7

A common problem when working in large organizations is securing funding for a security program. These programs compete against other business units and various business objectives for funding, which creates a common scenario where the security team has to compete for funds within an organization. Given this scenario, what are some of the most effective methods, formal or informal, for helping a security team compete for funding within an organization?

Note: I'm not looking for general sales ideas, tips on keeping costs low (I already get that), or fear-based methods if they can be avoided. I'm looking for specific examples of what seems to actually be effective right now in the current business climate across all types of medium to large organizations, and information that may be useful to help other security teams fund their own projects.

References or recommendations to books or other items are welcome if they have proven to be effective in this manner.

Additional context: This is not for a particular scenario or goal, nor is there a need for a specific line-item budget (people, hardware, other). I'm looking for tips which would help security teams at ALL organizations, especially underfunded ones, be able to secure funding for their respective security teams (all sizes). It's ok if the answers are scenario-specific, but I'm more focused on what is helping security teams get funding other than security events (getting hacked) or compliance requirements (required spending). In other words, what works on getting companies to do the right thing security-wise when in some respects they are not otherwise compelled to do so, or when they may have other pressing budgeting needs?

Another way to look at this question: Most companies are focused on short-term gains, and generally, when looking only at short-term gains and short-term needs, security can appear to some organizations as an unneeded expense that may be reducing a marketing budget (or whatever). I'm looking for discussion points which help nudge a company to choose to spend more money on its long-term needs even when there may be no perceived short-term economic gain from doing so.

Anders
Trey Blalock
  • Devise a reasonable project which addresses specific threats, including ransomware, insider threat, data confidentiality, etc. Make one project per issue. For example, if WiFi is insecure or not available, propose that WiFi will boost productivity, but then you need funding for executing it because WiFi is by default insecure. If it's there and insecure, raise the point. – Aria Sep 22 '16 at 15:04
  • I think this question could benefit from more context. I see you said a security team. Are you looking for funds for equipment, personnel, time to do things right, ability to require more of the software developers? I think that defining a specific example context might help with an answer. Also is the security team small (1-2 people) or are there dozens of folks with a team leader? – 700 Software Sep 22 '16 at 17:04
  • It is possible that this should be asked on Workplace Stack Exchange. I imagine that much of the answer applies to non-security teams trying to compete as well. – 700 Software Sep 22 '16 at 17:05

2 Answers

2

Compliance and regulations which are show stoppers to a business operation.

Past incidents of security issues.

Davis
0

In general, there are going to be two distinct classes of responsibilities that security folks could be funded for.

One class relates to compliance, audit, and other sorts of often theatrical assurance activities, sponsorship of which is often seasonal and administrative.

The other class is actual security activities and practices, which vary greatly by organization and business type but generally should be focused on risks to areas of core business value.

The reason for making this distinction is that security teams interested in doing the latter sort of work (actual security work) often mistakenly operate in an autonomous fashion, with a detached engagement model that is only suitable for the former kinds of duties.

The best champions for security folk who want to do actual security work will be other teams with line responsibilities. Somewhere in the bellies of those beasts will be real risks that real managers fear are being inadequately addressed, with control points that allow for real contributions.

Being part of and contributing to the day-to-day value conversation is vastly superior to acting as an internal provider offering services that have to be pitched and sold, and advice that is context-free and never followed. Context-free advice is only appropriate in theatrical settings, and should be difficult to find funding for.

Jonah Benton