Security Budgets and the Risk Tolerance Question

We’ve all been there. It’s annual budget time and we are told that belts are tightening and we have to cut costs. Where does the finance organization look first for savings and what is their risk tolerance? That’s right… to the functions within the organization who do not contribute directly to the bottom line.

So what’s a security professional to do when you are already operating a lean organization? You are protecting your company’s assets the best you can? And you still are being asked to perform better with fewer resources? In this article Rachelle Loyear discusses a few options for helping you meet the financial pressures of the organization while not going outside of the risk tolerances set by your management team.

Set Risk Tolerance?

Yes. Your Organization’s identified security risk tolerance. Step one in the security budget process is to understand that it’s really not your budget that finance is thinking of cutting. It’s not your risk that is going to be increased if activities that mitigate those risks are reduced. Both the risk and the budget belong to the entire enterprise. It is the business’ mission and goals that are at risk in this conversation. So before you can defend a security budget position, it’s critical that you understand and have some executive agreement on the level of risk the company is willing to accept.

In a previous blog post, I wrote about how best to communicate security risk to executives. In that article you will find some ideas for how to understand your company’s acceptable security risk profile. Once you have an understanding of which security incidents your company cares most about mitigating, and which resources they consider most critical to protect, you have the beginnings of the conversation about the required budget.

Avoid the knee-jerk reaction to “cut your budget”

Being told to “cut your budget by 20%” can be a shock to any functional leader. Our natural reaction is to deny the possibility. We tend to find ways to avoid the cut if possible. Instead of avoiding the cut, try saying “yes” and then seeing what you can do about it.

One workable approach is to say “Sure, let me see what I can do. I’ll get back to you in a couple of weeks”. Did you just promise finance you’d cut your budget by 20%? No. But you did clearly communicate that you will look into the request and find potential ways to meet that request. The willingness to engage in the exercise, and look into what can be done, sets you up in an active and engaged partnership to find savings. You should be mindful that the money being spent is being spent for a reason – to protect company-critical resources. You cannot simply reduce those protections without thought and examination, and agreement from the business executives who set the risk tolerance in the first place.

Who “owns” the risk exposure when security is cut?

The main reason that neither you nor the finance organization is in a position to agree to a cut in the security budget is that neither of you is the owner of the risk. The security risk is owned by the business owner of the resources that are going to be exposed to loss if the protections placed on them are altered. While it’s entirely possible that they might find the additional risk acceptable, they cannot be left out of this conversation. As the security expert that they rely on to manage their security risk, it’s critical that you engage those business owners in the conversation.

Tying your budget to resource protection and risk mitigation activities

With the assumption in place that you have already been working with your business partner on understanding their critical resources and their capacity to tolerate risk, there’s an exercise that you can do with your team that will help with the security budget discussion.

First, you need to understand all of the mitigating activities that are performed across the enterprise. You need to then to do an assessment of the risks they are mitigating. Following this you also need to be clear on what resources are being protected.

Next, ask the person in charge of that activity about what would happen to the level of risk to the resource if they were to cut the mitigation by 10%? >20%? 50%? At a 10% cut, can they still provide the same protections? At 20%? If not, what is missing? What is the exposure? At 50%? At what level do you reach the likelihood of an impact to the level of risk mitigation that you have agreed to with the business owner?

Risk tolerance and negotiating a budget

Once you and your team understand the potential impacts of cuts, it is time to engage the business owners. Engaging the owners allows you see if they feel the level of risk mitigation is acceptable to them. If the answer is yes (at any of the levels), that they, as the leader of the function that is exposed to the risk, are okay with the change in their risk profile, then making that cut to the budget is a business decision that you can report back to the financial team. Easy enough. If, however, they are not okay with it then you need to go back to the budget team to renegotiate. You then need to explain the need to either not cut, or reduce the requested amount of the cut. The business leader who can explain the real, tangible impacts to the business can then explain the reasoning(s).

When you take this approach, it allows you to show the finance team that you have “done your homework”. This approach also shows that you are being careful with the funds you are given on behalf of the organization. In reality it is your business partners, who are asking that the organization spend the money.

Most critically, though, in this situation, it is neither you nor the finance department who are making these business decisions about risk… it’s the impacted business leader.

The security budget decision / outcome

It’s important to note that this approach may or may not result in a budget cut. You and your business partner may find that leaders in the organization, understanding the potential impacts, still choose to ask for cuts. It may be that a different level of budget cut is made, leaving the mitigation plan reduced but still somewhat in place.

Even so, this is a more successful outcome for the security function, because the exercise has framed the discussion in business terms, and the expectations are set and have been communicated to all decision makers on the new level of risk exposure and expected potential impacts due to the lessened level of protection available. Why is this better? Ask a business leader… are they okay with risk? The answer will most likely be yes. Now ask them… are they okay with surprises? I bet you get a different answer. This approach to the security budget cut conversation ensures there are no surprises. It also informs all participants that there is no need for the “blame game”, if security is impacted.

About the Author: Rachelle Loyear

Rachelle Loyear is the VP of Integrated Security Solutions for G4S Americas. In this role, she leads the G4S Security rachelle-loyear-rothstein-publishingRisk Management and Integrated Practices management office, helping G4S customers take advantage the powerful risk management business approach as part of their holistic security programs. Rachelle has spent over a decade managing programs in corporate security organizations.

Focusing strongly on security risk management, she has been responsible for ensuring enterprise resilience in the face of many different types of risks, both physical and cyber. Rachelle is PMP, CISM, and MBCP certified. She is currently active in multiple security industry groups. Rachelle also volunteers as the program manager of the Enterprise Security Risk Management program management office at ASIS, International. Additionally, she is the author/co-author of three books in the security risk management subject area: Enterprise Security Risk Management: Concepts and Applications; The Manager’s Guide to Enterprise Security Risk Management: Essentials of Risk-Based Security; and The Manager’s Guide to Simple, Strategic, Service-Oriented Business Continuity.