Hey CISO, Your Budget is Killing You...

Tuesday, June 14, 2011

Rafal Los


Hey IT Security leaders, your budget it killing you... and it's not for the reasons you may think.

If you're like most Information Security executives you've struggled year over year to justify expanding, or at least maintaining, your capital and operational budgets.  

You've wrestled with justifying initiatives, programs, and security-driven innovation you want to implement to keep the company safer and lower the risk profile... but what you may not know is that the budget that you've been working so hard to grow may actually be secretly killing you.

If you've ever done time as a Chief Information Security Officer (or equivalent in your organization) then you'll know just how hard it is to expand, or simply maintain a budget. In many organizations the budgeting process eats up as much as 2 man-months of a CISO's time, and in the end it may be doing you more harm than good.  

Why? The answer to that lies in the expectation and formality that a budgetary process brings.

While not every CFO or financial organization tracks capital and operational security spend down to the dollar, the reason that CISOs go through that painful exercise is so that they can justify how much they're asking to spend to solve some security problems. These problems are ones the business presumably has...one would hope.

The budget is a double-edged sword - while you may get money to make your security magic happen, someone is going to hold you accountable for some measurable gains with that money.

Remember, I'm of the camp that says if it can't be measured, it didn't happen. So why is the information security budget such a lethal thing?  Let me explain...

First, a budget is a commitment in many ways for an IT Security Manager.  It requires significant amount of effort to orchestrate, plan, and get through the corporate budgeting cycle without losing it all.  

I know many CISOs who over-pad their budget by, say 20%, because they know the business will ask them to cut 20% off the budget before it's approved.  This way they still get all they want and nothing is lost.

This is a dangerous game. On top of the games that are played, it takes a lot of time and investment to try and plan out what your organization (IT Security, as it were) is going to be doing and spending money on for the next 12 months or so.  

Remember, the speed of business is often much faster than the speed of budget creation - this means that once you're purposed and received budget approval for that tape encryption project the big thing that comes up (say, software security assurance program??) doesn't get budgeted and approved until next year!  

There are more dangers, such as the artificial need to spend all your budget lest your budget for next fiscal year shrink... well you didn't need it all this year, maybe you can get by next year with less, right?

Next, beyond all the effort that is required to put a budget in place (let's ignore for a minute the fact that this is a huge distraction from what a CISO should be doing... which isn't budgeting!), is the operational land-mines that come with business decisions.  

Say you have an approved budget for your security department - but a month after it's approved your company announces it's going to be acquiring and taking over some large entity... how does that factor into your budget?

Does it crush all your hopes and dreams? Does it force you to try and place budget-re-allocation-bingo? Or are you simply out of luck hoping the business allocates money to 'security' for the integration effort?

We all know business can change directions overnight - sometimes twice before your morning coffee... how does a budget you set 12 months ago support that? I'll give you a hint, it doesn't.

So ultimately - what you're left with is a process a CISO (most CISOs anyway) dread that's largely ineffective because it forces you to stretch the truth, and read from a crystal ball or tea leaves and hope for the best. This isn't a way to run arguably one of the most critical parts of any business.

My suggestion?  Dump the budget.

Think I'm absolutely nuts? Probably, but that's besides the point... I firmly believe that a good CISO can run a business-focused security organization with only the budget necessary to pay basic headcount. Stay tuned... I'll tell you the secrets.

Cross-posted from Following the White Rabbit

Possibly Related Articles:
Information Security
Enterprise Security Management Budgets Security Strategy CISO Information Security
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.