A simple formula to get your IT security budget approved
Although there is greater awareness of cybersecurity threats than ever before, it is becoming increasingly difficult for IT departments to get their security budgets approved. Security budgets seem to shrink every year, and IT pros are constantly being asked to do more with less. Even so, the situation may not be hopeless. There are some things IT pros can do to improve the chances of getting their security budgets approved.
Present the problem convincingly
If you want to get your proposed security budget approved, you will need to present the security issues convincingly. While those in charge of the organization’s finances are probably aware of the need for good security, they’ve probably also seen enough examples of “security solution looking for a problem” to make them skeptical of security spending claims. If you want to persuade those who control the money, you will have to convince them of three things:
- You are trying to protect yourself against a real problem that poses a credible threat to the well-being of the organization.
- Your proposed solution will be effective and not just a “new toy for IT to play with.”
- Your budget request is both realistic and justified.
Use data to your advantage
One of the best ways to convince managers that there is a credible cyberthreat against the organization is to provide them with quantifiable metrics. Do not fall back on statistics collected from the Internet. Your organization’s finance staff are probably smart enough to know that most of these statistics are fabricated by security companies trying to sell a product or service. Instead, gather your own metrics from inside your organization using free downloadable tools.
Specops, for example, offers a free password checker that can generate reports demonstrating the effectiveness of your organization’s password policy and existing password security vulnerabilities. This free tool can also help you identify other vulnerabilities, such as accounts using passwords known to have been leaked or passwords that don’t meet compliance standards or industry best practices.
Figure: Example of Specops Password Auditor results in an Active Directory environment
Of course, this is just one of many free security tools available for download. Whichever tool you choose, it’s important to use metrics from within your own organization to demonstrate that the security problem you’re trying to solve is real.
Highlight what a solution would do
Once you’ve demonstrated the problem to the organization’s finance people, don’t make the mistake of letting them guess how you plan to solve the problem. Be prepared to clearly explain what tools you plan to use and how those tools will solve the problem you have demonstrated.
It’s a good idea to use visuals to demonstrate the practicality of your proposed solution. Be sure to explain how the problem is solved in non-technical language and flesh out your pitch with examples specific to your organization.
Estimated implementation time and visible results
We’ve probably all heard horror stories about IT projects going off the rails. Organizations sometimes spend millions of dollars and invest years of planning into IT projects that never materialize. That being the case, it’s important to reassure everyone by showing them exactly how long it will take to get your proposed solution up and running, and then how much longer it will take to achieve the desired result.
When making these projections, be careful to be realistic and not to make promises based on an overambitious implementation schedule. You should also be prepared to explain how you arrived at your projection. Keep upcoming projects, company-wide goals, and fiscal year ideals in mind when considering the timeline.
Demonstrate estimated savings
While security is of course a concern for most organizations, those in charge of an organization’s finances generally want to see some sort of return on investment. As such, it’s important to consider how your proposed solution could save the company money. Here are some ideas:
- Saving time for the IT department, thus reducing the number of overtime hours worked
- Avoiding a regulatory penalty that could cost the organization dearly
- Lowering insurance premiums because data is better protected
Of course, these are just ideas. Every situation is different, and you’ll need to think about how your security project can deliver ROI given your particular situation. It’s important to include a cost reduction element for clarity, even if it is only the average cost of a data breach in your industry.
Show you’ve done your homework with a price comparison
When you present your proposed solution, stakeholders are almost certain to ask if there is a less expensive product that would achieve your goals. As such, it is important to spend time researching the solutions offered by competing vendors. Here are some things you should be prepared to demonstrate:
- The total cost of implementing each potential solution (this may include licensing, labor, support, and hardware costs)
- Why you are proposing a particular solution even if it is not the cheapest
- If your solution is the cheapest, what you could be giving up by using the cheapest provider
- What each provider offers compared to others
A few quick tips
When making your budget pitch, keep in mind that those you are pitching to likely have a limited understanding of IT concepts. Avoid using unnecessary technical jargon and be prepared to explain key concepts clearly, but without appearing condescending in the process.
It’s also a good idea to anticipate any questions you might be asked and have answers to those questions ready to go. This is especially true if there is a particular question that makes you a little uncomfortable.
Present your information clearly, confidently, and concisely (i.e., be quick!) so you can make your case without wasting time.