The Ins and Outs of Budgeting
Episode 222nd April 2019 • The New CISO • Steve Moore

Andrew Wild, CISO at QTS Data Centers, sits down with Steve Moore to talk about IT security budgets, the challenges of prioritizing resources to balance risk and the value of cooperation.

 

IT Security Budget

Managing an IT security budget isn't just about spreadsheets and internal procurement processes; it's about understanding your organization's business priorities. Add to that the management of the vendors and VARs with which you work. A CISO's focus is to protect the organization and measurably reduce risk, which often requires the acquisition of technology. However, those decisions aren't just about tech. There's a lot of management planning that must occur. The combination of transparency, forecasting and relationship building is good for business.

Challenges of Prioritizing Resources to Balance Risk

Anyone who aspires to a more senior leadership role in an organization needs to understand how things are budgeted, financed and paid for.

Look at the amount that was budgeted in previous years and what was actually spent. Sometimes that is a way to glean some insight into how well that role is functioning. In some cases, an organization may be growing so fast that your budget is continually being adjusted upward, which can be a great thing. A possible indicator of issues, either in execution or in having enough resources to execute, is when the amount that was budgeted exceeds the amount that was spent by a not insignificant margin. If you're not spending everything that you were allocated, that's an indication of a problem within the organization.

The Value of Cooperation

In the information security arena, there is very little that the information security team itself is able to accomplish without support across the organization. The infosec team is leading part of the effort, but there's always another team that's needed, whether it's the team that's racking the hardware, the team that's supporting you in the procurement process, or the legal team for contract reviews. You are, to a very large extent, dependent upon other organizations to be able to accomplish your mission.

It's important to try to learn how the procurement process works. What is the mechanism through which the value-added resellers (VARs) are selected? Do you have the ability to influence which VARs you will get to work with for your information security solutions and services?

It's not just about working within your organization, either. It's about how you work with both the vendors and the VARs. Be considerate of the fact that the vendors and VARs work on a forecasting model where they have to be able to predict, with some level of precision, when opportunities are going to close. Be up front and be transparent.

What is Being Forecasted?

In any kind of sales organization, the organization expects to know what kind of transactions are going to happen, what opportunities have been identified, and that there is a definite progression through the sales process, or the funnel as some people call it, where an opportunity for sales is identified: there's a need, and there's a solution developed. People depend upon being able to plan because that's how companies are able to better plan and meet their numbers, particularly if it is a publicly traded company.

What Makes a Good VAR?

A good VAR is someone that has likely either deployed the technology in their own environment or has deployed it in other customer environments, and knows the solution it sells. They're almost an extension of the company's sales engineering team. VARs will provide some very valuable information that you might not get working directly with the company itself.

A Better Relationship with Sales

Go talk to people outside your organization. It can be very inspiring and helpful. It can also potentially lead to new opportunities. If you don't interact with people, it's really hard to plan out your career, either to know what you're interested in or to become aware of potential opportunities. It's really about engaging with the larger part of the organization, recognizing that at some level, every member of the organization is a representative of that company and is in some way assisting the organization in achieving its goals, whether directly, through supporting the sales process, or through cost management, or by getting a project done on time or early.

Growth of the CISO Position

It's certainly getting bigger from a risk perspective. It's becoming a larger position because it's less focused on just implementing technology and more focused on managing business relationships and on identifying risk and guiding an organization through the navigation of risk management.

Resources:

Exabeam - Website

QTS Data Centers - Website

Steve Moore - LinkedIn

Andrew Wild - LinkedIn
