How to frame a security budget request
The easiest way to align network security plans and practices with the business requirements of your organization is to frame network security budget requests correctly. This requires a team that is familiar with both security requirements and the business itself.
Allow me to illustrate this with an example: Joe is a security administrator who strongly feels the installation of an intrusion prevention system (IPS) on the corporate network would reduce the risk of successful attacks. Joe must make the case to Mary, the CIO, who would approve the security budget request. Mary is a seasoned CIO with an MBA who came up through the ranks of application development to reach the corner office. Joe walks in for his meeting and says: "Mary, we're receiving an unprecedented number of HTTP port scanning reconnaissance attacks through our perimeter firewall. Recent news indicates that SQL injection attacks are on the rise and I believe these attackers are performing reconnaissance in an attempt to identify database vulnerabilities. We need to buy an intrusion prevention system to mitigate this risk." How well do you think Joe did in his meeting? More than likely, both Joe and Mary left that meeting frustrated: Mary didn't understand what Joe was talking about and Joe didn't get his budget request.
Now, imagine a slightly different scenario. Joe has done an analysis of the business requirements and framed his questions correctly before making his budget request. This time, he walks into Mary's office and says: "Mary, as you know, our organization does quite a bit of credit card processing. We have a database that stores this information and I'm worried that it might be vulnerable to attack. We've seen signs that attackers from Asia are trying to identify vulnerable Web applications that might give them a path to our credit card data, and I think we need to block these attacks. The system we need to do so costs $50,000, but it reduces our exposure to attacks on our credit card data. If such an attack were successful, we'd have a major reputational problem on our hands, and we'd also be subject to fines that could range into the millions of dollars."
This approach appeals to Mary's business sense and frames the request in terms of the needs of the business. This time, Joe walks away with an approved budget request and both Joe and Mary sleep well with the knowledge that their significant investment is serving to protect them against a clear risk.
Allocating time and resources
In addition to using business requirements to frame requests, you should also use them to help allocate the limited time and resources available to you. This can be a simple cost/benefit calculation exercise that helps you decide which projects and maintenance tasks take priority. Again, let's consider an example:
Joe holds a weekly staff meeting with his four security engineers, and they're debating which of two projects should take priority:
- Installation of firewalls at remote offices that will allow the field sales staff to securely access the organization's central file-storage repository.
- Installation of antivirus management software that will reduce the amount of time the security staff spends managing its antimalware systems.
Both of these are worthy initiatives and it's easy to make a security or business case for either in isolation. However, the team only has time to implement one. How is Joe to choose?
Assuming that everyone in the organization is paid the same rate (this is too simple for the real world; you'll want to plug in actual salaries if you have them), it's clear from this cost/benefit analysis that the firewall installation is the project that will save the most money in the long run. If you consider the security benefits of both projects to be equal, the firewall project should be implemented first and the antivirus management project should come later.
Hopefully, this tip has given you a few ideas that will help you think about security within the context of your business. Remember, as with any support function, information security should always exist to serve the needs of the business, rather than the other way around!
About the author:
Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated.
This was first published in October 2009