Have you ever wondered why the chief information security officer or head of information security is often ostracised by the CFO/CIO/CEO during the budget allocation period?
At best, the CISO often walks away with the crumbs or leftover budget. Why? Is it because information security has a budget-busting reputation? Does information security fail to do a good job in demonstrating value or return on investment? Is the typical head of information security lacking an understanding of technology and management's expectations?
Regardless of the reasons, put bluntly, the information security department is frequently seen as a 'money bleeder' and thus a frustration for the CFO/CIO/CEO.
Let's face it, the bottom line matters and in today's 'cliff and ceilings' environments, every company, big or small, is looking to cut its budgets. The information security budget, if it exists, is often among the first at the altar of fiscal sacrifice.
Fortunately, the CISO can still do a lot with little funding. The six points below are ways in which CISOs can work successfully with a limited budget:
1. Implement a management framework. If budget is a concern, begin by aligning all existing projects, tools and controls to those set out by the respective frameworks. Among the many available (including ISO 27001), two frameworks that are relatively easy to adopt and align with are:
(a) A risk management framework (RMF) such as Management of Risk (M_o_R) or ISACA's Risk IT (available as a standalone framework based on Cobit 4.1 and also integrated into Cobit 5). An RMF is critical to an organisation's bottom line, and creating a framework to manage risk will allow the security department to manage and highlight exposed and unmitigated risks. This approach often ends up influencing top management to take notice and, hence, take action.
(b) Cobit 5, a framework created by ISACA, an independent non-profit, to improve the governance and management of enterprise IT (GEIT). Its implementation allows managers to bridge the gap between business and IT.
2. Use what you have. Often over-zealous or simply ignorant predecessors have spent large sums on hardware, software and systems that never get used (often called vapourware or tins). Despite all urges to throw the useless ware away, attempt to negotiate with the vendor to come in and demonstrate value, and to drop its support charges. Give your requirements to the vendor and request that it meet as many of them as possible. No vendor wants to lose an existing client.
3. Market information security. Avoid spending thousands of pounds on a limited number of training days. Instead, arrange for regular awareness sessions and/or open information security days where you can provide brief talks and presentations with a prize draw to attract the maximum audience.
4. Invite vendors to give demos of their products to the masses. This is even easier if the vendor has not yet got a foothold in your company, and it is very useful for you, as you get to do a 'requirements analysis' (albeit high level and non-scientific) cheaply.
5. Detail both technical and business requirements around a significant information security risk before attempting any project request or initiative. That way you know that your project will help fulfil a requirement.
6. Never say no. Do not deny a request to increase security just because there is no more money in the pot. Review the above five points.
Yes, budgets are necessary for tools, systems and, most importantly, hiring good people. However, if you are aware of one or more business-impacting and as yet unmitigated risks, carry out a formal risk assessment, using ISACA's Risk IT framework (covered in Cobit 5) to build your case and increase your budget.
The more CISOs can prove a business need for information security, the higher the budgets are likely to be.
Amar Singh is a member of the ISACA London Chapter Security Advisory Group and CISO of News International