It's a fact of life that security professionals may never get the budgets they want to make their organizations secure. But educating management about the value of security will go a long way toward getting the resources they need.
Factors like the Nimda and Code Red worms, September 11 and new federal data-retention regulations have given security professionals more leverage when asking for security funding. And it seems the urgency of their requests for security dollars is being heard at high levels -- at least in some organizations.
According to a recent Information Security magazine survey, 51% of organizations have increased their security spending since September 11. This year, about 54% of security pros got more money for security.
Many security pros said getting money to secure a company is an uphill battle -- but it used to be worse. "There's the mentality that [security incidents] 'will never happen here,'" said Jeff Wichman, security administrator for School Specialty Inc., a wholesale and resale school supply company based in Greenville, Wis. The company largely consists of "old-school executives" who are just starting to see the picture, but they aren't there yet.
According to Michael Rasmussen, director with Cambridge, Mass.-based Forrester Research, there are three ways companies view security: as an annoying and inconvenient cost, as a form of risk management and as a strategic enabler.
For companies in the first camp, security is something that is bought, installed and forgotten about. In such a company, a security manager may get some money in the budget for a device like a firewall. But when a new threat emerges and more money is needed, the manager may be told, "Wait a sec; we gave you money for security as a line item in a budget," Rasmussen said.
Companies still mired in this line of thinking will likely see security as an inconvenience. In other words, security is equated with being prevented from doing things.
More enlightened companies, however, see security in terms of managing risks. "They see security as an insurance policy for the business," Rasmussen said.
Management at these types of organizations understands that security breaches can severely damage a company, much like a major fire or natural disaster would. "All we need is one public incident and the stock goes down," said Shannon Johnson, technology strategist for an East Coast financial company. "There's definitely support from the CEO because there's more money in the budget."
Events such as the Code Red and Nimda worms and September 11 have shown executives that there are real threats in the world.
There is also a positive way to view security, as an enabler. Proper security controls can make a company more efficient and effective, Rasmussen said. It is the security professional's job to communicate how improving security will help the company. "They need to work with the business, not against it," he said.
Rasmussen compares what security pros have to do with what he does to get his 6-year-old son to take some medicine. "I don't shove it down his throat, but tell him that if he doesn't take it and get better, then we will have to take him to the hospital to get a shot," he said.
Now, for many companies, being more secure is not a choice. Having to comply with security-related laws such as the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act is like taking medicine. If they don't comply by installing the controls mandated by the regulations, then they may find themselves getting shot with big fines.
At Christus Health, a network of hospitals and clinics based in Texas, security was always a priority, but it took HIPAA to convey the seriousness of electronic security, said Evelyn Briggs, director of security. "Facilities that aren't quite into high technology understand the basics, but may not understand the back end. But if you relate it to the business side, then they do."
Christus Health has done a lot of work on the three different components of HIPAA, and Briggs has CEO support from all of the facilities. "From a corporate perspective, it's just a matter of bringing them all up to compliance" with HIPAA, she said.
Briggs also enlists the help of end users. "The biggest hurdle is establishing a basic level of education" among users, she said, noting that Christus Health has mandatory security education. "We give them a sense of ownership and an understanding of how important the information really is."
Getting management to understand the value of security also means educating them about the many facets of it, including end-user involvement. There is no way to make systems into "impregnable technology fortresses," Rasmussen said. "If there are people behind desks who don't understand security, the information will leak out no matter how secure your systems are."