How to get your share of the budget for your IT security needs
- Author: Mike Vandiver, Chief Financial Officer
As the CFO of an IT security company, it’s been my experience that many IT professionals don’t get the money they want to secure their system for one simple reason: they haven’t learned to communicate effectively with their CFO. To solve that problem, I share with my own staff seven simple rules that I’ve learned smooth the budget process for both sides. You’ll find among them insights about what I look for in a budget, what makes me say no, and what makes me open my candy jar. You’ll also find that if you follow these rules, you will--more often than not--get your share of the budget for your IT needs.
Rule #1: Communicate early and often
If you know you’re going to have a need in the coming months, tell me now. I am constantly budgeting, and maintain a detailed 12-month rolling forecast that I update every month. If you let me know your upcoming needs in advance, you can take advantage of the process.
How early? For major purchases, let me know six months prior to the cycle; for less important expenditures, give me one or two months' notice. Provide quarterly updates when possible, and remember: persistence is important. I may deny your initial request, but if you come back with more information, I’ll know you’re serious and will be more likely to listen.
Rule #2: Speak the language
Try not to sound like a computer manual or an auditor’s handbook when you talk to me. If I walked into your office and started talking about NPV, quick ratios, or double-declining balances, you’d look at me like I was out of my mind. Save the conversations about phishing, patching, sniffing, spamming, and spoofing for your staff--and when possible, avoid technical acronyms. Translate the technical requirements of security into the business risk you are addressing and express your goals in business language: assets, vulnerabilities, risks, and ROI.
Rule #3: Know the business situation
Some IT managers take last year’s budget and make it the basis of next year’s proposal. But times change, and so should budgets. Before you make a request, know the situation we’re operating under. When times are good, I’m more likely to spend money on those things that would be nice to have, but aren’t necessities. But if times are tough, don’t show me a 7-item budget request list with only two must-have items. I won’t look at the list, and you won’t even get the two items you needed.
Knowing the business situation also means taking into account external (non-IT) forces that can affect your decision:
- Market penetration plans
- Changing industry practices or regulations
- Contractual obligations
- Existing organizational policies
Rule #4: Be a straight shooter
It’s essential that I trust you with budget requests. A budget is a framework for spending; it’s not a checkbook. Cushion destroys your credibility. A person who is notorious for budgeting double the amount of what she really needs puts the bank’s financial decision-maker in a corner. Submit a realistic budget and communicate any “gotchas” to me in advance so we can work together to build in contingencies.
Rule #5: Pass the weight test - be prepared
I look for evidence that you’ve done your homework before you’ve submitted a request.
- Get your numbers straight. Nothing destroys credibility faster than details that just don’t add up.
- Justify the decision. Identify those factors (e.g., price, functionality, SAS 70 ability) that led you to choose the recommended solution.
- Include ROI. Determining ROI can be difficult, especially when dealing with IT and IT security. But it is possible—if you calculate the cost of any security breaches you’ve had in the past year.
  - Calculate time spent repairing the problem
  - Translate internal time lost to cost of hourly wages and benefits
  - Estimate impact of network downtime
  - Consider customer impact, including business lost
Rule #6: Don’t create surprises--not even good ones.
What keeps me awake at night is the fear of failing to control the business. Frequent surprises are a sign of poor planning or poor execution. Bad surprises mean someone didn’t do his job; good surprises mean someone didn’t plan properly. I rely on the forecasts of my salespeople for many of my decisions, and if those numbers are off—even in a positive way—it wreaks havoc with the budget. It also shows me they’re not handling the business properly. If you see changes (whether good or bad) down the road, adjust your forecasts accordingly.
Rule #7: Wear your company hat.
Know your objectives, and understand how they fit into corporate objectives. If you don’t know, go ask! You’re doing yourself and your organization a disservice otherwise. And finally, as has often been said, try to spend company money like it’s your own.
In the end, you may not win all of the budget battles if you follow the rules, but you’ll win most of them. CFOs and IT managers live in different worlds: yours is one of many 0’s and 1’s, while mine is a world of 1’s and (hopefully) many 0’s. But those who are able to bridge that gap are more frequently the ones who get their share of the budget at approval time.