Spending Shortfall
Despite threats of hacking and cyberterrorism, security spending remains tight
One way for security managers to improve their chances in budget meetings is to approach management with company-specific metrics to help justify security expenses. For example, a quick E-mail survey of employees will show what they know about the company's security policy. If only 30% of employees have adequate security-policy awareness, it will be much easier to justify a training budget request, Radianz's Hession says.
The chief security officer at the manufacturing company contends that his company would recoup the $15,000 it would cost for a couple of half-day security-awareness seminars, an occasional article in the company E-mail newsletter, and awareness videos for new employees, because it would reduce the chances of a virus attack. "I do my best to justify the expenditures, explain the potential return on investment, but ultimately it's their money and network," he says.
Blaming accountability is an "easy out," says Eduardo Vital, executive VP of information technology services and CIO at Ryder System Inc. Security managers may have "failed to make a compelling argument or maybe they didn't articulate the business case strong enough," he says. "If you go to management and say, 'If you don't invest X dollars, our risk for this happening is Y,' and management says they can live with that risk, you've then made them accept the responsibility."
The manufacturing company's chief security officer hopes he'll get the justification he needs to bolster security spending next month when a business partner arrives to discuss the two companies connecting their networks to support real-time inventory and production. Upper management has "no idea what they're in for. They asked me to write a report explaining the security we have in place. But I know they're going to have a penetration test team go through our network and test for vulnerabilities, and when they do, they're not going to decide to connect with us. Then, I'll get the funding I need." The manufacturing partner company is worth 15% to 20% of his company's annual revenue. He says, "Next month is coffee-smelling time for my boss" (see "In Lockstep On Security," March 18, p. 38).
Much of the success in getting a reasonable security budget depends on the corporate culture. "Our chairman Gregory Swienton is very proactive," Ryder's Vital says. "When security importance comes down from the chairman, that sets the tone."
The chief information security officer at a midsize food-processing company agrees. It's barely a year since the creation of his position after the company was hit by both the Code Red and Nimda worms. Before that, security budgeting was haphazardly managed in each department. "Spending and acquisition and technology decisions were all over the place," he says. Departments had different types of firewalls, intrusion-detection systems, and access-control mechanisms. Everyone seemed to be doing the right things, but "together the pieces didn't add up," he says.
Not only did the disparate security tools cost the company the purchasing power it could have had by standardizing on a single vendor, but hidden costs drained its security budget: administrators had to be trained on several different firewalls and intrusion-detection systems, and the separate sign-on mechanisms for the network and for each application made it "almost impossible for us to terminate employee access rights" when people left the company, the security officer says.
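The de-provisioning problem the security officer describes is concrete enough to check for. The script below is an added example, not code from the article or from any company it quotes: it reconciles account exports from several separately administered systems against the HR roster and reports every account that belongs to someone who has already left, or to nobody in HR at all. The system names, usernames and naming conventions are constructed for illustration, and the `normalize` rule (each system's login is the HR username, possibly with a mail domain or different case) is an assumption that would have to be replaced with each real system's convention.

```python
"""Added example: find access that survived an employee's departure.

All data here is constructed; the users, systems and naming rules are
hypothetical and stand in for whatever HR export and account dumps a
real reconciliation would consume.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed HR roster (hypothetical users): (status, leave date or None).
HR_ROSTER = {
    "alice": ("active", None),
    "bob": ("terminated", "2002-02-01"),
    "carol": ("terminated", "2002-03-10"),
    "dave": ("active", None),
}

# Constructed account exports from three separately administered systems.
# Each uses its own naming convention, which is exactly why nobody could
# answer "where does bob still have access?" without a reconciliation.
SYSTEM_ACCOUNTS = {
    "firewall-a": ["alice", "bob", "dave"],
    "ids-console": ["ALICE", "CAROL"],
    "erp": ["bob@corp.example", "dave@corp.example", "svc_backup"],
}


def normalize(account: str) -> str:
    """Map a system-specific account name back to the HR username.

    Assumption (hypothetical): every system derives its login from the
    HR username, at most adding a mail domain or changing case.
    """
    return account.split("@", 1)[0].lower()


@dataclass(frozen=True)
class Finding:
    system: str
    account: str
    reason: str               # "terminated" or "unknown"
    days_open: Optional[int]  # days since the leave date; None if unknown


def find_orphans(roster, accounts, today_iso: str):
    """Return accounts owned by leavers, or by nobody in HR at all."""
    today = date.fromisoformat(today_iso)
    findings = []
    for system, names in accounts.items():
        for acct in names:
            rec = roster.get(normalize(acct))
            if rec is None:
                # Service or local accounts with no HR owner need an owner
                # assigned, or they will never be de-provisioned.
                findings.append(Finding(system, acct, "unknown", None))
            elif rec[0] == "terminated":
                days = (today - date.fromisoformat(rec[1])).days
                findings.append(Finding(system, acct, "terminated", days))
    return findings


def deprovision_plan(roster, accounts):
    """Per terminated user, the sorted list of systems still holding an account."""
    plan = {}
    for system, names in accounts.items():
        for acct in names:
            user = normalize(acct)
            rec = roster.get(user)
            if rec and rec[0] == "terminated":
                plan.setdefault(user, []).append(system)
    return {user: sorted(systems) for user, systems in plan.items()}


if __name__ == "__main__":
    for f in find_orphans(HR_ROSTER, SYSTEM_ACCOUNTS, "2002-04-01"):
        print(f"{f.system:12} {f.account:22} {f.reason:10} {f.days_open or ''}")
    print(deprovision_plan(HR_ROSTER, SYSTEM_ACCOUNTS))
```

Run against the constructed data as of 2002-04-01, it reports bob's surviving firewall and ERP accounts (59 days after his departure), carol's IDS console login (22 days) and the ownerless `svc_backup` account. The `deprovision_plan` output is the checklist a single, centralized identity process would have produced on the day each person left; the point of the exercise is that without a common identity source the inputs to this script do not exist in one place.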
By centralizing security decisions, companies avoid the shotgun approach and learn how best to spend their budgets, Vital says. But once companies have the right firewalls, user authentication, and intrusion detection in place, executives must make sure they're monitoring their effectiveness. Many companies invest and then don't do the ongoing monitoring and assessment of their security programs, he says.
Some businesses, establishing companywide security-spending policies for the first time this past year, have decided to outsource part of their security, such as firewall and intrusion-detection management. The CIO at a major minerals producer says last year was the first year his company formalized its information security. After scrutinizing the cost of managing firewalls and intrusion-detection systems around the clock, the company concluded it couldn't afford to keep the job in-house: doing so would have cost $1.7 million annually, while outsourcing those services came in at $400,000. "I'm still leery of handing over the keys to the kingdom, but financially it's a no-brainer," the CIO says. He's pleased with the results so far: "I'm getting security reports I could only dream about before."
Companies often see security measures that reach beyond employees and internal IT systems, such as authenticating partners, customers, and suppliers to their network, as revenue protection. Business becomes more efficient when partners can connect electronically for real-time business transactions. The only way that can happen is with sound security policies, authentication, and identity management. "The spending on external security measures doesn't drive bottom-line revenue, it protects revenue. And that's a harder sell even though it's necessary," PricewaterhouseCoopers' Lobel says.
Both Lobel and Radianz's Hession have this advice to security officers hoping to fund projects: Piggyback security spending on top of other large IT expenditures. "If a company has a $10 million E-commerce rollout, it's much easier to tack onto that $600,000 in security spending than to try and justify that type of expenditure by itself," Lobel says.
Corporate security is dynamic. Executives can't make an investment and think they're set for the next three years, because new vulnerabilities always come up. Once security executives think they've spent enough on security, they may be opening the door for trouble.