Security Budgets and the Risk Tolerance Question
So what’s a security professional to do when you are already operating a lean organization? You are protecting your company’s assets the best you can? And you still are being asked to perform better with fewer resources? In this article I’ll discuss a few options for helping you meet the financial pressures of the organization while not going outside of the risk tolerances set by your management team.
Set Risk Tolerance?
Yes. Your Organization’s identified security risk tolerance. Step one in the security budget process is to understand that it’s really not your budget that finance is thinking of cutting. It’s not your risk that is going to be increased if activities that mitigate those risks are reduced. Both the risk and the budget belong to the entire enterprise and it is the business mission and goals of the organization that are at risk in this conversation. So before you can defend a security budget position, it’s critical that you understand and have some executive agreement on the level of risk the company is willing to accept. In a previous blog post, I wrote about how best to communicate security risk to executives. In that article you will find some ideas for how to understand your company’s acceptable security risk profile. Once you have an understanding of which security incidents your company cares most about mitigating, and which resources they consider most critical to protect, you have the beginnings of the conversation about the required budget.
Avoid the knee-jerk reaction to “cut your budget”…
Being told to “cut your budget by 20%” can shock any functional leader. Our natural reaction is to deny the possibility, to say we cannot possibly do that, and to try to find a way to avoid the cut if possible. But if this request is made of you at work, instead of going directly to “no” or “I can’t”, start by saying “yes”.
One workable approach is to say “Sure, let me see what I can do. I’ll get back to you in a couple of weeks”. Did you just promise finance you’d cut your budget by 20%? No. But you did clearly communicate that you will look into the request and find potential ways to meet that request. The willingness to engage in the exercise, and look into what can be done, sets you up in an active and engaged partnership to find savings. You should be mindful that the money being spent is being spent for a reason – to protect company-critical resources. You cannot simply reduce those protections without thought and examination, and agreement from the business executives who set the risk tolerance in the first place.
Who “owns” the risk exposure when security is cut?
The main reason that neither you nor the finance organization is in a position to agree to a cut in the security budget is that neither of you is the owner of the risk. The security risk is owned by the business owner of the resources that are going to be exposed to loss if the protections placed on them are altered. While it’s entirely possible that they might find the additional risk acceptable, they cannot be left out of this conversation. As the security expert that they rely on to manage their security risk, it’s critical that you engage those business owners in the conversation.
Tying your budget to resource protection and risk mitigation activities
With the assumption in place that you have already been working with your business partner on understanding their critical resources and their capacity to tolerate risk, there’s an exercise that you can do with your team that will help with the security budget discussion.
First, understand all of the mitigating activities that are performed across the enterprise, what the risks are that they are mitigating, and what resources are being protected.
Next, ask the person in charge of that activity what would happen to the level of risk to the resource if they were to cut the mitigation by 10%? 20%? 50%? At a 10% cut, can they still provide the same protections? At 20%? If not, what is missing? What is the exposure? At 50%? At what level do you reach the likelihood of an impact to the level of risk mitigation that you have agreed to with the business owner?
Once you and your team have an understanding of the potential impacts of cuts, it is time to engage the business owners of the impacted resources to see whether or not they feel that the decreased level of risk mitigation that accompanies the cuts is acceptable to them. If the answer is yes (at any of the levels), that they, as the leader of the function that is exposed to the risk, are ok with the change in their risk profile, then making that cut to the budget is a business decision that you can report back to the financial team. Easy enough. If, however, they are not ok with the potential business exposure that they incur with a decrease in security risk mitigation activities, then it is as a partner team that you can go back to the budget team and explain the need to either not cut, or reduce the requested amount of the cut, and you will have the backup of the business leader who can explain the real, tangible impacts to the business due to the requested cuts.
When you take this approach, it allows you to show the finance team that you have “done your homework”, that you, and your business partners, have looked at the real impacts of cuts, and that you are not simply defending the status quo for the sake of not losing your department’s funding. This approach shows that you are being a careful steward of the funds you are given on behalf of the organization, and that it is your business partners, in fact, who are asking that the organization spend the money.
Most critically, though, in this situation, it is neither you nor the finance department who are making these business decisions about risk… it’s the impacted business leader.
The security budget decision / outcome
It’s important to note that this approach may or may not result in a budget cut. You and your business partner may find that leaders in the organization, understanding the potential impacts, still choose to ask for cuts. It may be that a different level of budget cut is made, leaving the mitigation plan reduced but still somewhat in place.
Even so, this is a more successful outcome for the security function, because the exercise has framed the discussion in business terms, and the expectations are set and have been communicated to all decision makers on the new level of risk exposure and expected potential impacts due to the lessened level of protection available. Why is this better? Ask a business leader… are they ok with risk? The answer will most likely be yes. Now ask them… are they ok with surprises? I bet you get a different answer. This approach to the security budget cut conversation ensures there are no surprises, and that with all participants fully informed, there is no need for the “blame game” in the event that the reduced budget leads to a security impact.
As Vice President of the Integrated Security Solutions Management at G4S, Rachelle Loyear leads the team responsible for our establishing the G4S Security Risk Management Model and the associated business development and operational management approaches, as well as the G4S Integrated Practices.