Best Practices: Security Budgeting for 2005

IT must cope with under-funded regulations, more CIO leeway

As companies finalize their budgets for next year, security managers want to know if there’s more money for security, if they’re going to get it, and where else the IT budget is going.

Good news: many companies are refreshing their systems and technology infrastructure for the first time since Y2K, and giving CIOs and CSOs more leeway when it comes to addressing their new infrastructure’s security. At the same time, experts say, many companies are also prematurely decreasing funding for compliance projects.

To discuss budgeting trends for 2005 and more, Security Strategies spoke with John Pironti, an enterprise solutions architect and security consultant at Unisys.

Are organizations dealing with 2005 budgets yet?

Everyone’s in budget cycling now … [come] September, you know you have a month of hell with budgeting.

What trends are you seeing with budgeting for next year?

One of the things we’re finding very interesting around IT, information security, and audit, is that at least in the U.S. going into next year, there was a lot of money put into regulatory compliance, namely Sarbanes-Oxley.

There’s a big question now: will that money stay or go? … Will all the CIOs and CSOs looking to retain that budget money be able to do so? That’s a question because regulation is not really a one-time effort. Although—in a lot of cases we’ve seen in the last 18 to 24 months—it does take an initial kick of capital to get working.

Regulations were always meant to [become] a business-as-usual process … [Yet] from the CFO side of the house, you’re hearing, “We shouldn’t need that much money anymore.” And CIOs and CSOs are saying, “No, we still need that money to [make the regulation become] a business-as-usual process.”

Why is there a disconnect?

Well, this was the second coming of the Y2K money, we like to say. Back in 1998, everyone was getting funds to get Y2K-compliant. In 2002, we started seeing the same thing for regulations, and Sarbanes-Oxley … Now, after Y2K we saw a big drop off in IT spending, because there was this thing people no longer needed to fund, and [CFOs think that applies to regulations now too].

The question I’m hearing from a lot of people is, "How do we convince the business that this is an ongoing process?" Though if you’re in the financial world, you’re still dealing with the Gramm-Leach-Bliley Act stuff.

We’re seeing some success with people moving to programmatic [and business process change] activities, where they aren’t in place yet … But other budgets are being cut back … because they’re being treated as an event, as a one-time occurrence.

Why don’t CFOs get it?

People are underestimating the costs associated with it. To do a transformation of a business-as-usual process, which is what the goal of the regulations is … requires a cultural change, and that’s typically a 24-month process … After implementing it, it requires moving it out to the user base and … making it part of everyday activity.

That is the challenge that we have in trying to help CFOs and other people [understand]. IT is typically driven by event activities … the big three [events] in recent history being connecting to the Internet, the e-commerce revolution (customer self service, etc.), and Y2K. So [CFOs] looked at the regulatory requirements and getting that in place, and a lot of times the budget aspects were looked at as a lot of things have to be done [once].

The big [budgetary] assumption is you can reduce the cost going into the second or third year, because they’re looking at it as technology only, not people and processes … But it really is more about behavioral activity, and processes and procedure, than it is about technology.

Do security chiefs have difficulty articulating their compliance-related budget needs?

I see a lot of CIOs and CSOs stumbling with how they present this. Traditionally they present it as, "I need this for next year—this tool or technology." They don’t understand the soft, human costs.

But isn’t it difficult to forecast what ongoing regulatory compliance will cost?

That’s the big question. The CIOs and CSOs and audit guys will look at me and say, "How do we continue it, and how do we keep it going?" The CFOs say, "We have to be in compliance by November 15—for Sarbanes-Oxley—and after that date, why do you need more stuff?"

That’s the Sarbanes-Oxley deadline?

November 15 is the safe one. The official date is November 11, but nobody thinks anybody is going to show up November 12 and put them in jail.

So are all regulations being treated equally?

For some regulations, there’s definitely more funding being put into place, particularly with financial institutions [and] Gramm-Leach-Bliley … because [it’s] really challenging organizations more than ever before, specifically around protecting customer information … So because they’re going to be tested on it year by year, and examiners are all looking at it, this is definitely something that has to be made a business-as-usual process as quickly as possible.

Is Sarbanes-Oxley not as top of mind for other organizations?

The interesting thing about Sarbanes-Oxley and even Gramm-Leach-Bliley is we’re still waiting for the case law around it … Somebody’s got to get indicted, and somebody’s got to go up against a judge, who has to interpret … what is or isn’t [required] …

The health care guys—the HIPAA guys—fight against this constantly. They go back and fight and say, "I can’t enable this because it’s going to cost too much, it would cost my whole IT budget." … There are actually guys I know out there who are doing strategy for clients, [giving a lawyer’s perspective] as to which regulations they need to comply with immediately, and which they should implement next year, or in two or three years.

Is implementing a whole regulation all at once just unrealistic?

Yes, it’s easier to put on paper a regulation that says thou must do this, but it’s more difficult to actually say, "How do I do that?" because there are no universal implementations.

For 2005, will security spending increase?

There is definitely some money moving back into the IT groups. We’re seeing people starting to release some funds back into groups that were withheld before. We saw that last year in Q1 and Q2, then it pulled back. The plan next year is to be more even-keeled.

We’re at a refresh point for a lot of people with a lot of technical infrastructure. A lot of people haven’t refreshed their systems and their infrastructure since Y2K, so … their equipment appreciation is getting to the point where it’s time to refresh … [Hence] I am seeing more breathing room being given to CIOs and CSOs.

For next year’s budgets, where else is funding going?

For how we get this to a business-driven solution, as opposed to a technology-driven solution. So speaking of security, how do we make information security a business-driven entity in the organization versus a technologically driven one? And how do we make a proactive versus a reactive approach to information security? Because a lot of people are getting killed with patches and remediations and such. And they’re saying, "I can’t afford to budget for all these events every year. I budgeted for all these things, and all of a sudden I get one event and it blows out my whole budget."

How are CIOs pitching this get-ahead approach?

It’s being submitted somewhat as a regulatory thing, because that’s where money is going, but it’s also being submitted from a cost perspective … We’re just waiting for the attacker to attack us and trying to patch the holes, rather than doing a proactive analysis and [getting ahead].

So it’s almost like a business-continuity and disaster-recovery type [of] scenario. You’re building the plans before they happen. The same thing can be applied to information security and business impact … You can start building what I call cookbooks for response, so you’re not always just reacting … Heroic efforts tend to cost a lot of money … and they tend to kill your resources.

I’m seeing a lot of the smarter (and especially larger) organizations approaching information security in a programmatic fashion, and they’re using the regulatory for some of that. The financial guys, under Gramm-Leach-Bliley, they have a programmatic responsibility—as stated under the regulation—so they’re using that as a catalyst when they go to talk about their budgets … They’re saying, "We want to be a truly viable business entity inside the organization, that enhances the brand … "

How can CIOs and CSOs make a cost argument for getting proactive instead of reactive?

One of my largest finance customers [was] spending, on average, $5 million per security incident—viruses or worms—for recovery. When we helped them install a threat and vulnerability management solution, the last incident didn’t turn into an incident for them—though it did for their peers—and it cost [this company] less than $1 million to remediate.

So there’s definitely a dollar-cost analysis associated with threat and vulnerability management solutions, which goes well beyond patch and vulnerability management stuff. That proactive view really means viewing threat activities and building a true risk analysis program … and building business processes … and a prioritization structure … Business leaders understand risk-mitigation concepts very well.
