Want Security Funding? First Learn the Business Language

by becki on January 10, 2010

The following article is one of my weekly papers for my MSIA degree at Norwich University.

Funding Security Projects

Getting Security Projects Funded in Small and Medium Businesses

This report will examine the process an information technology (IT) employee working for a small or medium business (SMB) might use to gain funding for security projects. This process could also apply to an IT or information security consultant hired by an SMB.

SMB IT Organization

SMBs by their very definition are small organizations. Consequently, SMBs typically lack dedicated staff to perform IT or information security (IS) tasks and many times SMBs choose to outsource these functions to a service provider. However, the process to gain funding for security projects should be nearly identical, regardless of whether the IS function is performed in-house or outsourced.

Funding Challenges

SMBs can also present a challenge regarding operating capital. According to SCORE, half of SMBs fail in the first five years. Based on that statistic, it is not surprising that the owners of an SMB are concerned about survival first and foremost. The IS employee or consultant must understand this environment if he or she hopes to gain funding for any security project.

Funding Process

The process for gaining funding for IS projects begins well before there is a need to request funding. The process begins with the IS professional learning the business. Security analyst and author, Mike Rothman, wrote, “Unless you understand your business, you can’t understand the leverage points that will appeal to the business leaders. Read your annual report. Understand how your senior team is bounced. Find out who will get fired if a system goes down.” In other words, learn the pain points. Find a way to help to solve problems.

Become a Valued Advisor

The SCORE website quotes the results of a survey conducted by American Express that asked where small business owners go for advice and these were the results:

  • 52 percent from individual mentors
  • 51 percent from social networks
  • 44 percent from trade associations
  • 36 percent from business advisors
  • 31 percent from the Internet
  • 27 percent from Chambers of Commerce

According to this survey, business owners are asking their friends for advice. Only 36% of the respondents asked their business advisors for business advice. This is an opportunity for the IS professional.

The IS professional has the opportunity to be viewed as a professional specialist on par with a lawyer or accountant. Business owners and management often do not know the answers to IS related problems, but they do tend to understand risk. Learn to speak to the business leaders in their language. Explain the risk associated with using group passwords or of not performing a basic background check on a candidate for employment. Explain how to reduce or eliminate risks and fines by shredding papers that contain personally identifiable information (PII). A business owner understands that a fine for every leaked data record may put the business into bankruptcy, but he or she may not understand that it is “best practice” to shred papers that contain sensitive information.

Governance and Compliance

SMBs can be subject to governance and compliance requirements as well. These are IS related issues, and the IS professional must know which governance and compliance rules the company is subject to. Examples include:

  • Sarbanes Oxley (SOX)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Payment Card Industry Data Security Standard (PCI DSS)
  • State and Federal data breach laws

In this case, the process for funding is fairly straightforward: the IS professional works with the company’s risk council if it has one, or with the company’s lawyer and top management if it does not. The IS professional would review the governance and/or compliance rules with the team, and would make specific recommendations including:

  • Costs – both capital and operating expenses
  • Project timelines
  • Risks – accept, transfer or mitigate and the costs associated with each

The IS professional who follows this process is speaking the language of the business leaders. They are speaking in terms of governance, compliance, risk, and managing risk. These are terms that are very familiar to the business owner and manager, and they can make decisions based on what is presented to them. If an IS professional presents the same information in terms of fear, uncertainty, and doubt, the business leader may have a more difficult time making a good decision.

Conclusion

The IS professional must realize that they are performing a vital business function only if they become integrated with the business. They must understand their business, the governance and compliance rules under which the business operates, the problems the business is experiencing, and how they can solve those problems. If the IS professional understands these things, they will have success in getting security projects funded. Conversely, if they propose security projects that do not solve a business need, or present them in a way that does not make it clear that they solve a business need, the IS professional will have a difficult time gaining funding for their projects.

Bibliography

“Small Biz Stats & Trends”. SCORE. 1/9/2010 <http://www.score.org/small_biz_stats.html>.

Rothman, Mike. “Guerilla Security Leadership”. FUDSec.com. 1/9/2010 <http://fudsec.com/guerilla-security-leadership-0>.
