If your annual cycle matches the calendar year, you’re probably working hard on a 2017 budget proposal to secure the funding for all you need to do on information security, cybersecurity, information risk management, compliance, business continuity and so on - doing it yourself or maybe helping the boss.
Is security awareness and training part of the plan, hopefully not just a single line item but an integral part of virtually everything you are proposing to do? If not, don't be surprised if, once again, you struggle to make much headway in information security in 2017. Security awareness is not just an optional extra but an essential prerequisite for success ... and the magic starts with senior management having sufficient knowledge, understanding and appreciation of what information security is all about to approve an adequate budget.
With that in mind, do you see the conundrum? Awareness is needed to gain funding for ... awareness and the rest of information security. How is that possible?
Here are five possible routes out of the paradox:
- Do nothing - the straw man option. Hope that your budget proposal is so self evident, so stunningly elegant and convincing that management is right behind you all the way. Good luck with that.
- Rely on management's general awareness and appreciation of information risk, security and related matters, since they are business people and these are business issues, right? Errr, maybe, but if you're actually talking about IT security or cybersecurity exclusively, you should not be surprised to find that management believes this to be an IT issue, making it part of the IT budget, meaning that you are hostage to whatever is planned for IT spend. Good luck again squeezing some cash out of the CIO and the IT organization that has its own investment objectives and plans that may or may not truly encompass yours. Worse still, do you see the gaping gap that opened up? What about all the rest of information risk and security that does NOT fall within IT or cybersecurity - including, yes, you guessed it, full-scope security awareness and training?
- Hope that previous awareness activities have achieved their aim, and that management is fully clued-up on this stuff. Perhaps you honestly believe it but, being a cynic, excuse me if I'm more than a little dubious. What makes you so certain that management gets it? Have you already been running an effective awareness program addressing the senior managers making those big budget decisions in strategic business terms that make sense (and if so, how did was it funded)? Or will you concede that this is just another cop-out?
- Just do it, in other words run the corporate security awareness and training activities on a shoestring, eking out whatever funding you can beg, borrow or steal from other areas. Squeeze something out of IT, a bit more out of HR or training budgets. Code it as "risk management" or "compliance". Do the whole thing on the cheap, and yet overspend (then seek forgiveness). This is a surprisingly common approach in practice but it doesn't take a rocket scientist to spot the flaws and the missed opportunities. 'Just do it' implies a piecemeal, tactical approach with little forward planning or consistency throughout the year. You're unlikely to be able to employ an awareness specialist, but maybe you'll cross-charge an IT project for some awareness activities, perhaps stump up for the odd few hours of someone's time to prepare some materials, prioritizing that over funding someone's attendance at a professional security training course, conference or whatever - or not, as the case may be. 'Just do it' programs give security awareness, and information security, a bad name. We can do better than that, much better.
- Quickly plan and deliver security awareness activities specifically targeting senior management - in person - right now. The budget is a classic situation that benefits enormously from leg-work: some quality time spent one-on-one with senior managers, explaining and discussing your proposal over coffee, through email, on the phone or even snatched moments sharing the elevator to the exec suite, patiently listening to their queries and suggestions, and addressing their concerns, will pay off handsomely in due course when the budget proposals are duly considered. Start by thinking and talking seriously about how information security supports the achievement of business objectives. Look carefully at the corporate strategies and policies in this area for the security hooks. Go beyond the obvious compliance imperatives to find business opportunities that revolve around both protecting and exploiting information - BYOD, cloud and IoT security for three very topical if IT-centric examples. Find someone in Finance to explain the budgeting and forecasting process and help you craft an even better budget proposal, with clear objectives and measurable targets (yes, security metrics). Get the CIO, CLO, CRO and other key players on-board, for sure, and preferably others too. Identify the blockers and dig your secret tunnels under them. Build alliances and collaborate to accumulate. Sell sell sell.
By the way, option 5 is what your more politically-savvy 'competitors' in the budget race will be doing too. It's all part of the game, whether you call it awareness or schmoozing or persuading, even social engineering. For bonus points, find out what works for them and emulate the most successful ones. Why is it that Ed from Engineering always gets his way at budget time? What makes Engineering so special? Is it, perhaps, the way Ed puts it across as much as the literal words in the proposal ...?
Oh and keep notes for next year's budget rounds in the hope of making an earlier start and a better impression!
PS In the unlikely event that you find yourself long on funds and short of time, we can help you spend whatever's left in your 2016 information security/awareness and training budgets to avoid the dreadful shame of handing it back ... with the risk of a corresponding budget cut next year. Seriously, let's talk.