When
Each fiscal year.
Why
What percentage of the IT budget pertains to security? Don't know where to start? Afraid of ROI? With April 15 comes thoughts about money and, naturally, budgets. Like many organizations, the money being spent this year was probably planned two fiscal-year cycles ago. Find out if you, as an officer in the company, are personally liable if the company is charged with an offense, especially if the charges result from failing to implement your security-related recommendations. If your budget is continually cut due to shortsightedness from upper management, be prepared to leave the company, but know also when to fall on your sword.
Strategy
Florindo Gallicchio, a CISSP and the security practice manager for Melillo Consulting, offers a great argument for security: "Security is not a technology issue -- it's a business issue. Security uses technology to protect business assets, ideally all of which you have accounted for in your policy and are now practicing." Need more storage space, for example? An IT approach like "we need a larger server to store information" will not likely get increased funds. However, this may: "The Sarbanes-Oxley law requires we maintain all audit-related records, including electronic ones, for up to seven years. Our current storage capacity is only for eight months at our present rate. We need to expand so we don't fail our audit. Passing our audit will keep our stock price strong." Executives understand this.
What was projected last year? And the year before that? Is your organization new? Find someone in an organization close to the size and mission of yours and ask questions. What wasn't planned for that was needed, and vice versa? Organizations merging? Take the larger of the two estimates, of course! Each week, write down what expenses were involved in your department, or what you would like to see spent. What did you "make do" with this year? Did an executive tell you "it's not in the budget this year"? Ask to see the budget, because you have to plan for next year.
The first time I drafted a budget, I noted what was working and what was missing when I joined the organization, and what I thought it needed for the next year or two. I put down numbers based on logic and the past. Then the accounting people, the division manager and the acquisition people tested, reduced, spindled and mutilated those numbers many, many times over the course of folding them into the budget projections. So just do your best. Allocate money for: license renewals; upgrades; new technology; more storage and back-up space; repairs; contingency planning; data insurance; leasing/buying equipment; short-term support; distance/access provider services; maintenance support; training; and supplies, etc.
Another way to look at it: What items/functions/technologies need to be considered immediately? What needs to be considered for next year? What technology won't deliver a tangible ROI for 18-24 months? And what technology needs to be programmed for a five-year and/or 10-year plan?
More information
See your accounting department, auditors, colleagues at other companies and professional groups promoting industry standards. New item to consider: Forensics is still on the fence, but will probably come into its own in 12-18 months. What other concepts are floating around the edges of your industry? Think about when in the course of your organization's plan and mission these concepts will take more and more precedence.
About the author
Shelley Bard, CISSP, is a senior security network engineer with Verizon Federal Network Systems (FNS). An infosecurity professional for 17 years, Bard has briefed and written infosecurity assessments and technical reports for the White House and Department of Defense, special interest groups, industry and academia. Please e-mail any comments to mailto:securityplanner@infosecuritymag.com
Opinions expressed in this column are those of Shelley Bard and don't necessarily reflect those of Verizon FNS.
Last week: Spring cleaning -- Part 3: Data
Next week: Configuration management
