Making a case to the board
- Article 14 of 33
- SC Magazine, January 2009
Justifying security spend in tough times is a hard sell. So, avoid complex ROI arguments, focus on risk and steer clear of jargon. By Rob Buckley.
Gartner analyst Tom Scholtz says that security budgets won't be exempt. “Security officers should proactively risk-assess their planned project portfolio and identify projects that can be postponed with limited impact. Opportunities for cost cutting should be identified.”
But any cuts to security will increase risk – and managers need to agree that this is acceptable, purely to achieve short-term cost-cutting goals.
STRICTLY LEGAL
Developing a budget and justifying expenditure on security is something Jason Petrucci has considerable experience with. After working in various corporate law firms as well as PricewaterhouseCoopers, he has been director of information technology for corporate law firm Lawrence Graham for 18 months.
“When I arrived, I performed my own ISO 20001 assessment of the firm and then brought in various companies to do some analysis work for me,” he says. “It became apparent very quickly that we had a number of risks, not only from the IT security perspective but operationally as well. So we set about the task of identifying those risks and putting a plan together to mitigate them.”
Petrucci joined the firm after the budget for the year had already been approved, so at first he had to work with the money available. After identifying through his audit which projects he deemed necessary, he prioritised them. “We've never had a structured budget process in place: there's been no justification around expenditure. What I went about doing was looking at the business in terms of where it wanted to go for strategy, identifying particular areas of need, particularly in terms of client communication and services, then putting together a strategy for the business.”
Petrucci says that it was critical for him to understand the business, how its lawyers operate and then find technical solutions that fitted their way of working. He focused on three areas: the lack of security skills in-house, which prompted him to propose outsourcing various functions to managed services provider Vistorm; training, to raise the level of in-house skills; and introducing secure remote access technologies to enable lawyers to work while travelling.
Petrucci then had to justify his investments to the managing partner. “If I were reporting into a COO-type function, I might have put together a risk matrix. But from experience, if you start to describe solutions for the business in technical speak, you lose people in the first two or three minutes. I put together a very short paper on the current status and the risk associated with the way we operated. Then I sat down with the managing partner and explained the risks. I compared us to what our peers do and showed that we were behind the times. It isn't an ROI model: it's about reputation and risks.”
