With increasingly sophisticated exploits and well-informed adversaries targeting systems and data, fighting for more security budget is essential. Too bad, then, that management doesn’t always agree.
Why doesn’t management see the threats the same way many security professionals do? Maybe the problem isn’t (always) with management. Perhaps, to borrow a line from the famous 1967 movie Cool Hand Luke: “What we’ve got here is failure to communicate.”
For starters, senior business managers may not actually hear what security managers are trying to say. Second, executives are skeptical of what they’re told. In fact, as a group, executives don’t trust much of the advice brought to them from IT, and they certainly don’t trust salespeople and the stacks of vendor collateral they carry. Once in a while, however, chief information and financial officers will trust the advice of their IT staff. The message:
Win trust, then maintain credibility
“Don’t B.S. them,” says the CISO at a technology services company based in the northeastern US, who requested not to be attributed. “Put things in straightforward terms. Personal brand damage is something they well understand,” he says. “However, (the importance of) a compromise of a random development system is much harder for them to grasp,” he says.
“I think every CIO and CFO is different,” says Andy Ellis, senior director of information security and chief security architect at Akamai Technologies. “However, they all tend to look for your long-term credibility.” In other words: beware of acting like the ‘boy who cried wolf,’ Ellis advises. “If you are always claiming that the latest risk is the scariest thing ever and you have to have more budget to solve it, after a while, they’re going to look askance at you. If instead you downplay the outrageous and unlikely, you’ll have more credibility for the important things,” Ellis says.
Positioning Is Key
“There is no ROI model for security products, so it’s far better to position the expenditure as an enablement,” advises Adrian Lane, security analyst and chief technology officer at the research firm Securosis. Oftentimes technologies that help streamline efforts can be easily justified. “Such is the case with most compliance requirements,” says Lane. “In some rare cases it can be shown to save time, and thus money. For example, I have actually witnessed certain technologies automate Sarbanes-Oxley data collection, analysis and reporting in such a way that it saved internal auditor time, as well as provided the external auditor with enough data to slightly reduce the time and scope of their audit,” he says.
But with direct ROI difficult to prove, it’s best to focus on commonly recognized objectives and then to give management choices. “Explain to them that if they spend A amount, then you can achieve X. If they spend B amount, then we can do Y. However, if we can only fund C, we can only achieve Z,” says Lane. Most important: detail the business trade-offs that come with each option. Avoid the mistake many new security managers make: assuming that security in and of itself is a desirable goal and offering management a stark choice of “secure everything or die.” That, says Lane, is not a compelling argument.
Stay aligned with the business
Another mistake some security managers make is to veer away from the message of the business. “Too often, security managers let security risk get divorced from business risk, and then budgets get split as well,” says our anonymous CISO. “If, for instance, a new project is going to introduce new risk, then the budget for its security controls needs to be included in the budget for implementation. This is hard, but needs to be the goal; if not, you’re implementing controls for last year’s problem,” he says.
“It does sound like a cliché,” adds Lane. “But security managers often have no idea how to justify their budget as a positive for the company. Their budget requests read like a disaster recovery manual. They simply don’t have the skill to speak the language of their peers,” he says.
That’s not a gap in presentation skills, but a failure to prepare adequately, Lane adds. And there are quick ways to fill it: security managers need to understand what other operations and new initiatives are taking place within their organization. They need to listen to upper management and understand what they are trying to accomplish. “Have you researched what similar companies have done to solve problems you face? Have you met with your peers to understand what they are trying to accomplish, and maybe have them back your requests?” asks Lane.
The next time a budget item doesn’t get approved, rather than cursing management for not understanding, check your preparation and your argument, and make sure you make the best case possible next time.