After working as an in-house security manager in the financial services industry for many years, I recently moved to consulting work. This will give me the opportunity to work in a variety of industries (my current contract is with a company in the health care industry) and projects.
I've spent the past few days thinking about the many issues I face, trying to decide which one to discuss in this column. In the end, it was an easy decision: extortion. I'm not talking about preventing employees or outsiders from stealing funds. I'm referring to my ability to "extort" appropriate funding from management.
There are less-cynical ways of looking at the budgeting process, but my experiences over the past few years at different companies have made getting blood out of a stone look simple in comparison.
Many security managers labour under the misapprehension that the budget process consists of working out how much you need, spending a few weeks coaxing your figures into the bizarre formats that the finance people require, then defending your important projects in meetings. But my successful budgets have been the result of a different process -- one in which I laid the groundwork well ahead of time. Here are four steps I follow to obtain funding from that parsimonious corporate bean counter.
Make the business case
Start by going back to your security basics and calculating your risk profile. Determine the potential financial loss arising from each of your threats, and multiply that by the annualized percentage likelihood of the loss occurring to get the annualized loss expectancy (ALE). Then demonstrate how much your project will reduce the ALE -- and how much money it will save the company.
Assuming you have a sound business case, document this clearly, explain your reasoning in great detail, and then submit it to the finance people. It will get rejected almost immediately, of course, because no one in finance will understand a word of it. But don't worry; you have to go through this step only to show that you've done your homework and to lay the groundwork for more productive tactics later on.
Next, use fear, uncertainty and doubt to your advantage. FUD is the most important acronym to salespeople hawking IT security wares, and you are trying to sell your own IT security services to the corporate bean counters. Sow fear ("Did you hear about that hacker who broke into NASA? I hope that doesn't happen to us."), uncertainty ("Yes, I know we spent $500,000 on securing our network perimeter last year, but we need to make sure it's working.") and doubt ("70 percent of security breaches are internal. I wonder who the criminals are in our company?").
Sometimes this beginner's tactic works, but any chief financial officer who has been around the block a few times will blow FUD out of the water. Still, it's worth trying just to see what answers you get. You can always use those responses the next time an IT security salesperson comes calling.
Befriend your auditor
The next time you pass an auditor in the corridor, give him a big smile. These people write long-winded reports, and while no one reads the main text, everyone reads the executive summaries. Then these reports go on file, as do management's responses. Best of all, the auditors eventually check back to see whether management has addressed the issues the reports have raised.
While the threat of a hacker attack or a virus infestation makes the budget gods nervous, the thought of three years' worth of audit reports pointing a finger at their incompetence will give them night sweats. A scared budget-setter is a generous budget-setter, so your internal auditors are a major ally. The same goes for external auditors and your compliance team, too, if you're in a regulated industry.
So make friends with these people. That should be easy, since everyone else tries to avoid them. Then drop a few choice lines into the conversation like, "I'd really appreciate your opinion on our firewall setup." In no time at all, you'll have auditors crawling all over the areas in which you want to spend money. Six months later, senior management will get a report saying how dire the problems are in that area. Then, seven months later, you'll submit your budget request for money to address those issues.
Choose your allies
Every company has its alpha dogs, and they're rarely in IT. You may think that the CIO is at the top of the food chain, but in budget meetings, everyone complains to him about how much IT spends and how the helpdesk still can't sort out the small issues. This discussion invariably comes up just before his $17.5 million request to fund a project that even he doesn't understand properly.
The CIO has a hard fight, so you must look elsewhere to find your alpha dogs. In software houses, they're the salespeople; in investment banks, they're the senior traders; in pharmaceuticals, they're the research and development folks. Set up meetings with them and tell them what you need, using no more than two technical terms in any one-hour meeting. Then tell them what might happen to the company if security fails.
Three months later, when the budget cycle starts, submit your request to the CIO. He'll go into meetings expecting the usual beating, but this time the alpha dogs will be demanding to know why he isn't spending more on security. He'll have the answers on hand, you'll get your funding, and everyone will go away happy -- or as happy as anyone can be after a three-hour budget meeting.
So there you have it: the four key steps to budgeting success. Good luck, and remember to get started now. If you do, you may just be in time to get the money you need for next year. What what budget winning ploys work for you? Tell Gabrielle_Wheeler@idg.com.au
This journal is written by a real security manager, whose name and employer have been disguised for obvious reasons