Some people say that there’s nothing worse than a sour economy. I, for one, don’t agree. What could possibly be worse, you ask? Simple: a bad economy in the middle of a budget cycle.
Securing funding for technology projects is hard enough nowadays, but IT security projects have it even harder. Try selling your management on an application security overhaul the day after the Dow closes down 500 points — you’ll get better traction wearing grease-bottomed shoes.
It’s a reality of human nature that during a downturn, belts tighten. For organizations that are directly impacted by the financial downturn (banking and brokerage, for example), it’s no wonder that technology funding is scarce. But even for firms not directly in the line of fire, there’s a more subtle impact that also leads to smaller budgets: That is, people react to publicized events — even if that reaction is subconscious. When an airplane crash is in the news, ticket bookings go down. When a product is recalled, sales plummet. And when the economy is in the news, people buy less — and organizations scale back investment. It’s human nature.
To us in tech, this means that a bad economy brings a smaller budget. First and foremost, we’re a cost center — sure, keeping systems running is essential, but building new ones? When the business is having trouble just getting the essentials done, investing in a new storage solution, an e-mail upgrade, or a provisioning system is not top of their list. Sure, some projects will move forward — but they’d better be cheap or they’d better be critical before anybody writes a check. For security, it’s even harder because we have the added issue that demonstrating direct return on investment is difficult.
The upshot is that in a climate like this one, it’s almost a guarantee that the budget we ask for is not the one we’ll wind up with. But that doesn’t mean that we have to give up everything on our agenda. In fact, there are a number of areas where we can make significant inroads — even with a shrinking budget. It’s all in how creative we are to get there.
I firmly believe that metrics are the cornerstone of a strong information security program. How can you possibly know if you’re doing better or worse if you have no way to measure improvements over time? It’s like trying not to speed without looking at the speedometer: It’s possible, but way harder than it could be.
In addition, having security metrics ties directly to the problem of ROI (return on investment). More transparent ROI, more budget in the future. In other words, if you can quantify improvement and/or cost savings for an investment, that’s a much less risky investment than an opaque one where it’s impossible to know if it’s paying off or not. So not only do metrics mean you can use your current resources more efficiently, but they also very likely translate to more resources in the future.
Unfortunately though, putting a line item for “metrics” in your 2009 budget is pretty much a guarantee it’ll get redlined. It’s not a matter of how you sell it — instead, it’s about perception. When it comes to metrics, many large organizations have “been there, done that” syndrome — many of them have spent numerous dollars and hours chasing their tails over expensive, cumbersome initiatives that demonstrated marginal results. Smaller shops may have a perception that security metrics are just for the big guys — an expensive luxury that doesn’t make sense given their size. Pitching metrics in either of these contexts just isn’t realistic (but serious hats off to you if you can do it).
My advice is not to set yourself up for failure. If you know that a “tough sell” request (like metrics) will likely get spurned, why not try a grassroots approach that doesn’t rely on securing line-item funding? I can tell you how to do it in three “free” (or, more accurately, “hidden cost”) steps:
- Task your “rock star” resource (you know, the one that’s really good at making things happen) with evangelizing metrics.
- Communicate your commitment to your entire staff.
- Keep harping on it until you see progress.
Having a motivated, “self-starting” resource on the evangelism train will help to keep everyone motivated. Communicating the message broadly opens up the possibility for innovation on the part of individual resources. Constant reinforcement of the message keeps it in the forefront.
Do this, and in a month or two you’re almost guaranteed to see something happen. Maybe your staff will get really creative and start consolidating things you already track into a “dashboard view.” Maybe they won’t be so creative and they’ll just slap a “high/medium/low” on status items they already provide. It doesn’t really matter what your staff does, so long as it’s progress and you reward it.
Now, there’s no question you won’t get all the way to where you want to be out of the gate. But, hey — we’re doing more with less here. If you stay committed, your staff will continue to refine it at the grass roots — and what they provide will snowball over time once they see the value back to them.
Don’t Plan to Cut Waste – Cut Waste by Planning.
Second, plan ahead. Now, I’m not talking about high-level management planning here — I’m talking about planning at the grass roots. Everybody in the security organization, no matter how high or low on the totem pole, ought to have some plan for how they’re going to do their job cheaper/faster/better. In fact, if everyone’s not planning, you’re wasting money. Here’s why.
The culture of IT in most firms actually makes it very difficult for staff to plan and optimize. They have so much on their plate — so much to do — that pretty much their only option is to react. Being in reactive mode all the time limits planning — and lack of planning decreases efficiency and reduces quality. At the end of the day, your employees can tell you exactly where there are inefficiencies in your organization — and they might even be able to fix them — but they’ve got too much going on already to make that happen.
This is an unfortunate state to be in. Who’s best equipped to tell you how you can save money? The same people that are too busy to tell you. It’s a catch-22 unless you can come up with a creative way to untie the knot. On the plus side, though, once you start finding out where the inefficiencies are and weeding them out, you start to reclaim time that can be further invested into finding new inefficiencies. Again, at the end of the day, this isn’t hard to do so long as you keep on it and stay focused.
One strategy: Ask your employees what they’re biggest pain points are and get them to keep a “quick and dirty” record of where their time goes (keep it low-overhead — the goal here isn’t to create more work). Now, most organizations have a time-tracking system in place already, and the temptation is to use that to get this data. However, in practice, I don’t recommend that you use that same system for this purpose. First, you want it to be as accurate as possible, and many firms have nuanced requirements about what can and can’t get reported in the time system — you want to avoid that because it skews the results. Second, you also want it to be as “low pressure” for staff as possible — knowing that other people outside IT can view it (like accounting) can discourage accurate reporting.
Once this data starts coming in — your staff’s verbal assessment of where their time goes and the rough “log” — you’ll pretty soon realize where the inefficiencies are. Once you do, task the folks that are currently doing the work in the inefficient areas to brainstorm how to streamline it. You can even strategically allocate some of their time to that purpose if you can spare it.
Now, this sounds really simple — and it is. But the trick is to enlist the grass roots to help you make it happen. Not everyone likes efficiency initiatives that are driven from the top-down, but enlist their help and they’ll make time to help push it — after all, at the end of the day, it makes their jobs easier and more enjoyable.
Ed Moyle is currently a manager withCTG’s information security solutions practice, providing strategy, consulting and solutions to clients worldwide, as well as a founding partner ofSecurity Curve. His extensive background in computer security includes experience in forensics, application penetration testing, information security audit and secure solutions development.