As part of the budget planning exercise, security leaders have to prioritize their projects and initiatives for the next year. Savvy security leaders know to look for security resources in other areas of the organization, Denim Group principal John Dickson said in a recent RSAC webcast.
"This is not about vendors selling security solutions to CISOs or CSOs," Dickson said at the start of his presentation. "This is about internal security leaders themselves going to executives such as CFOs and obtaining resources to further expand the security footprint."
In the webcast, Dickson discussed different "guerrilla tactics" security leaders can use, such as drawing on resources that belong to other groups to further their own goals and piggy-backing onto other initiatives.
In this day and age, "Fear, Uncertainty, and Doubt" no longer work as a budgetary tactic. Security professionals have to do a better job of translating the issues and threats into business risks. Tactics include exploiting pet projects, consciously cultivating relationships with other executives, and taking advantage of systems owned by other groups, to name just a few. Some of the examples were previously included in his research presented last February at the 2014 RSA Conference.
- If you are able to tack on your security "ask" to a capital expense project the CEO is undertaking, it is a lot easier to get it approved.
- Companies in the energy sector tend to be very safety-driven, so couch the security concern as a safety or quality question; that framing resonates better with the business.
- Find out what your competitors and peer-organizations are doing, and use that as an example of what your organization should be doing.
"The best CISOs and CSOs have figured out how to sell and put these 'asks' in terms that resonate with executives," Dickson said.
For example, security leaders can "inject" themselves into a merger and acquisition discussion and demand a portion of the funds set aside for due diligence to perform a security assessment on the target's IT operations. Since the security liabilities become the organization's after the merger, it makes sense to know about any hidden issues.
Another example has security leaders looking at what kind of things other departments are buying. In many organizations, the Web Application Firewall is part of the IT or audit budget because it is mandated by PCI rules. Security leaders can ask to be able to use the existing WAF investment for Layer 7 logging and protection to gain visibility into the application layer, Dickson recommended. Or they can ask developers to add on vulnerability scanners and other secure coding technologies as part of their larger development stack purchases. That way, the developers will be able to catch and fix vulnerabilities early in the cycle, before they are flagged by the security teams.
Consider that some parts of the budget are out of your control. Some budget items are not open to negotiation, such as line items mandated by compliance or by customers/buyers. Legacy tools or systems may continue to get funded because no one wants to be the first to say they should be replaced. So it is important to be creative in how you get funding and resources for the projects you want to roll out. "The power of purchasing around those big buys is something you should leverage," Dickson said.
Listen to the webcast for more insights and to get a copy of the presentation.