Developing budgets that make sense, support the mission of the enterprise, are thoroughly justified and garner the support of the C-suite is a challenge that security executives have faced for ages. Why is this the case? Is it that the C-suite doesn’t recognize the importance and value that an effective security program provides to the enterprise? Is it because security executives have not done an effective job of developing and documenting the inherent value to the enterprise of an effective security program?

Budgets Must Cover Key Risks Create an Appropriately Secure Environment for the Enterprise

Budgets must effectively and efficiently support a security program which provides the following minimum capabilities:

• Identification of risks and threats to the enterprise
• Ongoing intelligence-gathering on emerging risks as well as changes to current risks and threats
• Formation of options and solutions to eliminate, mitigate or transfer risk
• Effective measure involving the protection of personnel, physical assets and information assets
• Creating an environment where employees can:
• Perform the tasks they are responsible for without having to spend time concerning themselves about their personal safety
• Securely access information as well as be confident of its integrity
• Be confident that physical assets they require to do their job are intact and there to support the mission of the enterprise
• Compliance with laws, regulations, insurance requirements and industry standards
• Supporting company policy and values, as well as management and employee expectations

If the points provided above are the foundation for your security program, you are headed down the right track. Now, you need to develop adequate support for your budgetary requests. How does what you propose support the goals and objectives of the enterprise? Where does your program stand from a maturity model standpoint (are you at the ad hoc level, or do you have a program that is a leader in your sector or across sectors) and where does management want your program to be? How good is good enough to your executives and the board? How does what you propose to do compare with what others are doing in similar-sized enterprises or at least those in your sector?

Reconsider Your Spending Time Table

On another budgetary front, I routinely have discussions with senior security executives about the all too frequent dilemma that seems to be a recurring event when an enterprise has had a less than stellar fiscal quarter. The C-suite sends out a message that earnings were not in line with expectations and every function is expected to pony up savings to reduce the enterprise’s overall spend. Most security executives tell me that they hold a sizeable portion of their annual spend until later in the year. They say they do this in case something comes up that wasn’t planned for and they must respond to it.

I always recommend that you do as much spending in the first quarter as possible. If you get that notice to make cuts after the first quarter, your future quarterly budgets are then typically based on what your first quarter spend was minus whatever percentage they need to cut... you will generally end up way ahead of the curve with this approach, and your security program won’t suffer. And, by the way, if something unplanned comes up later in the year, you do what every other function in the enterprise does... you request additional funding to deal with the issue at hand.

Please send me a note about what kind of budgetary nightmares you experienced. I also would like to know if you have adopted the philosophy of putting your heavy spend into the first quarter.