Four Steps to a Secure Budget

Computerworld - After working as an in-house security manager in the financial services industry for many years, I recently moved to consulting work. This will give me the opportunity to work in a variety of industries (my current contract is with a company in the health care industry) and projects.
I've spent the past few days thinking about the many issues I face, trying to decide which one to discuss in this, my first column. In the end, it was an easy decision: extortion. I'm not talking about preventing employees or outsiders from stealing funds. I'm referring to my ability to "extort" appropriate funding from management.
There are less-cynical ways of looking at the budgeting process, but my experiences over the past few years at different companies have made getting blood out of a stone look simple in comparison.
Many security managers labor under the misapprehension that the budget process consists of working out how much you need, spending a few weeks coaxing your figures into the bizarre formats that the finance group requires, then defending your important projects in meetings. But my successful budgets have been the result of a different process - one in which I laid the groundwork well ahead of time. Here are four steps I follow to obtain funding from that parsimonious corporate bean counter.
Make the Business Case
Start by going back to your security basics and calculating your risk profile. Determine the potential financial loss arising from each of your threats, and multiply that by the annualized percentage likelihood of the loss occurring to get the annualized loss expectancy (ALE). Then demonstrate how much your project will reduce the ALE -- and how much money it will save the company.
Assuming you have a sound business case, document this clearly, explain your reasoning in great detail, and then submit it to the finance people. It will get rejected almost immediately, of course, because no one in finance will understand a word of it. But don't worry; you have to go through this step only to show that you've done your homework and to lay the groundwork for more productive tactics later on.
Introduce FUD
Next, use fear, uncertainty and doubt to your advantage. FUD is the most important acronym to salespeople hawking IT security wares, and you are trying to sell your own IT security services to the corporate bean counters. Sow fear ("Did you hear about that hacker who broke into NASA? I hope that doesn't happen to us."), uncertainty ("Yes, I know we