Information Security Budgets - Pragmatism and Credibility

There’s a lot of advice out there on how best to deal with security budgets in the current recession-hit times. Most of it is pretty uninspiring. A blog from Jeff Bardin links off to a plethora of open source and free tools. A nice idea if you’re starting up and have people with the technical knowledge to make the most of some of the listed products, but not really a practical suggestion for a mature corporate network already having a hard enough time dealing with the technology in place. However, at least Jeff is trying to be pragmatic.

On the other hand, there’s a dreadful article entitled “How to maximise your security budget” where the author, Ansh Panaik, provides 5 tips, including that “knowing where policy violations exist will eliminate or reduce the extraneous costs of a data breach, fraud, or cybercrime.” I really have no idea what he’s talking about.

Ravi Char blogged some suggestions at “Musings on Information Security” where, amongst other things, he wrote: “this is a good time to have conversations with cross functional teams and educate them about your services and solicit feedback on how to do better.” This is a great point and fundamental to developing credibility within the business. I would add: make sure that you then follow through on what you say you’re going to do. It’s also worth quoting here from Mike Rothman’s excellent book, The Pragmatic CSO, which states that “once you are credible and invited to the table, you’ll be able to get security built into key project initiatives and paid for out of their (i.e. other departments’) budgets.”

It’s easy to come up with a quick scratch list of money-saving ideas, but you can’t re-engineer the business for the sake of the information security program. It’s all very well saying things like “move to in-the-cloud services” or “change to using open source tools”, but such actions are projects in their own right that require planning, resources, and budget to execute.

Fundamentally, it comes down to the fact that everything in the security plan is there because of risk. If budgets are slashed to the extent that some of those tasks can no longer be performed, then it’s a business decision whether or not to live with the resulting risks. Don’t fight the business; provide the right advice and recommend appropriate and pragmatic solutions. Nothing will make you lose credibility faster than becoming territorial and defensive over the security budget when others are losing their jobs.