Because many organizations are beginning to wrestle the funding beast at this time of year, I thought I'd focus this post on the question of "appropriate funding."
Management Doesn't Get It
One of the arguments I’ve heard folks use to dismiss the notion of a risk-based approach to security is that it’s been tried and failed.
The argument goes on to claim that it isn’t possible to get appropriate funding for security because management just doesn’t “get it”. And, while I agree that many (most?) past attempts at risk-based security have struggled, I’d submit that it was because the methods used didn’t address risk effectively. They often focused solely on worst-case outcomes (which is the Chicken Little problem), didn’t apply any rigor in determining risk, simply focused on vulnerability (but called it “risk”), or treated the problem as a possibility issue versus a probability issue.
Do We Get the Business Perspective?
Of course, any discussion about funding raises the question of what constitutes “appropriate funding”. It’s naive (or arrogant) to believe that I, as a risk management professional, am in a position to understand the incredible mix of business issues that determine the right risk balance for an organization. Running a business requires weighing the various risk domains management faces (investment, insurance, product, market, security, etc.) as well as complex value propositions in light of the organization’s objectives and limited resources.
And, while it’s imperative that risk professionals seek to understand the business side of the equation, we are never going to have the same breadth and depth of vision into the organization’s unique mix of business issues that executive management has. Combine that with the fact that it isn’t our personal risk tolerance that matters, and it should be crystal clear that complaints of being “underfunded” have to be cast in the light of “Compared to what?” Compared to what we think it ought to be? Compared to some industry baseline of questionable applicability to our particular organization?
Of course, as a CISO I struggled to get management support for years. I tried leveraging fear, uncertainty, and doubt. I also tried the old “You have to do it because it’s best practice” card. And although both of these can work for a while, at the end of the day, management’s perspective will likely be that you’re paranoid and that you lack perspective about the nature of running a business. As a result, over the years I’ve come to the conclusion that if I believe I’m underfunded, then it’s likely that:
- I haven’t done a good job of communicating risk to the business,
- I don’t sufficiently understand the risk tolerance of the organization’s leadership, and/or
- I don’t understand the mix of competing risk issues, resource limitations, or business objectives.
Delivering High-Quality Risk Information
It’s my responsibility to see that I’m not underfunded by providing high quality (unbiased) risk information to management. If I do that, then I can expect to receive an appropriate level of funding, given the other business considerations management faces and their risk tolerance. The funding may be less than I’d like given my risk tolerance, but that’s a personal problem.
Frankly, after taking a risk-based approach to my job, I had very little difficulty getting management support for the stuff that matters most.