To hear some IT security managers tell it, getting money to support security programs is always tough. And in ugly economic times such as these, it is doubly difficult, as painful an endeavor as holding up the earth was for the mythical god Atlas. Some infosec professionals, on the other hand, take a more pragmatic line. They contend that if you can show real business benefits from security programs, then you are far more likely to get the money to fund them. While the viewpoint to tie security projects with company objectives makes a great deal of sense in a world where more business is done via the internet and loads of information is stored on networks, the process of revealing security benefits to C-level executives takes much planning and finesse. Throwing arbitrary statistics about the occurrence of virus attacks or breaches at CEOs or CFOs, without showing how these might affect the business directly, is simply an ineffective way to gain money for various and sundry security projects, say experts. The 'fear, uncertainty and doubt' tactic, better known as the FUD argument, just will not fly in today's financially constrained organizations. "A CEO's focus is not security, it is ensuring that they get the best for their stakeholders, and often that comes down to the bottom line," says Gary Clark, European head of sales and marketing for Rainbow Technologies. "This means that expensive deployments to ensure the security of the company could well be curtailed at the board/ CEO level, as they see the security measures that they [already] have in place as adequate."
展开▼