Implementing a self-funding security program
In a business climate that is increasingly intolerant of any new “spend,” it can be difficult to rationalize funding new IT initiatives – even ones that have clear short- and long-term value to the company. The same business climate, however, is driving up both internal and external threats and resulting in increased regulatory pressure. What can an information security professional do?

To navigate the challenge of improving security with a flat or reduced budget, enterprises are exploring the concept of “self-funding” IT security projects. In these projects, a vendor may collaborate with the IT manager or CISO and IT finance to determine an incremental deployment scenario. The process enables the IT manager or CISO to see exactly where and when they will achieve operational savings and how this will impact internal accounting. It enables enterprises to start improving security levels one step at a time, map savings and efficiencies to priorities, and optimize budgets.

This “self-funding” approach speaks directly to the issues the CFO cares about in a manner that will permit him or her to be helpful. As a result, the discussion could move from outright rejection to a rather more productive one.

From:

Manager: If you allocate the money, I will make improvements and, in some number of months or years, it will pay for itself.

CFO: We don't have any money. Don't let the door hit you on the way out.

To:

Manager: We have increasing threats, outstanding audit issues and increased pressure from the business to improve service quality. We can address all of this through automation, so I've considered the various financial budgets (IT Operations, Capital Appropriations, Capital Expense) and come up with an incremental approach that will not negatively impact any of them. This is possible because we will execute the project incrementally. We will make coordinated investments and achieve corresponding savings in a manner that works within each budget. From an accounting perspective, we will reallocate some expense flows but there will be no net impact to the bottom line.

CFO: Why don't you have a seat?

The solution and process
Here's a step-by-step process that could help get you where you need to go.

First, engage the key stakeholders: CIO, CISO, IT Governance, IT Finance. In some cases, the CIO may only need to know that you can achieve your objectives without any budgetary impact. Also, be sure you understand concepts like capitalization policies and amortization – you will almost certainly want to avoid characterizing projects as “migration,” “conversion,” or “upgrade.”

Second, understand your specific requirements. At a minimum, you may have to address some basic audit issues. For example, in the case of identity and access management:
  • Ensure that you disable all access for employees when they leave.
  • Stop using the “model-after” approach (copying an existing employee's entitlements) to determine access for new employees.
  • Ensure that all access to high-risk or key financial applications is reviewed by the business owner on a periodic basis.
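As an added illustration that is not part of the original article, the first and third audit issues above can be checked mechanically by reconciling an HR roster against application account data. The roster, account records, application names and the 90-day review period are all constructed assumptions for the example.

```python
from datetime import date, timedelta

# Constructed sample data (not from the article): HR roster keyed by user id,
# and the accounts that exist in application systems.
HR_ROSTER = {
    "alice": {"status": "active", "end_date": None},
    "bob": {"status": "terminated", "end_date": date(2024, 1, 15)},
    "carol": {"status": "active", "end_date": None},
}
ACCOUNTS = [
    {"user": "alice", "app": "general-ledger", "enabled": True, "last_review": date(2024, 3, 1)},
    {"user": "bob", "app": "general-ledger", "enabled": True, "last_review": date(2023, 12, 1)},
    {"user": "carol", "app": "wiki", "enabled": True, "last_review": None},
    {"user": "dave", "app": "payroll", "enabled": True, "last_review": date(2024, 2, 1)},
]
# Assumed set of applications the business owner must review periodically.
HIGH_RISK_APPS = {"general-ledger", "payroll"}


def find_leaver_access(roster, accounts):
    """Audit issue 1: enabled accounts for people HR marks as terminated,
    plus orphan accounts with no HR record at all (often ex-contractors)."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        person = roster.get(acct["user"])
        if person is None:
            findings.append((acct["user"], acct["app"], "orphan: not in HR roster"))
        elif person["status"] == "terminated":
            findings.append((acct["user"], acct["app"],
                             "leaver: HR end date %s" % person["end_date"]))
    return findings


def find_overdue_reviews(accounts, high_risk, as_of, period_days=90):
    """Audit issue 3: enabled accounts on high-risk apps whose last business-owner
    review is missing or older than the review period."""
    cutoff = as_of - timedelta(days=period_days)
    findings = []
    for acct in accounts:
        if acct["app"] in high_risk and acct["enabled"]:
            if acct["last_review"] is None or acct["last_review"] < cutoff:
                findings.append((acct["user"], acct["app"], acct["last_review"]))
    return findings


if __name__ == "__main__":
    for f in find_leaver_access(HR_ROSTER, ACCOUNTS):
        print("LEAVER/ORPHAN", f)
    for f in find_overdue_reviews(ACCOUNTS, HIGH_RISK_APPS, date(2024, 4, 1)):
        print("REVIEW OVERDUE", f)
```

Run against real exports, the same two checks produce the evidence an auditor asks for and show which manual steps are worth automating first.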
Third, understand all related processes and use ABC (activity-based costing) analysis to be sure that you know where you will get the most leverage from automation. In retail organizations with high turnover, an inordinate amount of work (and risk) is associated with joiner and leaver processes. In more stable companies, changes and attestations might drive more labor cost. Consider how much work could be avoided by automating each part of these processes.

Fourth, begin an iterative process that considers budget cycles, potential efficiencies and audit/control requirements:
  • Take close account of cash, cost of cash, capitalized expense amortizations, etc. In doing so, you will plan and re-plan your investment and deployment scenarios. Sometimes you will push for control, other times you will push for efficiency.
  • Don't be discouraged if you cannot achieve all of your controls in the first phase. Be conservative in your assumptions of risk management for operational efficiencies.
Benefits
Cost savings from self-funding programs can come in several forms. The biggest category of savings relates to the creation of operational efficiencies. Many audit processes now call for centralization of security administration, so implementing technology that pulls data from several locations into one dashboard view will help to accomplish management efficiency. Depending on the particular situation of any given organization, savings can be achieved through reduction of staff, or through re-allocation of highly valuable, and highly paid, resources, which will be freed up to work on more interesting, and often more rewarding, projects.

Efficiencies can also extend beyond IT to other employees. For example, a deployment that streamlines access management processes could allow new employees or contractors to begin their work on day 1 of their employment without delays. Time savings could also appear when it comes time for compliance reporting. Considering the example of an identity and access management deployment, more robust, automated compliance reporting throughout the year can save countless hours when it comes time to prove compliance with various regulatory standards. That time can be used for any number of other IT practices.

Make it work

This is work, but it really works. It will take time and energy but you can be successful if you remember the basics:
  • Partner with vendors that have the solutions and broad knowledge required. If they believe in themselves, they might even be willing to share some of the risk.
  • Remember the old adage – incremental progress is better than delayed, or unattained, perfection. You can get there.