“These budget items were defined and justified, but ultimately were an increase from the previous year so they were removed from the plan,” the CISO says. “After numerous meetings and explanations, I was able to get agreement to the increase in spending. Even with the proper justification, it is critical for CISOs to help educate the senior leadership on security trends, funding, regulatory issues, etc.”
When it comes to the use of resources such as people and capital, CISOs and CSOs are competing with other business leaders who have different drivers and incentives, Barton says.
“It’s imperative for the CISO community to partner with those business leaders to help them understand the correlation between the spend on information security and how it enables the other business leaders to create, implement and deploy their initiatives in a secure fashion,” Barton says.
With the ongoing shortage of experienced security personnel at many organizations, disagreements over staffing issues are likely to be a continuing source of contention.
“Too many companies make [capital spending] an easy part and make significant investments in new technologies,” says Michael Cook, senior security consultant at GuidePoint Security. “But [they] fail to make the corresponding investments in people, and developing the associated processes to utilize the technology, whether it's monitoring, analysis, investigation, research or security program development.”
The result is that the capital investment is significantly under-utilized, Cook says. “Companies that are hamstrung in their compensation structure can't get the appropriately qualified people, and end up either doing without adequate staffing, or hiring people who aren't quite appropriate for the role and needs of the security department.”
Cook has seen security directors go back and forth with human resources and compensation officers and get salary ranges increased once or twice, but still not to market level. Then they are told that nothing more can be done and they give up the fight.
“They end up working with what they have been given, and recruiting people in that compensation range,” Cook says. “I can't emphasize enough how this negatively impacts process, and the quest towards security maturity.”