Let's begin with a brief overview of why we even care about network security. If our networks and data didn't need to be secured, we could just leave the gates open and allow anyone in. The reality is obviously far from that. Data needs to be secured because it provides your company with a competitive edge or because it's confidential personal information such as credit card data or social security numbers. There are thousands of reasons why networks and data need to be secured and the unfortunate truth is that there is always someone out there looking for a new way in. That said, it's also true that the majority of security breaches are internal. Whether permissions are incorrectly set, allowing a user to access an important file, or a sophisticated user manages to get hold of his boss's password in order to look at pay rates or performance reviews, security breaches, malicious or inadvertent, are most often an inside job.
According to the FBI, nearly 80 percent of security violations are caused by authorized users with legitimate access (i.e., "insiders"). Security threats include disgruntled employees, unsuspecting users, and outside contractors with insider access. U.S. companies spend over $6 billion annually on computer security hardware and software, but the best firewalls and security tools cannot prevent internal security breaches caused by internal issues (e.g., poor end-user security practices, inadvertent mistakes, lax attitudes, employee exploitation of security holes and intentional attacks or hacks).
How much is security worth? Network administrators are constantly under pressure to reduce costs and expand services. A recent study shows that as a percentage of revenues, IT budgets have gone down over the past few years. So, while the actual dollar amount of the corporate budget has risen, the percentage allocated to IT from corporate revenues has dropped (i.e., your company is growing but is not giving you the financial resources you need to do your job). For the sake of argument, let's assume that you have trimmed all the fat from your budget. You are running lean and mean and have no more "give" in your budget. What do you do when push comes to shove? Whatever your answer, it probably directly or indirectly impacts network security (e.g., not having enough IT staff to maintain systems; fewer upgrades to secure operating systems; fewer purchases or upgrades of intrusion detection systems; less time to plan and implement a comprehensive security solution).
So, rather than fall victim to decreasing IT budgets, let's discuss a proactive stance. As discussed in How to Cheat at IT Project Management, one of the keys to success in the IT world is understanding the company's business plan. No one is going to hand you a blank check; you have to be savvy. To that end, we look at some quantifiable and verifiable numbers that can be used to develop a strategy for getting your IT security budget approved.
The February 2006 issue of "CIO Insight Magazine" discusses a research study on IT spending. The conclusions? Many IT professionals agree that their companies do not spend enough on IT (i.e., IT departments are handling an ever-increasing number of projects while IT spending is moving away from hardware and software to staffing and services). The study also surveyed how IT budgets are spent. Interestingly, security software was eighth on the list of technology spending. Disaster recovery and business continuity was first on the list of initiatives. According to Ken Goldstein, an economist with the Conference Board (a business research organization), part of the reason companies are reluctant to spend more on IT is that businesses "haven't gotten full utilization out of what they've already spent, and they need to. They will not necessarily cut back their spending, but what we will get is this cautious, conservative spending." (CIO Insight, February 2006, p. 69.) Making the effort to align IT projects with corporate strategies and to develop and present a business case for key IT projects continues to be one of the best ways to ensure that your IT department has the tools and resources it needs. Security spending should be a discrete line item in your IT budget. You should prepare the business case for security separately (though in an integrated manner); otherwise it may get lost in the larger IT budget.