Making a case to the board
- SC Magazine, January 2009
Justifying security spend in tough times is a hard sell. So, avoid complex ROI arguments, focus on risk and steer clear of jargon. By Rob Buckley.
Not all outsourcers are created equal, however, and getting the most from a contract and an outsourcer can be something of an art. Chris Coulter, a partner at law firm Morrison and Foerster, says that there are various strategies that can be employed, although trying to do too much ‘hardball’ negotiating can lead to problems. “I remember a deal I did a few years ago that should have been straightforward. But there was a lack of trust on both sides.” The customer was unwilling to share data and the vendor upped the prices in case the customer was hiding problems – which it wasn't.
Instead, most savings are made in the long term. Clarifying whether licence costs are per seat, per year or over a department can avoid steep costs down the line in a vendor contract – as can the option to cancel maintenance costs later on. Benchmarking ensures outsourcers provide what is being asked of them. However, Coulter says that the contract must specify what is benchmarked and who will do the benchmarking. If it doesn't, many outsourcers will regard this as a gift. “It'll never end up being agreed” once the outsourcing is actually under way, Coulter says.
The fact that the economy is in recession also means that existing agreements with vendors and outsourcers can be renegotiated if necessary, Coulter adds.
Security spending is rarely something that can be justified in simple ROI terms. It is far easier to justify in terms of mitigating risk. By prioritising those risks, budgets can be negotiated more easily and made to spread further, but only if the risks are expressed in a way the rest of the business can understand.
RECESSIONARY TIMES
CSOs can anticipate the risks of many events, but the near-collapse of the world's banking system probably wasn't on many threat lists. The initial reaction is that a recession means security spend will be cut, but others argue that while businesses will cut expenditure, security will survive since it's one area where there cannot be compromise.
Khalid Kark, an analyst for Forrester Research, says the answer will depend on the industry. “CSOs for financial services companies have seen their budgets cut pretty extensively. In other industries, I see a slowdown.” But CSOs are mainly holding off on projects while they wait for the dust to settle. “Before this crisis, we surveyed security spending. It was going to increase from eight per cent of the IT budget to 10 per cent in 2009. That's going to be dampened a little bit, but I suspect there is still going to be an increase.”
The reason is the cyclical nature of security spending, says Kark. Typically, there will be a period of increased spending on security technology, followed by a period of digestion, then more spending. The last two years, says Kark, have seen that ‘digestion’ period, so he predicts increased investment next year, on operational efficiency, and integrating existing sets of tools and technologies.
Adrian Davis, senior research consultant for the Information Security Forum, says security spend will need to be maintained in specific areas: as recession bites, there will be staff churn, more internal fraud and more disgruntled employees.
But spending also needs to be maintained for when recession stops. “Now is the time to look at technology as an enabler for the business to move forward after recession,” says Davis. He envisions small projects with security acting as an enabler. “Businesses want suppliers and customers to come in but not cause harm. They need to put in the tech so suppliers can hook up and know they can get orders.”