The Yankee Group expects security budgets to increase in 2004. But companies will no longer spend for security's sake. The enterprise model for security decision-making has changed to include line-of-business managers.
Security product and services vendors once sold best-of-breed capability to expert security staffs. It was a pure sell of security for security's sake. The enterprise decision-making process for security has changed and security vendors must adapt to the new model.
Security vendors must now address three areas to win an account:
1. Security: The enterprise relies on the security team to evaluate and recommend security technologies and sources of specialised service expertise. In internal planning discussions, the security team examines risk factors to the business and anticipated costs required to reduce those risks.
2. Information technology: The enterprise looks to IT for cost-effective deployment strategies within the existing infrastructure; support strategies for users and application integrity; and required skills or external resources necessary to meet the business requirements. The IT team assesses the costs involved in managing the application and security deployments.
3. Lines of business (LoBs): The LoBs set the prioritised agenda for business initiatives, define business requirements and make the ultimate decision on application/IT security balances. The LoBs' concerns centre on revenue generation, customer account acquisition, individual customer satisfaction and quality of service.
Model Results and Conclusions
The biggest discovery in this model is the shift in influence from technology decision-makers to the lines of business. We expect security budgets to grow in 2004, with actual budget allocations controlled by the lines of business.
Changes in sales and marketing behaviour for successful security practices are required:
Security teams no longer have central funding to try new technologies and easily champion new companies within the enterprise. Emerging security vendors have difficulty gaining toeholds in an organisation; larger incumbent vendors are more difficult than ever to displace.
Security vendors must work past enterprise security teams to get direct exposure to lines of business. The lines of business influence decisions most heavily. Security vendors must express their value in terms that are meaningful to business managers. Vendors and chief security officers must educate each other on how to best identify product and service capabilities with business needs.
CSOs are more conservative in presenting security vendors for approval. LoB managers that are not experts in security are more apt to be swayed by a vendor's reputation, with inherent confidence in its ability to manage a future problem should something arise.
Enterprises are forcing security vendors to consciously articulate benefits for the critical influencers, which include leading-edge security performance for the CSO; low-cost management and integration capability for the CIO; and preservation of business service confidentiality, integrity and availability for the COO.
Enterprises are shifting organisational reporting structures, budget responsibilities and decision processes for security purchases. Two of the three critical influencers of security products and services are being aligned to support lines of business.
Enterprise executives that have survived the expensive excesses of PKI, Y2K and IDS are wary of overhyped security claims. New security purchase decisions will need to map into corporate plans for supporting business goals in an easily managed manner.
— Involve your security team early in application selection processes. Security is integral to applications exposed to the Internet and seldom can be effectively bolted on after the fact. Have corporate security architects participate in defining requirements for new initiatives, evaluating vendor responses and evaluating acceptable business security trade-offs.
— Consider having CSOs report to the CFO or COO. Security organisations that report to CTOs or CIOs tend to prioritise according to technology or operational costs, respectively. Reporting to the chief financial officer or chief operating officer aligns security more closely with spending by the lines of business and integrates it with business processes. Shift security metrics from return on investment (ROI) to reduction of risk (ROR) to better reflect security's contribution to the business.
— Make security organisations tin-cup internal users for budget allocations. This forces security to justify its existence year-on-year by showing value to lines of business (customer-focused), audit teams (regulatory and policy compliance) and IT (infrastructure-oriented). Security is important to the business and this is the most effective means of measuring internal benefits.
Eric Ogren is securities, services and solutions analyst for the Yankee Group (US).