Pragmatic CSO Newsletter #62
July 23, 2008 - #62
Mike's Pep Talk:
"I found there was only one way to look thin, hang out with fat people." - Rodney Dangerfield
No, I'm not coming clean about being a little too festive on my vacation. Although I was. Today's pep talk is about the inevitability of your boss (or maybe even your boss's boss) coming to you and asking about cutting your budget. That's right, you'll probably be faced with tightening your belt over the next few quarters.
Which is OK because that chocolate cake (and 3/4 of a pizza) are over-rated anyway...
After the first few announcements from public security companies, and some of the other information sources I track - it seems that the security budget is still reasonably safe. At least relative to other things (perhaps like virtualization?). But to make the assumption that because our budget seems safe today, that it will be safe tomorrow is pretty much dumb.
You didn't become a Pragmatic CSO by being dumb. You have spent a lot of time building relationships and that means the senior folks may come and ask for a favor. Cut out some of the "nice to have" expenses built into the budget, and take a few for the team.
Can you do it? Where would you cut? What doesn't absolutely, positively need to get done yesterday? Of course, you already know the answer. Just go back to Step 1 and remind yourself what is important. Make sure those resources are protected, and let everything else slip a bit.
Of course it's sub-optimal, but it's reality. I personally (and no I'm not an economist and I've proven to be pretty crappy at predicting much of anything) believe that the second half of the year is going to be pretty bumpy and that security budgets will be cut as well. So get out ahead of it and start revisiting your 2H spending plans and see what can be moved to 2009.
A bunch of folks are increasingly talking about this reality. eWeek has some suggestions to defend your budget. Things like metrics (no, I'm not going to get started on that) and comparing your baseline to others (via things like CIS benchmarks), but in reality the answer isn't to fight for every last penny. It's to be a member of the team and cut like everyone else.
Some of the best advice I've seen on the topic comes from Stuart King, who reminds us that we can "negotiate" better with vendors (they need to hit their numbers too) and also that we need to really assess what is GOOD ENOUGH security.
We have the opportunity to win big points with the senior team by helping out when budgets get tight. You can squander it and alienate yourself from the rest of your management team. Or you can do the right thing for your business. The choice is yours.
CAVEAT: OK, to talk out of the other side of my mouth for a second, make sure that you really can cut before you willingly cut. If your security program is in shambles and it's just a matter of time before you have a huge breach, then obviously make it very clear that cuts in security spending put the organization at risk and in jeopardy. But make sure that is the case, not you just trying to save your cushy little security empire.
Photo credit: toffer

