Scare tactics no longer guarantee security funding

Chief security officers used to be able to get the funding they wanted for critical IT security projects by using newspaper clippings detailing security failures that cost other companies millions of dollars.

Those were the good old days, IT security managers said at the Cyber Security in the Financial Services Sector Summit last week. Budgeting for security today is a lot more complicated.

"Responsibilities are increasing, the time pressures are increasing, and we're under increasing legal and regulatory pressures. The only things that are not increasing are our funding and staffing levels," said Gene Fredricksen, vice president for information security at Raymond James Financial Services Inc. in St. Petersburg, Fla. "It requires us to rethink how we budget. The old fear, uncertainty and doubt model doesn't seem to be working anymore. We can't scare our senior management into giving us money."

But that doesn't mean that senior executives aren't interested in security, other security managers said. On the contrary, many senior executives and corporate boards with control of corporate purse strings are simply demanding more information on the elusive return on investment and overall business benefit of incremental increases in security spending.

"I need to get [my board of directors] to calm down," said Dave Cullinane, chief information security officer at Seattle-based Washington Mutual Inc. The new regulatory environment is affecting IT security priorities more than anything else, he added.

However, "I do find myself more and more trying to show [the board] that there is a valid [ROI]," he said. "As of Jan. 1, I have to start quantifying losses so that I can build a two-year and a three-year database, so that in 2007 we can decide how much money to set aside to cover [those losses]. So I'm not having much trouble convincing senior management. I'm having much more trouble trying to figure out how to do [ROI] the right way."

Good luck, said Bruce Moulton, vice president of information security business strategy at Symantec Corp. According to Moulton, calculating an accurate, meaningful ROI for security "is out of reach." Because of all the unknowns that must be taken into account, ROI simply can't be calculated reliably, he said.

Moulton also noted that budgets are tight and spending must be done selectively. And that might have security architecture implications, he said.

"We might end up protecting some things and not protecting other things," said Moulton. He added that some companies may find themselves partitioning their networks into protected data and "sacrificial" data based on prioritized spending.

David Furnas, senior enterprise security engineer at Leicestershire, U.K.-based Deltanet International Ltd., said it's crucial to win senior management's confidence that spending requests aren't going overboard.

"It's important to set their expectations such that you're not going to them with pie-in-the-sky requests that are completely off the mark based on your business needs and based on the regulatory environment in which you have to operate," said Furnas.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Follow our new CSO Australia LinkedIn
Follow our new social and we'll keep you in the loop for exclusive events and all things security!
Have an opinion on security? Want to have your articles published on CSO? Please contact CSO Content Manager for our guidelines.

More about CullinaneRaymond James FinancialSymantecWashington Mutual

Show Comments

Featured Whitepapers

Editor's Recommendations

Brand Page

Stories by Dan Verton

Latest Videos

More videos

Blog Posts