Chief security officers used to be able to get the funding they wanted for critical IT security projects by using newspaper clippings detailing security failures that cost other companies millions of dollars.
Those were the good old days, IT security managers said at the Cyber Security in the Financial Services Sector Summit last week. Budgeting for security today is a lot more complicated.
"Responsibilities are increasing, the time pressures are increasing, and we're under increasing legal and regulatory pressures. The only things that are not increasing are our funding and staffing levels," said Gene Fredricksen, vice president for information security at Raymond James Financial Services Inc. in St. Petersburg, Fla. "It requires us to rethink how we budget. The old fear, uncertainty and doubt model doesn't seem to be working anymore. We can't scare our senior management into giving us money."
But that doesn't mean that senior executives aren't interested in security, other security managers said. On the contrary, many senior executives and corporate boards with control of corporate purse strings are simply demanding more information on the elusive return on investment and overall business benefit of incremental increases in security spending.
"I need to get [my board of directors] to calm down," said Dave Cullinane, chief information security officer at Seattle-based Washington Mutual Inc. The new regulatory environment is affecting IT security priorities more than anything else, he added.
However, "I do find myself more and more trying to show [the board] that there is a valid [ROI]," he said. "As of Jan. 1, I have to start quantifying losses so that I can build a two-year and a three-year database, so that in 2007 we can decide how much money to set aside to cover [those losses]. So I'm not having much trouble convincing senior management. I'm having much more trouble trying to figure out how to do [ROI] the right way."
Good luck, said Bruce Moulton, vice president of information security business strategy at Symantec Corp. According to Moulton, calculating an accurate, meaningful ROI for security "is out of reach." Because of all the unknowns that must be taken into account, ROI simply can't be calculated reliably, he said.
Moulton also noted that budgets are tight and spending must be done selectively. And that might have security architecture implications, he said.
"We might end up protecting some things and not protecting other things," said Moulton. He added that some companies may find themselves partitioning their networks into protected data and "sacrificial" data based on prioritized spending.
David Furnas, senior enterprise security engineer at Leicestershire, U.K.-based Deltanet International Ltd., said it's crucial to win senior management's confidence that spending requests aren't going overboard.
"It's important to set their expectations such that you're not going to them with pie-in-the-sky requests that are completely off the mark based on your business needs and based on the regulatory environment in which you have to operate," said Furnas.