"You have to start by assuming that you won't get all the money you ask for, decide what you really need, and present a budget 10 percent higher than that. If you approach things with the economic realities in mind, it's a lot easier to get what you really need," said John Stewart, CSO at Cisco Systems. "It's also important to cut out anything you might not need or can't get to; you don't want to ask for more money for things that you can't do and risk losing money in future years."
Stewart said that security teams can also use any time freed up by projects that are put on hold to forward lower-cost efforts, such as employee education programs, that will also help lower overhead expenses.
"So many security problems are not related to spending money, but are more around people and process change," Stewart said. "If you can convince more people not to plug infected devices into your network, if you eliminate some of the initial behaviors that end up costing you time and money fixing the problems they create, that's another great way to reduce costs."
At the Source Boston 2008 conference last week, other IT security leaders offered similar advice, recommending detailed planning and tying projects to larger business initiatives to prevent dollars from being taken out of the budget.
"You really have to manage your innovation pipeline like an investment, and if you start talking about things in this way to people who provide the money, they start seeing business drivers, how your projects can make them more nimble and profitable, and you can use that as ammo to make more investments," said Chris Hoff, chief architect of security innovation at Unisys.
"Ultimately, the more I can provide transparency about how I spend money, I can get more money and headcount," he said. "This tends to work best when I can demonstrate how I'm spending money for the right reasons, and really making a difference and not just buying toys."