We’ve all been there. It’s annual budget time and we are told that belts are tightening and we have to cut costs. Where does the finance organization look first for savings? That’s right, at the functions within the organization that do not contribute directly to the bottom line.
So what is a security professional to do when you are already operating a lean organization, you are protecting your company’s assets as well as you can, and you are still asked to perform better with fewer resources? This article explores a few options for meeting the financial pressures of the organization without going outside the risk tolerances set by your management team.
Yes, your organization’s security risk tolerance. Step one in the security budget process is to understand that it is not really your budget that finance is thinking of cutting, and it is not your risk that increases if the activities that mitigate it are cut. Both the risk and the budget belong to the entire enterprise, and it is the business mission and goals of the organization that are at stake in this conversation.
Remember, in our feature article titled What is Enterprise Security Risk Management (ESRM) and How Can Your Organization Benefit From Taking This Approach To Security? (Link), we explored the idea that:
… the security professionals and the asset owners share security responsibilities, even though all final security decisions are the responsibility of the asset owner — the people whose assets are being protected and who, as the owners of the exposure, usually also own the budget to protect the assets.
So before you can defend a security budget position, it’s critical that you understand and have some executive agreement on the level of risk the company is willing to accept.
In a previous article (LINK) I wrote about how best to communicate security risk to executives. In that article you will find some ideas for how to understand your company’s acceptable security risk profile. Once you have an understanding of which security incidents your company cares most about mitigating and which resources they consider most critical to protect, you have the beginnings of the conversation about the required budget.
Avoid the knee-jerk reaction to "cut your budget"
Being told to “cut your budget by 20%” can shock any functional leader. Our natural reaction is to deny the possibility, to say we cannot possibly do that and to try to find a way to avoid the cut if possible. But if this request is made of you at work, instead of saying “no,” try saying “yes.”
One workable approach is to say “Sure, let me see what I can do. I’ll get back to you in a couple of weeks.” Did you just promise finance you’d cut your budget by 20%? No. But you clearly communicated that you will look into the request and find potential ways to meet that request.
The willingness to engage in the exercise and look into what can be done sets you up in a willing partnership to find savings. You should be mindful that the money being spent is being spent for a reason — to protect company-critical resources. You cannot simply reduce those protections without thought and examination and agreement from the business executives who set the risk tolerance in the first place.
Who "owns" the risk exposure when security is cut?
The main reason that neither you nor the finance organization is in a position to agree to a cut in the security budget is that neither of you is the owner of the risk. The security risk is owned by the business owner of the resources that are going to be exposed to loss if the protections placed on them are altered.
While it’s entirely possible that they might find the additional risk acceptable, they cannot be left out of this conversation. As the security leader that they are relying on to manage their security risk, it’s critical that you engage them in the conversation.
Tying your budget to resource protection and risk mitigation activities
With the assumption in place that you have been working with your business partner on understanding their critical resources and their capacity to tolerate risk, there’s an exercise that you can do with your team that will help with the security budget discussion.
First, understand all of the mitigating activities that are performed across the enterprise, what the risks are that they are mitigating and what resources are being protected.
Next, ask the person in charge of each activity what would happen to the level of risk to the resource if the mitigation were cut by 10%, 20% and 50%. At a 10% cut, can they still provide the same protections? What about 20%? If not, what is missing, and what is the resulting exposure? What about 50%? At what level of cut does the remaining mitigation fall below the level you have agreed to with the business owner?
Once you and your team understand the potential impacts of cuts, it is time to engage the business owners of the impacted resources to see whether the decreased level of risk mitigation that accompanies each cut is acceptable to them. If the answer is yes at any of those levels, meaning the leader of the function exposed to the risk is comfortable with the change in their risk profile, then making that cut is a business decision that you can report back to the finance team. Easy enough.
If, however, they are not OK with the business exposure they would incur from a decrease in risk mitigation activities, then you go back to the budget team as partners and explain the need either not to cut, or to reduce the size of the requested cut. You will have the backing of the business leader, who can explain the real, tangible impacts to the business of the requested cuts.
When you take this approach, it allows you to show the budget team that you have “done your homework,” that you and your business partners have looked at the real impacts of cuts, and that you are not simply defending the status quo for the sake of not losing your department’s funding. This approach shows that you are being a careful steward of the funds you are given on behalf of the organization, and that it is your business partners, in fact, who are asking that the organization spend the money.
Most critically, though, in this situation, it is neither you nor the finance department who are making these business decisions about risk — it’s the impacted business leader.
The security budget decision / outcome
It’s important to note that this approach may or may not result in a budget cut. You and your business partner may find that higher-ups in the organization, understanding the potential impacts, still choose to ask for cuts. It may be that a different level of budget cut is made, leaving the mitigation plan reduced but still somewhat in place.
Even so, this is a more successful outcome for the security function, because the exercise has framed the discussion in business terms, and the expectations on the new level of risk exposure and the potential impacts of the reduced protection have been set and communicated to all decision makers.
Why is this better? Ask a business leader if they are OK with risk. The answer will most likely be yes. Now ask them if they are OK with surprises. This approach to the security budget cut conversation will at least ensure there are no surprises, and with all participants fully informed, there is no need for the “blame game” that could otherwise ensue.