It's reasonable to assume that budgets will be cut. In tight economic times, even the security team has to tighten its belt and try to do more with less. Yes, even if that means not everything gets done. So accept the fact and move forward from there.
The first key to surviving in a down economy is to focus on what's important. How do you know what's important? Ask the senior management team. Ask about the priorities of the business, pose your own questions and make sure they understand what can and can't be done with the resources you have. This will provide great insight into what can be put off and what can't. Once it's clear what absolutely needs to be protected, then start working scenarios to make sure it happens.
Before this meeting, it's a good idea to build three different funding scenarios. The first is what's necessary to really get the job done. This will probably not happen, but showing the fully funded option is good for comparison's sake. The second scenario should focus on what gives reasonable comfort that key assets will be adequately protected. This is the situation to push for, but don't be too disappointed if it doesn't happen. Remember, times are tough.
Lastly, build the worst-case scenario. This is the absolute minimum level of funding needed to protect critical assets. Also, be clear and detailed about what could happen if the security team doesn't get at least this minimum level of funding.
Bonus scenario: When presenting the above three scenarios to the management team, I suggest having a fourth scenario, a "pull the rip cord" scenario, ready. This would be the smallest amount of money possible to allow for any chance of success. If the senior team won't give this level of funding, then it's time to look for another job, because it's only a matter of time before key data and systems are compromised, and it's not a good idea for your career to be there when it happens.
This was first published in October 2008