“It was the best of times, it was the worst of times, it was the age of wisdom, it was the age of foolishness, it was the epoch of belief, it was the epoch of incredulity…” Charles Dickens, A Tale of Two Cities
Given the state of budget discussions in Washington and the fact that at the time I am writing this we are in the midst of the first government shutdown since President Clinton’s first term, this quote seemed not only appropriate, but spot on.
Budget discussions are a tricky thing and can create a great deal of angst when you have more than one party competing for a finite dollar amount. These deliberations are not the domain of the government alone, tough budget discussions take place every day across businesses, non-profit organizations, academic institutions and on the home front. And, because budgets are at the forefront of everyone’s mind at the moment both due to current news cycles and that it’s the time of year when everyone is pulling together thoughts and priorities for 2014, it seemed logical to take a look at budget discussions for security.
If you’re worried you’re about to get the hard sell on why you should be buying security solutions from my company, rest assured, that is not the case. What I am asking you to do is be honest with yourself as to the current state of your organization’s security as you are preparing your security budget for 2014. Ask yourself tough questions and make sure they are answered.
Here are five questions you should begin with today:
1. Are my most important organizational assets receiving the right level of consideration and attention when it comes to security?
2. Do my current security practices guard the organization from exposure to compliance and other regulatory risks?
3. Is my current security infrastructure able to adapt to the changing landscape of threats and vulnerabilities?
4. Are my security priorities properly aligned with the organization’s goals and objectives?
5. Does the leadership team at my organization have an appreciation for security and what is necessary to keep its most important data assets safe?
You will notice that there is a mix of both technical and business-oriented questions contained in my top five. And it’s likely that you may not know how the leadership team feels about security. Well, as both a security professional and a CEO, I’m here to tell you that it’s part of your job to know. You have to be responsible for educating company leadership as to the state and needs of security so that you can align business priorities with security capabilities.
While I’m not suggesting the technical element is easy, I do believe that most security directors and administrators would prefer to navigate that portion of the security equation rather than deal with the business side of things. Because IT/security pros tend to look at problems logically, they are able to evaluate and systematically work through an issue and eventually land on the correct technical solution. It’s the organizational issues that tend to trip them up and leave them wanting for additional budget and resources to properly handle the company’s security demands.
About 15 months ago we released a study (PDF) that highlighted a disconnect between CEOs and the security leadership within organizations. Now I understand that 15 months is a lifetime when it comes to technology, but my observations tell me that not much has changed during this period. While you can read all of the findings at your leisure, I will say the shocking stat was that while all CEOs indicated that security was a top three priority in their organization, 36 percent of them never received an update from their CISO or senior IT manager in-charge of security.
This is not driven by a lack of interest, but rather a lack of understanding. Technical people tend to explain things in technical terms while business leadership always looks through the lens of finances and risk. The two languages tend not to align and the failure to adjust could lead to either cuts, or the denial of funds needed for critical security projects in your next business year.
I’ve written fairly extensively on this topic over the last couple of years and the following passage really outlines the issue pretty clearly: when I speak with other CEOs on the topic of security, they often voice their frustration that those leading the security practice within a company struggle to communicate concisely what the threats are, how they affect the business, the potential for loss, and whether or not investments made in security are actually paying off.
When CEOs ask for updates from other members of executive leadership, they generally receive a pretty clear report on the state of the business. Take the CFO for example, when asked to report on the financial state of the business, they will produce a P&L or a balance sheet that clearly articulates the most important information in a manner that has meaning and substance to everyone at the table. Ask a CISO and you are likely to receive a report that varies greatly from organization to organization and in many cases, doesn’t tie the issue of security to the business very effectively.
So as you set forth on the path to establishing your security budget for 2014, remember that receiving the budget that allows you to do what is needed from a technical standpoint often begins with a business discussion. You have a lot of competition for those budget dollars and the ones that can make the best business case to the C-Suite are most likely to come out on top.