The art of budgeting:
How to ask for money for information security

All great ideas ultimately regress into budgets. That is the cast-iron law of corporate and governmental conduct. It particularly applies to all matters of the technological persuasion. It guides any pleadings to spend on information security. Information security programs will choke without an adequate and steady supply of cash. That is just like trying to live on rarified oxygen. The difference is that a strangled information security program is not only dangerous but can also produce unpredictable consequences costing far more than anybody can imagine. Therefore, the art of securing money for information security is perhaps the most important skill if you are to safeguard the information assets of an organization.

This story is a sequel to what I wrote at the end of September for SearchSecurity.com. I explained that you do not apply the same logic as when asking for protection against a bank hold-up. Just consider that your networked information systems contain thousands of cracks open to electronic intrusions. What you most likely have are millions of lines of shantytown quality codes, mostly exposed to destructive infections. As compared with your problems, the job of securing a brick bank building is easy, except that your budget-time examiners will continue to reflect a banker's mentality. That's why trying to get money for information security is tough.

In the preceding story, I explained that you must start the budget-pleading process by following the principle: "If you wish to justify it, you must be able to value it." I pointed out that the information security business is actually a peculiar form of an insurance business where the worth of the insured property must be set before you can start talking about the insurance premiums. That leads me directly to the next steps in the budget justification process: How do I explain the inherent risks I am supposed to protect against?

Step #3: Security risks from compromised hardware and communications

Chances are that the flinty-eye financial experts who must pass over your requests do not have much of an appreciation for the improvised characteristics of your server, modem, router, desktop, laptop and palm-top configurations when they are all strung together. Your inquisitors will find it incomprehensible to imagine all of the combinations of snafus that can occur when you make it possible for your consultants, customers, suppliers, temporary workers and workers-at-home (including their occasional surfing teenager) to plug into your network. The mentality you must overcome is one that still sees computer network security as something analogous to protecting a hard asset. The idea that all that you need is a fortress never goes away. It is very hard to get across that there are no fortresses where you can pile up your information assets. What you are trying to do is to protect tribes (sometimes wild) wandering through a jungle.

The last thing you should ever to do is try to "educate" your audience. By the time you get to your 60th slide your listeners' eyes will glaze over. The best you can accomplish is to extract token funding that is sufficient to shut you up.

My advice is that you should take everyone for an excursion through a listing of the latest security infractions. You must do this in the most gory detail possible, explaining for instance how one of the central routers, while under emergency maintenance by the vendor, left the president's e-mail naked to examination. After you do a few of more of such autopsies, preferably affecting the individuals in the room, everybody will get the message. To get your point fully across you can then cheerfully conclude that what you displayed was a poor sample because your information security spending is inadequate. Tell them that when you find five cockroaches in a basement you can be certain you may have hundreds!

My "cockroach" demonstration method always works, but is risky. It will be like spitting into a soup prepared by a gourmet cook who happens to be your cousin. Your position as a person of integrity, of independence and with good job security must be unquestionable. Under no circumstances can you pull this off if you report to anyone who may be accountable for the goofs that you have paraded before the moneybags. You will need partners who will share whatever you will be getting. Make sure that under the title of "security" there is also money for fancy new black boxes for those managers who can excuse their lapses by not having those.

Step #4: Security risks from compromised software

Trying to explain the security vulnerabilities of Microsoft NT is even more hopeless than trying to explain why only one modem in a huge network is sufficient for total corruption of everything. The simple fact is that software security risks are largely a matter of faulty design. They are largely committed errors, not mishaps. The widely accepted fiction about software failures is that they originate from unscrupulous and undesirable nerds from Mensa. These perpetrators prey on scout-like, well-meaning Joes trying to make a decent living as computer professionals, the best they know how. Nothing could be further from reality. It is the Joes, especially undisciplined programmers, software contractors and software vendors, who try to rush a software patch into a computer in order to fix something that does not work or to be able to collect for it, or both. If you get a chance to talk to hackers, they will tell you that their craft depends on exploiting known gaps in poorly constructed computer programs. Professional hackers exude with pride in showing off how the stupidities of their better-paid victims make their exploits feasible.

To secure the crumbling footings supporting your software shantytown requires funding that should not be peddled as "information security" but as "independently verifiable software engineering." Your principal effort should be to instill into your software sources the fear that their transgressions will be always noted and never forgotten. Your executive management should see you as the supreme Auditor that safeguards their shareholders' interests and not as just another short-tenure techie who speaks incomprehensiblese.

When it comes to budgets, you should realize that management rarely debates well thought out money requests from the Comptroller and the Auditor (or Inspector General). The designation for such classes of people is that they are "fiduciaries." Well, it will ease your budget-period pains if you can clothe your information security budget requests into such packaging.

For another installment of budget survival instructions, please tune in next month. December is hacker-month because kids are on vacation and nobody talks budget X-mas time!

For the next installment of budget survival instructions please tune in next month.
Last month's article is available at strassmann.com or searchsecurity.com.

About the author:

Paul A. Strassmann (paul@strassmann.com) has served as chief information systems executive started in 1957. Since his "retirement" in 1993, he has continued engagements in matters related to information security.