What are some tips on protecting my security budget in a poor economy?

When times are tight, the executive managers begin to cut funding across the company. What are some important steps to take to make sure the budget for information security is still enough to keep data secure? In this security management expert response, learn how to get the funding you need.

It looks like the Wall Street crisis is going to have a long-lasting effect on the entire economy, so as a security manager I'm expecting to be asked to cut my budget. Do you have any tips to help me protect my budget, especially since we don't have all our bases covered as it is?

It's a reasonable assessment to think that budgets will be cut. In tight economic times, even the security team has to tighten the belt and try to do more with less. Yes, even if not everything is done. So accept the fact and move forward from there.

The first key to surviving in a down economy is to focus on what's important. How do you know what's important? Ask the senior management team. Ask about the priorities of the business, pose your own questions and make sure they understand what can and can't be done with the resources you have. This will provide great insight into what can be put off and what can't. Once it's clear what absolutely needs to be protected, then start working scenarios to make sure it happens.

Before this meeting, it's a good idea to build three different funding scenarios. The first is what's necessary to really get the job done. This will probably not happen, but showing the fully funded option is good for comparison's sake. The second scenario should focus on what gives reasonable comfort that key assets will be adequately protected. This is the situation to push for, but don't be too disappointed if it doesn't happen. Remember, times are tough.

Lastly, build the worst-case scenario. This is the absolute minimum level of funding needed to protect critical assets. Also, be clear and detailed about what could happen if the security team doesn't get at least this minimum level of funding.

Bonus scenario: When presenting the above three scenarios to the management team, I suggest having a fourth scenario, a "pull the rip cord" scenario, ready. This would be the smallest amount of money possible to allow for any chance of success. If the senior team won't give this level of funding, then it's time to look for another job, because it's only a matter of time before key data and systems are compromised, and it's not a good idea for your career to be there when it happens.

This was last published in October 2008
