It's a reasonable assessment to think that budgets will be cut. In tight economic times, even the security team has to tighten the belt and try to do more with less. Yes, even if not everything is done. So accept the fact and move forward from there.
The first key to surviving in a down economy is to focus on what's important. How do you know what's important? Ask the senior management team. Ask about the priorities of the business, pose your own questions and make sure they understand what can and can't be done with the resources you have. This will provide great insight into what can be put off and what can't. Once it's clear what absolutely needs to be protected, then start working scenarios to make sure it happens.
Before this meeting, it's a good idea to build three different funding scenarios. The first is what's necessary to really get the job done. This will probably not happen, but showing the fully funded option is good for comparison's sake. The second scenario should focus on what gives reasonable comfort that key assets will be adequately protected. This is the situation to push for, but don't be too disappointed if it doesn't happen. Remember, times are tough.
Lastly, build the worst-case scenario. This is the absolute minimum level of funding needed to protect critical assets. Also, be clear and detailed about what could happen if the security team doesn't get at least this minimum level of funding.
Bonus scenario: When presenting the above three scenarios to the management team, I suggest having a fourth scenario, a "pull the rip cord" scenario ready. This would be the smallest amount of money possible to allow for any chance of success. If the senior team won't give this level of funding, then it's time to look for another job, because it's only a matter of time before key data and systems are compromised, and it's not a good idea for your career to be there when it happens.
- Learn more about getting information security buy-in from the executive team.
- What are the top five lessons in security management? Read more.
Dig Deeper on Information security program management
Related Q&A from Mike Rothman
The CISSP certification can be a challenge to obtain. Mike Rothman unveils how to get on the right education and career tracks in order to get CISSP ... Continue Reading
In the world of security certifications, what is the GISP and how alike is it to the CISSP? In this security management expert response, learn about ... Continue Reading
Depending on your enterprise, it may or may not be necessary to utilize a QSA. In this security management expert response, learn how to determine ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.