Xerox takes information security pretty seriously. It regularly conducts network vulnerability scans, as well as corporate audits of its risk mitigation efforts. A compliance program buoys employee awareness of its security processes -- as well as its disaster recovery, information privacy and Sarbanes-Oxley Act policies -- and an executive board champions adherence to them all. Meanwhile, the security budget at the U.S.-based company is holding steady compared with last year, even as its other IT spending is down.
And yet, as Xerox Chief Security Officer Audrey Pantas says, "you never get as much as you'd like -- you could always do more." And that sums up the mind-set surrounding IT security at corporations today: No matter how much money you pour into it, you'll always need to go back to the well.
With growing threats, increased regulations and plenty of media coverage when incidents do occur, executives have never been more aware of the importance of IT security. At the same time, spending fatigue may be creeping into the boardroom, as CXOs increasingly look for the business value earned on the security dollars spent.
"Senior management knows there's a problem, but it seems that every day the problem gets worse, and it's like there's no end in sight," says Robert Charette, director of the enterprise risk management and governance practice at Cutter Consortium, an IT consultancy. "There's the feeling that they could give security every single penny and it still wouldn't be enough."
To keep the security budget from looking like a black hole, you need to articulate the value of the money being spent. Here are some do's and don'ts for doing just that.
Don't Use Scare Tactics
Every day, it seems, a story emerges about a backup-tape theft or compromised customer data. But don't overuse these incidents when seeking to justify your funding requests. "CXOs can become desensitized or jaded if they hear too much about reports that they don't think affect them," says Christopher Bomar, founder of Boomarang, an online data-backup service firm.
"FUD has been used up," agrees Mark Rhodes-Ousley, an information security architect and author of Network Security: The Complete Reference (McGraw-Hill Osborne Media, 2003). "So many people have cried wolf that executives are inured to scary stories."
You might, however, consider using recent security incidents to shed light on your company's needs. For instance, you can send out regular e-mails that put news stories into perspective and show how they apply -- or don't -- to your business, says Bob Dehnhardt, network and information security manager at TriNet, a human resources services firm. "You can use these incidents as an opening, but back them up with a strong business case," he says.
For instance, when a report comes out about backup tapes being stolen, point out what happened to the company's stock price on the day the story broke, says Gary McGraw, chief technology officer at security consultancy Cigital and author of Software Security: Building Security In (Addison-Wesley Professional, 2006).
Do Use Horizon Planning
Instead of asking for funding several times a year, project the security costs that need to be incurred over a 12-to-24-month time horizon, Rhodes-Ousley says. "CXOs can swallow that more easily," he says. "If you say you need certain things next year, you can get funding more easily than saying you need something now."
At Xerox, Pantas develops a three-to-four-year strategic plan for the company's security efforts and then prioritizes which of those projects to pursue in the ensuing year. "I do work off an overall strategic plan on where we want to take security," she says.