Information Security Budgets - Pragmatism and Credibility

There’s a lot of advice out there on how best to deal with security budgets in the current recession-hit times. Most of it is pretty uninspiring. A blog from Jeff Bardin links off to a plethora of open source and free tools. A nice idea if you’re starting up and have people with the technical knowledge to make the most of some of the listed products, but not really a practical suggestion for a mature corporate network that is having a hard enough time dealing with the technology already in place. However, at least Jeff is trying to be pragmatic.

On the other hand, there’s a dreadful article at CIO.com entitled “How to maximise your security budget” where the author, Ansh Panaik, provides 5 tips, including: “knowing where policy violations exist will eliminate or reduce the extraneous costs of a data breach, fraud, or cybercrime.” I really have no idea what he’s talking about.

Ravi Char blogged some suggestions at “Musings on Information Security” where, amongst other things, he wrote: “this is a good time to have conversations with cross functional teams and educate them about your services and solicit feedback on how to do better.” This is a great point and fundamental to developing credibility within the business. I would add: make sure that you then follow through on what you say you’re going to do. It’s also worth quoting here from Mike Rothman’s excellent book, The Pragmatic CSO, which states: “once you are credible and invited to the table, you’ll be able to get security built into key project initiatives and paid for out of their (i.e. other departments’) budgets.”

It’s easy to come up with a quick scratch list of money saving ideas but you can’t re-engineer the business for the sake of the information security program. It’s all very well saying things like “move to in-the-cloud services” or “change to using open source tools” but such actions are projects on their own that require planning, resources, and budget to execute.

Fundamentally it comes down to the fact that everything in the security plan is there because of risk. If budgets are slashed to the extent that some of those tasks can no longer be performed, then it’s a business decision as to whether or not to live with the resulting risks. Don’t fight the business; provide the right advice and recommend appropriate and pragmatic solutions. Nothing will make you lose credibility faster than becoming territorial and defensive over the security budget when others are losing their jobs.

1 comment

Great discussion, and I'd like to add as possible. I like to pass along things that work, in hopes that good ideas make their way back to me. Data breaches and thefts are due to a lagging business culture – and people aren’t getting the training they need. As CIO, I look for ways to help my business and IT teams further their education. Check your local library: A book that is required reading is "I.T. WARS: Managing the Business-Technology Weave in the New Millennium." It also helps outside agencies understand your values and practices. The author, David Scott, has an interview that is a great exposure: http://businessforum.com/DScott_02.html - The book came to us as a tip from an intern who attended a course at University of Wisconsin, where the book is an MBA text. It has helped us to understand that, while various systems of security are important, no system can overcome laxity, ignorance, or deliberate intent to harm. Necessary is a sustained culture and awareness; an efficient prism through which every activity is viewed from a security perspective prior to action. In the realm of risk, unmanaged possibilities become probabilities – read the book BEFORE you suffer a breach.