Most security leaders can identify with one of the following budget scenarios. Not all, however, will recognize the interconnectedness of the three. Can you?
Scenario 1: Company-wide budget cuts are on the way. You find an opportunity to defend your security budget in front of senior management, but you only have one day to prepare. The criticality of your security services seems crystal clear to you, but will it be to your CFO? Are you confident that you have the documentation, verifiable data and business unit support that will convince him/her that your function should be a high-priority investment?
Scenario 2: Budgets have been sliced across the board. You have five days to cut 9 percent. Do you know where your flab is? Can you say where your program transitions from mission-critical to “nice to have” without hesitation?
Scenario 3: Your company is booming, and you don’t anticipate a funding crisis in the near future. Security’s budget is safe, but what are you doing with it? Do you know exactly where the money is going, and can you make a case for each expense? Do you treat the budget as “your money,” or “security’s money” — or do you treat it as the company’s money, and view yourself as the steward of it?
So how are these three scenarios interconnected? It comes from your knowledge that:
• Responsible daily management is the only way to prepare adequately for budget defense — last-minute efforts will largely go unrewarded;
• Finding 9 percent to cut relies on an existing knowledge of where the money is going and what value each expense has for the organization; and
• If security manages its budget responsibly and proactively, then cuts and defense may not become necessary.
This article will not delve into the nitty gritty of how to budget — after all, budgets are handled differently in every company, and the security leader will be required to follow the company norm on the specifics of the process. Rather, this is an outline for a foundation that can be laid beneath any security budgeting process to help enhance efficiency and effectiveness and perhaps, in the long run, even help position the security leader for advancement.
Catalog Services and Cost
The first step in managing a budget is knowing what services the funds will have to support. This may seem simplistic, but it is a step many security leaders cannot complete without a great deal of thought and research. Being new to the position is one common reason for this difficulty, but there are others. When security programs grow organically over time, it can be hard to keep track of added services without concentrated and continued effort. The same may be true when security leaders must quickly develop their programs based on what is required by regulators or management to provide.
Security and risk management operates across other business functions up and down the organization. It is a complex function, and in many companies large and small, security’s work extends well beyond the barriers of “security.” Because of this, cataloging services can be challenging, but all the more necessary. If the security leader cannot point to a file, document or presentation that clearly states exactly what the function is doing, the rest of the business will not fully appreciate the breadth of services offered.
Once services are cataloged, the question becomes “What do these services cost?” How many full-time employees and contract staff are dedicated to each service? Is there staff outside the department that participates as well? How many hours do they spend on that part of their duties? What technical or material resources does the service require, what does upkeep and maintenance cost, and what is the price of purchase or planned replacement (both within and outside the department)?