Report Launch: Security Managers lack influence over the security budget; and how to remedy that
Today the latest report from the Security Research Initiative is published – ‘The role of security in influencing the budget’.
The aim of the research was to explore the extent to which security managers are able to influence the security budget, whether and why this matters, and how greater influence can be attained. It is based on the views of security professionals from both in-house and contract positions (predominantly those currently in a ‘security manager/director’ type role), collected via an online survey and in-depth interviews.
- 76% agreed that being able to influence the budget is key to delivering good security.
- Influence over the budget was considered important for several reasons including: giving status to security in discussions with other departments enabling security advice and proposals to commonly be listened to; and being able to direct the allocation of resources using relevant expertise.
- A lack of influence meant that security managers could not: purchase basic and essential resources; plan effectively; and resulted in security decisions being made by non-security experts.
- 51% of respondents in a current security management role had a high level of influence on the budget; 10% were ‘not involved’.
- 46% of security managers/directors thought that their current budget was ‘insufficient’ (42% thought it was ‘sufficient’). Unsurprisingly, those with the highest levels of influence over the budget were the least likely to view it to be insufficient.
- Reasons for the budget being considered less than required included: the budget allocated did not reflect the risks faced; and did not cover key areas such as training, travel, basic equipment, contingencies; teams were understaffed; rising costs not covered; and being asked to provide more for less.
- The chances of being allocated an appropriate budget was improved if: the security function was seen as core to business (86% agreed); an organisation understands its security threats and risks (85% agreed); the security team has a high status (83% agreed).
Research participants highlighted a number of ways in which security managers can become influential for example: relating security spend to reducing business risks and improving operations; highlighting the dangers and risks in not meeting objectives; ensuring the risk owner understands and accepts the implications/risks; using data and ensuring arguments are evidence based; and by linking physical security spend to cyber security (where this is viewed as a greater priority attracting a bigger budget).
Overall, the work underlines the importance to security professionals in being able to influence the budget, and the barriers in being able to do so effectively.
Professor Martin Gill who led the research noted:
‘Based on our sample, it is striking that so many security managers do not have the desired level of influence over the security budget, and that so many consider their current budget to be inadequate, especially given that having influence was widely considered to be key to delivering good security. In the current climate of economic uncertainty, recruitment challenges, cost of living increases, and budget cuts, the advice offered by our sample should be heeded.’
The report is available to download here
The SRI members that sponsored this piece of research were: