IT budget

Is your security budget constantly challenged? Let’s change that. 

By: Joe Rivest
The problem with IT security is getting people to understand IT security. It’s not that people don’t care about safeguarding data and systems; they’re simply uneducated on exactly how your projects will impact security, and the organization’s welfare. And if there’s not enough money or support from upper management for what you need, it’s difficult to keep the organization’s networks, systems, and employees secure.

How do you get executives to pay attention to your pleas for increased budget? How do you get organizational buy-in on security?
Here are 10 tips to help you prepare for your next budget meeting with your boss.

1. Obsess over your security idea

IT budget
Don’t just pitch your boss on the latest security tool or a 10% budget increase. Pitch him on a vision.

You aren’t looking for a short yes or no answer, but rather a long-term commitment to your department’s security vision. Meetings with your boss should be opportunities to revisit the entire security strategy and tailor it to latest company goals, worldwide economic direction, and national security trends.

Think about the big picture for the security of your company. Is it to keep the environment secure so growth can happen? Or is it to avoid a potentially career-ending PR nightmare if a breach occurs? Why is the new tool/budget necessary to accomplish that big picture? Promote the need for change and explain why. Think of the short- and long-term goals this new tool or IT budget increase will achieve.

Remember, vision-centric discussion will inspire strategic decision-making.

2. Know your audience and build a business case around their interests

IT people often have a difficult time relating exactly what is needed, and how it impacts the business. As a result, executives often reject budget proposals because they don’t see the value.

Instead of thinking how a potential problem will affect your department, turn the tables. Find out how those problems would impact the company’s revenues, reputation, operations, customer relationships, etc. In short, how would they affect the company’s executives?

First, ponder on your executive’s unique needs. What does she care about? What makes her tick? What keeps her awake at night? (Hint: think of the company’s goals, especially the ones that aren’t being met).

Here are some examples to get you thinking:
  • Growing overall profits
  • Growing a specific product’s profits
  • Increasing brand awareness
  • Changing customer perception
  • Reducing risk
  • Getting media coverage
  • Pleasing stakeholders
Pick the most pertinent one (based on the executive you’re meeting with), and tailor your pitch to that topic. Ask yourself: How will this new security strategy/budget/new technology meet that particular goal? Or maybe, how would hitting that goal be affected if your proposal weren’t approved?

See Also: 7 IT Security Internal Communications Best Practices

3. Speak to company objectives

This tip is similar to the one above, but goes beyond a single tailored objective. Conduct some hardcore research on your organization’s goals for the coming year. Look at other departments’ objectives as well.

If you explain how your desired budget will help sales, marketing, business development, operations, customer service, etc. with their unique yearly objective, you’ll probably get better feedback from senior management.

For example, if the sales department wants 1,000 new leads in February, explain how your new budget will help them with that objective.

4. Use other organizations as examples

For some reason, most in upper level management believe their company is invulnerable to security breaches. While you don’t want to dissuade their trust in your department, highlighting the fact that other organizations just like yours have been hacked should help them face the reality of the situation.

I don’t endorse the use of scare tactics. However, pointing out recent vulnerabilities that have led to today’s headline breaches is a decent strategy to back up your arguments. Use concrete examples of other organizations similar to yours (especially competitors) to illustrate the exact reason behind your desire to increase security.

5. Let data tell the story

I’ve heard a picture is worth 1,000 words, but I think data has an even better track record when discussing budget increases with the head honcho.

Showing statistics relevant to your case helps people see exactly what you’re doing and if investing in the idea is worth it. For example, if you’re trying to upgrade your vulnerability scans, show them the latest statistics from the National Vulnerability Database and recent SSL attack trends. Mention statistics that back up exactly how long businesses remain vulnerable to attack.

Don’t forget to use case studies from your own systems and tools to illustrate how your organization’s security posture is doing. For example, show a report of the number of attack attempts on your website from this month, and how it has increased over the past year. Show them the vast list of malware your anti-virus system contained in the past week.

Better yet, work with marketing to conduct a customer poll on security and use the information as persuasive data in the next meeting with your boss.

6. Don’t let your emotions control the situation

It’s likely you’ve put a lot of time and effort into researching this idea or budget increase. If the idea is not well received, it’s easy to get angry, defensive, or argumentative.

Arguing brings resistance from the audience and ultimately prevents you from changing perceptions. You want positive emotion to surround your idea, not negative. Ultimately, your unchecked emotions can diminish your influence and weaken your message. The concluding feelings of this meeting might even bleed into future IT budget discussions.

7. Prepare to measure success

Before you ever discuss your security vision, or get approval for a new budget, show exactly how you’d measure its success (or failure). Your commitment to this new budget or tool will be obvious, and they’ll see how serious you are about its importance.

When you eventually receive your data from new technologies, or have made progress with a new security process, ensure you set up a review meeting to discuss its impact on the organization.

8. Let them choose (good, better, best)

security buy-inIf you raise an issue with the executives (e.g., we need a new firewall), but don’t offer a solution, they’ll put it on the back burner, or may come up with a solution you don’t like. Explain the situation, offer specific solutions, and let them choose which option they think is best for the company.

There’s a little bit of psychology behind this recommendation, and it works for budget increases as well as investments in new products.

First, conduct a bit of research on three options, and then present them to management.

Option #1: A product that’s obviously too expensive, and too complex for your needs.

Option #2: Your ideal product.

Option #3: A product that’s less expensive than the middle option but would still work for your situation.

This is an age-old persuasion technique, and it will let the executives feel they have the power to decide. The secret is: whatever decision they make, you still win. You make the decision as easy as possible for them, and you’re still happy with the outcome. Win-win.

9. Get buy-in from other departments

If you have siblings, you might remember ganging up on a parent to get what you wanted as a child. Similarly, you need advocates in your organization to plead your case to upper management. Often, it takes multiple departments to be on board for true change to occur.

It would be beneficial to first schedule a meeting with other departments to discuss how the new IT project/budget could help them if approved. Then, blatantly ask them if they will back you if negotiations with your boss don’t go as planned.

Be advised, if other departments support you, prepare to scratch their backs in the future.

10. Prepare for questions

The last thing you want to do is deliver your pitch and be befuddled by the first question you’re asked. If you don’t know every in and out of your vision, you shouldn’t be pitching it.

Prepare and anticipate the questions an executive might ask, including goal and revenue queries:
  • “Will you need this budget again next year?”
  • “When will we see the benefit from this technology?”
  • “How will stakeholders perceive this new tool?”
Learn how hackers hack businesses or learn how to make your PCI DSS auditor happy.

What if you don’t get what you want?

If your idea is rejected, don’t despair. Here’s what you can do in the meantime.
  • Be patient. Patience is a virtue. An executive’s budget decision might rest on landing a new client, or maybe they need to sleep on it. Perhaps they’ll reconsider after the next large data breach graces the news.
  • Plan another pitch . . . with friends. Commit departmental advocates to back you in another meeting. Explain the same pitch in a different way, and ask your advocates to put in their two cents (since you already know they’re on your side).
  • Start a metrics dashboard. Prepare pertinent data for the next meeting.
  • Find someone they will listen to. Perhaps your boss trusts the CFO. Get the CFO to put a bug in his ear. Often, upper management relies heavily on outside security consulting services for strategic decision making. Get a security consultant to convince your boss for you. (Need security consulting services?)
Do you have other successful budget-approving ideas for convincing upper management of security’s importance? Let us know below!

Joe Rivest is the Senior Director of Enterprise Sales and Market Development, and has been with SecurityMetrics for 3 years. He has worked in the IT industry for 21 years.  Joe added knowledge of disaster recovery and back-up services with a role at Seagate E-Vault before joining SecurityMetrics in 2012. Joe holds a Bachelor of Science and a Masters in Business Administration from Brigham Young University.

learn about PCI from the SecurityMetrics PCI learning center