Prioritizing the Budget
By Ericka Chickowski | Posted 2008-06-02
The security risks IT managers worry about the most aren’t the same ones they spend their company’s money on. What’s going on? Baseline set out to get some answers.
One reason IT managers have a hard time getting funding for new initiatives is that they don’t focus enough on metrics.
“IT groups usually describe security qualitatively, but what they really need to do is come up with better quantitative metrics,” says Randall Gamby, security analyst for the Burton Group. “They need to look at numbers more. For example, some might ask for funding to put in a new malware solution because it will improve security. But if they quantified malware instances, they might find that they are not attacked by malware very much and that the old solution already mitigates their minimal risks.”
Gamby says chief information security officers (CISOs) and other security managers need to do a better job of finding measurables based on the business requirements. In addition, he advises security managers to do a better job of prioritizing risks by doing their homework and conducting methodical risk assessments. Without doing the background work, it is impossible to prioritize risks and, in turn, prioritize initiatives for funding.
“If you put it all together, you’ll get an overall picture of the organization, as well as a good idea of the resources you have available to spend for the upcoming year—and where and how you should divide it,” QuietMove’s Muntner explains.
ARC’s Bhatt says he typically identifies the biggest risks to his organization and then looks at the technology landscape to see how he can mitigate those risks to an acceptable level. Then he puts together a budget proposal—typically by the third quarter for the upcoming year—and has a discussion about how much money he will need for new initiatives.
Each risk is prioritized, from “have to buy now” to “can wait one more year.” He particularly stresses the must-haves, making a distinction between those and other initiatives.
Bhatt points out that though C-level executives make the final call on whether to assume a risk, IT and security managers need to clearly identify the items that have the highest-level risk.
“It’s important to get the CFO and other C-level people to understand that [if they don’t fund] these must-have items, they shouldn’t come to you if there’s an issue and ask why there’s a problem,” Bhatt says. “If these things are well-documented, you can remind them that you talked with them about the risk.”