During the good times, getting the security budget approved was relatively easy. But under much tougher economic conditions, the security budget comes under more scrutiny than ever because it’s hard to attach any specific return to the investment.
The folks at SunGard, an IT services firm, have come up with these five tips that IT organizations should use to remind the business side why it needs to invest in security.
CFOs are primarily concerned about risk and profitability. Information security professionals need to appeal to just a few drivers such as compliance, risk of legal fees or brand damage after a breach, and customer demand. Relating IT security to these factors will help the CFO understand the business value of any security funding request.
Compliance is the easiest issue, because it's a must-do. The challenge here is convincing the CFO that everything you ask for is required. Getting information about what competitors are doing helps, and citing the downside of non-compliance is important. The big regulations are GLBA, HIPAA, PCI, SOX and FFIEC.
A risk management – or more appropriately, risk avoidance – discussion should include legal and brand damage stories that may hit the news as the result of a security breach. When building your case, check out your competitors to see if they have had security issue stories. Also, there's always the latest poster company story that can be included, but even older security breach stories like ChoicePoint, T.J. Maxx or Heartland Payment Systems can help support your funding request.
Questions from customers about how your company manages security may be known to the sales force, but not the CFO. Ask the sales group if customers are inquiring about your company's IT security. If they are requesting this information, also get data on what those customers spend with your organization.
Look to support any program or funding request with independent validation.