For some people, November is all about festivity: turkey, cranberry sauce and the start of the long ramp-up to the December holidays.
However, that’s not always the case if you happen to be in IT security.
If you are, you know that November can be anything but festive — unless your idea of “festive” includes end-of-the-year network freezes, the inevitable holiday malware, spam out the wazoo, and (worst of all) the 2008 budget. Yup, ’tis the season — the season for guessing at what you might need in the future and (most likely) won’t get.
Every year, we’re asked to do the same thing: Request the funding that we need for the upcoming year to keep the organization “secure.” Like programming a universal remote control, it’s one of those things that sounds simple enough until you actually try to do it.
Aside from being impossible (there’s no such thing as “secure” — just “secure enough”), there’s also the fact that we’re being asked to foresee the unforeseeable. How much malware will there be next year? How many application vulnerabilities will we find in the new accounting system? How many patches will come out for the hundreds of software products we support? These are just a few of the myriad things impacting budgetary requirements which simply cannot be precisely determined ahead of time.
However, rather than give up and submit another year’s budget dripping with irony, let’s look to see if there aren’t a few strategies that we can use to help us bring some sanity to an otherwise insane process.
Planning for the Unforeseeable
When it comes to planning for your security operations budget, there are two types of information security organizations: those that have usable metrics and those that don’t. If you’re in the first category, you probably have a historical record of past events — and you probably have some idea of what each of those events costs.
For example, you might know the number of malware events that occurred over the past 12 months and (depending on how long you’ve been keeping track) you might have some idea about the relative rate of increase of those events year-over-year. The same is true of security incidents, forensic investigations, IDS (intrusion detection system) alerts, applications reviewed, etc.
Now, I don’t mean to suggest that metrics are the complete solution to your budgetary woes, but the budgeting process is the one area where you’re likely to see quite a bit of return on your metrics initiative. If you’re measuring, you can come up with a reasonable (or at least logical) estimate of future activity based on historical trends. Add in a margin of error and it’s not unreasonable to put together a ballpark figure for what those future events might cost. Heck, you can even create milestones of how much you expect to spend month-over-month and use unspent dollars to invest in making everything more efficient. Of course, times being what they are, you might not get everything you ask for, but at least you’ll know the impact of that ahead of time.
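The trend-plus-margin estimate described above, worked through as an added example (this code is not from the article and not Security Curve's or CTG's; the 24 months of event counts, the per-event handling costs and the 20% margin are all constructed assumptions standing in for an organization's own historical record). It fits a straight-line trend to each category's monthly counts, projects the next 12 months, inflates the projection by the margin, prices each month at the assumed per-event cost, and returns the month-by-month milestones and the annual total you would put in the request:

```python
"""Projecting next year's security operations spend from event metrics.

Added example, not from the original article. Everything here is constructed:
the monthly counts, the per-event handling costs and the 20% margin are
assumptions standing in for an organization's own historical record.
"""
from __future__ import annotations

# Constructed sample data: 24 months (Jan 2006 .. Dec 2007) of monthly event
# counts per category. Not real figures.
HISTORY = {
    "malware_events": [
        30, 28, 33, 35, 34, 38, 40, 39, 44, 46, 45, 52,   # 2006
        50, 53, 57, 56, 60, 63, 65, 68, 70, 74, 73, 80,   # 2007
    ],
    "forensic_investigations": [
        1, 0, 2, 1, 1, 2, 1, 2, 2, 1, 3, 2,
        2, 2, 3, 2, 3, 3, 2, 4, 3, 4, 3, 4,
    ],
}

# Assumed fully loaded cost to handle one event of each type (analyst time,
# tooling, third-party fees). Replace with what your own records say.
COST_PER_EVENT = {
    "malware_events": 250.0,
    "forensic_investigations": 6000.0,
}

MARGIN = 0.20  # assumed margin of error applied on top of the trend


def linear_trend(counts: list[int]) -> tuple[float, float]:
    """Ordinary least-squares fit: count = intercept + slope * month_index.

    Month indices run 0..n-1 over the history. Returns (intercept, slope).
    """
    n = len(counts)
    xs = range(n)
    mean_x = sum(xs) / n
    mean_y = sum(counts) / n
    ss_xy = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, counts))
    ss_xx = sum((x - mean_x) ** 2 for x in xs)
    slope = ss_xy / ss_xx if ss_xx else 0.0
    return mean_y - slope * mean_x, slope


def project_next_year(counts: list[int], margin: float = MARGIN) -> list[float]:
    """Project the 12 months after the history from the trend, plus margin.

    A falling trend on a small category can extrapolate below zero; that is
    clamped to zero, since you cannot handle fewer than no events.
    """
    intercept, slope = linear_trend(counts)
    n = len(counts)
    return [max(0.0, (intercept + slope * (n + i)) * (1 + margin)) for i in range(12)]


def budget_milestones(history=HISTORY, costs=COST_PER_EVENT, margin=MARGIN) -> dict:
    """Monthly spend milestones per category plus totals for the budget year."""
    per_category = {}
    monthly_total = [0.0] * 12
    for name, counts in history.items():
        projected = project_next_year(counts, margin)
        spend = [round(c * costs[name], 2) for c in projected]
        per_category[name] = {"events": [round(c, 1) for c in projected], "spend": spend}
        monthly_total = [t + s for t, s in zip(monthly_total, spend)]
    return {
        "categories": per_category,
        "monthly_total": [round(t, 2) for t in monthly_total],
        "annual_total": round(sum(monthly_total), 2),
    }


if __name__ == "__main__":
    plan = budget_milestones()
    for name, detail in plan["categories"].items():
        print(f"{name}: ~{sum(detail['events']):.0f} events, ${sum(detail['spend']):,.0f}")
    print("monthly milestones:", plan["monthly_total"])
    print(f"annual request: ${plan['annual_total']:,.2f}")
```

The monthly milestones are the part worth keeping: comparing actual spend against them each month is what tells you, well before year end, whether the projection was low (the margin is being eaten) or high (money that can be redirected into efficiency work). A straight line is a deliberately simple model; if your history shows seasonality (the holiday malware spike, for instance) a seasonal adjustment or a per-quarter fit is the obvious next refinement.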
If you don’t have metrics yet but you think they might help you with your budget, the challenge is to get them in place so that you can use them. Since you probably won’t get any reliable metrics in place in time to use them in planning for this year’s budget (hats off to you if you decide to try), the goal is to get them there in time to use them next year.
Don’t assume that obtaining this information is going to be “free” though — it won’t be. So plan for the expense and account for it in your 2008 budget (after all, now’s the time). If your decision-making process isn’t currently based on some kind of concrete information like realistic metrics, one of your strategic goals (maybe your No. 1 strategic goal) should be improving the data coming in and making use of it.
Investing in the Program
So, maybe you have a reasonable idea about what operations spending looks like for 2008 — or if you don’t, you at least have it as a goal to get to a point where you can estimate (more) accurately. How about overall spending? After all, keeping to the “status quo” — estimating what it’ll cost next year to do the same thing as last year — shouldn’t be your final goal. Even if you’re getting more efficient over time, there are still more things that you could be doing. No, there’s another piece to the puzzle: Where should you invest in 2008 to operate in a more repeatable, organized and “mature” way? That’s where program maturity comes in.
Your information security “program,” or — depending on the terminology you choose — your ISMS (information security management system) is something to be thinking about as well when putting together your 2008 budget. Your ISMS should be your overarching framework for managing information security within your organization. It’s your opportunity to think about how you’ll move away from tactical decision-making (“putting out fires”) and toward a model based on analyzing and treating risk, and on keeping track of your security processes and how they perform, in terms of both efficiency and effectiveness.
In other words, think about having a structured, well thought-out program as your road map to a better life.
Assuming that you want to come up with a more structured way of doing things, how can you get there? First, start by analyzing what your program does and doesn’t already account for. Standards like ISO/IEC 27001 (the ISO standard that specifies the requirements for an ISMS) help you identify what your program should have in place and the areas you should be looking into for program management.
Need to do a gap analysis to see where your program falls short? Account for that in your budget.
Already have a gap analysis that tells you where you need to improve? Account for those areas in your budget.
Granted, you might not get everything on your request list, but if you can demonstrate why this is valuable and candidly discuss with your management how you’d like to improve, you’re likely to get some funding for doing this. Especially if you believe (as I do) that a structured, repeatable and mature program saves money over the long term.
Ed Moyle is currently a manager with CTG’s information security solutions practice, providing strategy, consulting and solutions to clients worldwide, as well as a founding partner of Security Curve. His extensive background in computer security includes experience in forensics, application penetration testing, information security audit and secure solutions development.