Securing Your Security Budget: A Failure To Communicate

With increasingly sophisticated exploits and well-informed adversaries targeting systems and data – fighting for more security budget is essential. Too bad, then, that management doesn’t always agree.

Why doesn’t management always see the threats the same way many security professionals do? Maybe the problem isn’t (always) with management. Perhaps, to borrow a line from the famous 1967 movie, Cool Hand Luke: “What we’ve got here is failure to communicate.”

For starters, senior business managers may not actually hear what security managers are trying to say. Second, executives tend not to trust what they’re told. In fact, as a group, executives don’t trust much of the advice brought to them from IT, and they certainly don’t trust salespeople and the stacks of vendor collateral they carry. Once in a while, however, chief information and financial officers will trust the advice of their IT staff. The message:

Win trust, then maintain credibility
“Don’t B.S. them,” says the CISO at a technology services company based in the northeastern US, who requested not to be attributed. “Put things in straightforward terms. Personal brand damage is something they well understand. However, (the importance of) a compromise of a random development system is much harder for them to grasp,” he says.

“I think every CIO and CFO is different,” says Andy Ellis, senior director of information security and chief security architect at Akamai Technologies. “However, they all tend to look for your long term credibility.” In other words: beware of acting like the ‘boy who cried wolf,’ Ellis advises. “If you are always claiming that the latest risk is the scariest thing ever and you have to have more budget to solve it, after a while, they’re going to look askance at you. If instead you downplay the outrageous and unlikely, you’ll have more credibility for the important things,” Ellis says.

Positioning Is Key
“There is no ROI model for security products, so it’s far better to position the expenditure as an enablement,” advises Adrian Lane, security analyst and chief technology officer at the research firm Securosis. Oftentimes technologies that help streamline efforts can be easily justified. “Such is the case with most compliance requirements,” says Lane. “In some rare cases it can be shown to save time, and thus money. For example, I have actually witnessed certain technologies automate Sarbanes-Oxley data collection, analysis and reporting in such a way that it saved internal auditor time, as well as provided the external auditor with enough data to slightly reduce the time and scope of their audit,” he says.

But with direct ROI difficult to prove, it’s best to focus on commonly recognized objectives and then to give management choices. “Explain to them that if they spend A amount, then you can achieve X. If they spend B amount, then we can do Y. However, if we can only fund C, we can only achieve Z,” says Lane. Most important: detail the business trade-offs that come with each option. Avoid the mistake many new security managers make: assuming that security in and of itself is a desirable goal and offering management a stark choice of “secure everything or die.” That, says Lane, is not a compelling argument.

Stay aligned with the business
Another mistake some security managers make is to veer away from the message of the business. “Too often, security managers let security risk get divorced from business risk, and then budgets get split as well,” says our anonymous CISO. “If, for instance, a new project is going to introduce new risk, then the budget for its security controls needs to be included in the budget for implementation. This is hard, but needs to be the goal; if not, you’re implementing controls for last year’s problem,” he said.

“It does sound like a cliché,” adds Lane. “But security managers often have no idea how to justify their budget as a positive for the company. Their budget requests read like a disaster recovery manual. They simply don’t have the skill to speak the language of their peers,” he says.

That’s not a gap in presentation skills, but a failure to adequately prepare, Lane adds. And there are quick ways to fill it: Security managers need to understand what other operations and new initiatives are taking place within their organization. They need to listen to upper management and understand what they are trying to accomplish. “Have you researched what similar companies have done to solve problems you face? Have you met with your peers to understand what they are trying to accomplish, and maybe have them back your requests?” asks Lane.

The next time a budget item doesn’t get approved, rather than cursing management for not understanding, check your preparation and your argument and make sure you make the best case possible next time.


  • Anonymous:

    I agree that communication and the ability to present are sometimes lacking. Really though, it's been 2 decades of getting owned. The real problem is that people don't listen to the technical folks and non-technical policy makers have infiltrated security too deeply. Get rid of people that can only talk about security and get people who can talk AND do something about it. If I see another "architect" or "policy analyst" that doesn't know the difference between IPS and a firewall or can't intelligently discuss the OSI model yet they run an infosec program I might just move to the desert where the ineptitude can't touch me.

    Plenty of orgs don't even have a CISO and when they do, the CISO reports to the CIO. That's broken, they should be equals in every organization. Some govt orgs don't even give their infosec groups independent budgets and if they do it only covers personnel. This stuff has been talked to death and I know these managers aren't idiots. They are trying to squeeze every last dollar of profitability out of their enterprise and security sometimes has to get jacked b/c of it.

  • Anonymous:

    I agree with the notion that it usually boils down to communication.  In my experience it tends to mostly be a problem with expressing the security value proposition in terms that management cares about.  Conceptually (and practically) the value proposition for any security measure is its ability to affect the frequency and/or magnitude of loss.  Not surprisingly, management does care about loss because it affects the bottom line.  So, when I've credibly expressed the value of a proposed security measure in those terms, I tend to get better support from management.  The challenge, of course, is credibly estimating the effect of a security measure.  The only method I've seen so far that makes that possible is FAIR.  Everything else seems to fall short.
