Enterprise security budgets have always been difficult to justify, and the global economic crisis is making this critical process even more difficult, according to Gartner.

Corporate security professionals face a complex situation as they work with highly constrained financial and staffing resources to manage and mitigate a rapidly changing and expanding risk environment.
“Most corporate IT expenditures are inevitably under intense scrutiny during this period of economic uncertainty and IT security and risk management – although less radically affected than overall IT budgets – is no exception,” says Jay Heiser, research vice-president at Gartner. “The keys to justifying and optimising security spending are to ensure that security and risk control practices are meeting explicit business objectives and, crucially, to persuade the business to take ownership of risk.”
However, Heiser warns that security professional are unlikely to achieve these critical goals if they fall into one of four common risk management mistakes:
* Taking a ‘one size fits all approach to security and risk management – The same level of protection, or the same level of security spending, can’t be simultaneously effective and economically viable for each business unit, much less for every component within a single business unit. An optimal level of security spending takes into account the assessed level of risk, avoiding overspending and overprotection. Business managers should be offered a relatively small number of risk management profiles that are designed to meet different use cases for data sensitivity and risk.
* Making plans based on what the security organisation wants, not what the business needs – Security professionals have historically made technology-centric investment, implementation and deployment decisions based on what they believe is required, rather than on what the business needs. It is impossible to defend security plans, and the budgets they require, if they aren’t based on business objectives. If business managers can’t or won’t provide information about risk significance of their business processes, then high-level managers must step in and mediate.
* Making risk-related communications too complex for the business to understand – Security professionals must develop a consistent way to express and articulate the security-criticality of specific IT systems, information assets and business processes. Gartner recommends a simple three level scale – high, medium and low – to provide a common reference point for articulating the business criticality of IT that can potentially be used for a corresponding set of risk management service levels.
* Allowing LOB managers to transfer their risk to the IT organisation and the IT security organisation – Line of business (LOB) managers are only too willing to take advantage of the IT organisation’s and IT security’s willingness to accept residual risks, making the mistaken presumption that IT’s “standard offering” will effectively address any form of IT risk. Such an approach makes the IT organisation, or the IT security organisation, the scapegoat for security failures and any consequent reduction in perceived service or flexibility. Internal “market forces” can help align risks with benefits, if all systems and information assets are ‘owned’ by specific business managers who are accountable for any failures in security or continuity.
“Simple, manageable risk assessment frameworks, explicit acceptance of residual risk and security service level agreements (SLAs) will make it possible to deliver sound enterprise security, and to defend security budgets against cutbacks,” said Mr Heiser. “The first step that IT risk managers can take towards better alignment with the business is not to treat business managers as a problem that needs to be solved, but rather to regard them as customers who need secure and reliable computing services.”