Budgets Are a Root Cause

As IT Security professionals, we are in an escalating arms race. We are already at a disadvantage that has been well described enough by others that I won’t rehash it here except to add that an often overlooked root cause is the corporate annual budget process.

If all parties agree that the function of an IT Security group is to strengthen the security posture of the environment, then there are a couple of assumptions. First, that the Security team has all the tools at its disposal to be able to assess the security posture. This means that they are aware of all known vulnerabilities (we all must accept that unknown vulnerabilities exist) and have either remediated them or dealt with the risk they create in a way acceptable to the leadership. Second, that the Security group has the ability to detect compromises and not only remediate them, but report with confidence when an incident is concluded.

All of that requires a lot of investment. There are many ways to do it, but that isn’t the point of my post. All of this not only requires a large investment, it also requires support from IT. There is no way a Security group can do any of this without IT support. Let’s assume further that the IT support exists and the Security group can do everything I’ve described and do it well. Upper management and likely the board feel very good about investing a significant amount of resources in Security. On the surface, this makes sense. Unfortunately, it isn’t that simple.

What we have in this scenario is a well run and well funded Security organization that is even capable of conducting root cause analysis and determining that occasionally, they are being compromised through a new vector. The Security group raises the gap and, what do you know, one of the vendors that you already work with has a solution for that. The best case is that you found the gap in November (assuming your fiscal year aligns with the calendar year for simplicity’s sake) and IT calls you in December because they have capital that needs to be spent by the end of the year. Second best case, you discovered the gap at the right time in the budget cycle to be able to get a bid and put the request in your next year’s budget. By the time the new tech is in place, a year has gone by. Most likely, you find it in January and wait almost eighteen months before you’ve addressed the gap. Whether it’s six or eighteen months, from a corporate perspective, it’s cause for celebration. From a Security perspective, it’s a disaster.

The scenario I described sounds pretty good. There are many companies that would love to be in this position, so if you already are, you have reason to feel good about the accomplishment.

But we are still losing at the company and the national level.

Part of the reason is that we are trapped by an annual budget cycle that compares everyone’s needs and attempts to prioritize them company wide. Each department has a list of ten or more things and, if they are lucky, each department will get their top three. Some companies have more sophisticated methods of determining risk to the company and may steer more money to IT Security, but they are still trapped in an annual budget cycle. What we need is a new process that is not bound by an annual cycle but is instead bound only by the ability of the Security group to demonstrate the need. If corporations were able to make this the new standard, it would be a huge step forward in addressing threats whose increasing speed is likewise not bound to an annual cycle. Even then, it would only solve part of the problem.

The larger problem that underlines and undermines all security activity is the treatment of the IT budget. As far as expenses go, the IT budget is a huge part of most companies’ overhead. Sometime in the late ’90s and early ’00s, companies realized that if they couldn’t make their numbers, they could pull the IT lever and reduce overhead. It was also at this time that outsourcing and then offshoring really took off. Some of these changes could have been made without introducing vulnerability into the environment, but since back then it was less of a concern, they rarely were. Even today, there is no recognition by Boards, CEOs and CFOs that reductions (often called challenges) to the IT budget have any security impact. Worse, IT is being cut to cover the increasing costs of IT Security. Then the Security group is made responsible for securing an environment that is riddled with technology debt that was created in order to fund security.

The scale will vary based on company size, but here is a common example: An IT group receives a $10-Million-dollar budget challenge. $9 Million of it is used to make up for lost revenue, and perhaps $1 Million is given to the Security group because the company is “pro security”. The result is a security program built on top of a rotten foundation. Many CISOs see the increase of their budget as a success, and indeed it is an improvement, but it must be viewed in context.

I’m not claiming that IT groups can’t find ways to do things more efficiently. There are many ways an IT department can reduce costs over time, and they should be challenged to do so like all departments. But that isn’t what occurs in most cases. If a company needs $20 Million in reduced expenses to make their numbers, the challenge to IT isn’t sized to whatever savings opportunities IT has actually identified. The challenge will be the full $20 Million, with no analysis of what makes sense, let alone what the impact is to security. The result will be the introduction of more vulnerability into the system. Worse, especially for those that believe they are masters of Risk Management, the impact will be invisible or, at best, improperly tracked or assessed.

In order to break out of the current cycle, we must:

  1. Create a flexible budget solution for Security that is not bound by the annual process.
  2. Stop looking towards IT to solve shortfalls in revenue, but instead challenge them to look for savings and use those funds to spend down their own technical debt and then invest the rest in Security.
  3. Where the second option isn’t possible, at least recognize the likelihood that a reduction in the IT budget has a security impact and ensure it is properly assessed and added to the existing Risk Management process.
  4. Educate the C-suite on the hidden security risk associated with IT budget reductions and add IT Risk to MBA curricula.
