Avoid Security Spending Fatigue

Computerworld - Xerox Corp. takes information security pretty seriously. It regularly conducts network vulnerability scans, as well as corporate audits of its risk mitigation efforts. A compliance program buoys employee awareness of its security processes -- as well as its disaster recovery, information privacy and Sarbanes-Oxley Act policies -- and an executive board champions adherence to them all. Meanwhile, the security budget at the Stamford, Conn.-based company is holding steady compared with last year, even as its other IT spending is down.

And yet, as Xerox Chief Security Officer Audrey Pantas says, "you never get as much you'd like -- you could always do more." And that sums up the mind-set surrounding IT security at corporations today: No matter how much money you pour into it, you'll always need to go back to the well.

With growing threats, increased regulations and plenty of media coverage when incidents do occur, executives have never been more aware of the importance of IT security. At the same time, spending fatigue may be creeping into the boardroom, as CXOs increasingly look for the business value earned on the security dollars spent.

"Senior management knows there's a problem, but it seems that every day the problem gets worse, and it's like there's no end in sight," says Robert Charette, director of the enterprise risk management and governance practice at Cutter Consortium, an IT consultancy in Arlington, Mass. "There's the feeling that they could give security every single penny and it still wouldn't be enough."

To keep the security budget from looking like a black hole, you need to articulate the value of the money being spent. Here are some do's and don'ts for doing just that.

Don't Use Scare Tactics

Every day, it seems, a story emerges about a backup-tape theft or compromised customer data. But don't overuse these incidents when seeking to justify your funding requests. "CXOs can become desensitized or jaded if they hear too much about reports that they don't think affect them," says Christopher Bomar, founder of Boomarang LLC, an online data-backup service firm in Cincinnati.

"FUD has been used up," agrees Mark Rhodes-Ousley, an information security architect and author of Network Security: The Complete Reference (McGraw-Hill Osborne Media, 2003). "So many people have cried wolf that executives are inured to scary stories."

You might, however, consider using recent security incidents to shed light on your company's needs. For instance, you can send out regular e-mails that put news stories into perspective and show how they apply -- or don't -- to your business, says Bob Dehnhardt, network and information security manager at TriNet, a human resources services firm in San Leandro, Calif. "You can use these incidents as an opening, but back them up with a strong business case," he says.