I have been a student of security for nearly twenty years and have paid close attention to how certain security managers were able to secure scarce company resources to build their security programs while others were not. These are security managers in organizations that had not yet encountered a major security breach or a similar "near death" experience.
To state the obvious, marshaling resources and support after a breach is easy, although it’s typically the next guy who gets to do this. No doubt this plays out over and over again in large companies—what we read about in the newspapers is certainly just the tip of the iceberg.
I like to ask clients about security spend using the Three Bears and porridge question: "How much are you spending on security—too much, too little, or the just right amount?"
Consistently, security staff respond with "too little" while executives answer with "just the right amount," or in moments of candor, "too much." What this question illustrates to me is the internal divide over the key question of resource allocation. Executives are asked to build companies by engaging in certain risky activities, while security professionals are supposed to identify information-based risks and present them to executive decision-makers. At that point, the risk appetites of the executives kick in. Should they address the risk by throwing scarce resources against it or simply accept the risk?
Security managers have the unique problem of obtaining a commitment from corporate leadership to defend against a vague and over-the-horizon threat. How do certain managers pull it off while others don’t? I laid out several ways savvy security managers can obtain support for their security spend without scaring the heck out of executives with classic Fear, Uncertainty, and Doubt tactics in my 2014 RSA Conference session, Getting Your Security Budget Approved Without FUD. The nature of the internal business justification—let’s call it the "sale"—was different from any normal selling process I have ever witnessed.
One example of this difference is using timing to capitalize on certain external events. The former White House Chief of Staff and current Chicago Mayor Rahm Emanuel once said, "You never let a serious crisis go to waste. And what I mean by that is it's an opportunity to do things you think you could not do before." No doubt sophisticated security managers are great at pointing to breach stories like Target and Home Depot and using them to pry resources from executives to expand their security budgets. This is unique to our industry, and plays out in organizations across the world.
On Oct. 29, I plan to delve further into the topic during a webcast hosted by the RSA Conference titled The Savvy Security Leader: Using Guerrilla Tactics to ID Security Program Resources. This session is a little more tactical (hence the title) than my earlier RSA Conference presentation. I’m going to discuss how savvy security leaders are able to identify ongoing activities at their organization that they can co-opt or tap into in order to further their security cause. What I’m focusing on here is the concept of leverage: Can the security group benefit from other departments’ spend in order to do the right thing and protect their organization? Believe it or not, there are many examples of how savvy security managers have done this.
To highlight one example that I plan to discuss on the webcast, I’ve seen some of the savviest security managers use their corporate merger and acquisition process to gain security coverage for an acquired entity. For those who don’t know, companies spend tons of money on attorney fees during the due diligence and merger contracting process. Rarely do these companies measure information technology risk as a part of the due diligence process. These same companies that spend money on attorney fees to identify business risk typically ignore information technology risk. Unfortunately, many of them learn the hard way post-merger when they have a system or application fail in a spectacular fashion. I’ve seen influential security managers find a way to carve out security testing as part of the due diligence process, identifying the scariest risks up front and saving the downstream security resources they would otherwise have to spend patching a system.
I will outline other creative approaches that the best and brightest in our industry have undertaken during the webcast on Oct. 29. Feel free to drop me a line on Twitter at @johnbdickson if you have any questions prior.