Security may be a hot-button issue for business executives, but in an environment of ongoing economic uncertainty, support for security initiatives isn't always easy to come by.
Whatever's standing in the way -- be it politics or personal agendas, inflexible budgets or outright adversaries -- security professionals need to work hard to loosen the purse strings and get funding for the programs they believe in.
"There's no carte blanche for security," says Roland Cloutier, CSO at ADP, a $10 billion business solutions outsourcer.
"It's an ongoing chore to prioritize our spend, align with business priorities and promote our requirements so we can get that extra dollar to protect the company," he says.
Dave Cullinane, CISO at online auction giant eBay, agrees. "Where we're spending, what is the risk and what is the appropriate expenditure -- all these things put together are making it more challenging to get things approved," he says.
We asked several CSOs (many of them former CSO Compass Award honorees for achievement-filled careers) to tell us their best getting-it-done tips, and we distilled them into nine tactics for getting your security initiatives moving despite numerous obstacles.
1. Do the math
With funding tighter than ever, it's crucial to present hard numbers on why your project or initiative is important. "If it's just marginally improving the level of security, that's probably not enough," says Richard Gunthner, CSO at Mastercard Worldwide. "There needs to be a return on investment that makes sense."
With so many potential exposures -- malware, system threats, new regulations -- Cullinane says a big part of his job is building a risk picture and quantifying it, so that it shows both the residual risk and the ROI of the intended fix. "If I can demonstrate that a $6 million investment will result in a $300 million risk reduction, the CFO gets that," Cullinane says. "But you have to prove the initiative will result in that reduction, and quantification is the hard part."
Then, follow up with the results. "It's showing [them], here's where we started, and here's where we came to in a short period of time," Cullinane says. Once you build credibility, the money will come more easily. "I'm giving [the CFO] back $5 for every dollar he gives me, so he's willing to give me more -- one of the nice things about security is you can demonstrate that," Cullinane says.
One example is a recent investment Cullinane's organization made in advanced malware-detection tools. When Cullinane asked his investigative team to conduct a pilot test to detect any major issues with employee laptops used to work from home, "we found we had a much more significant malware problem than we thought we had, especially targeting people in HR and finance," he says.