Budgets are integral to every business. The start up’s business plan has to include budgets and the multinational will have an entire finance unit geared around making sure that every year the numbers are crunched, and budgets allocated.
At a very fundamental level, a budget allows businesses to grow. It allows them to develop without going bankrupt. It mitigates the risks from excessive or wayward employees. Possibly most importantly, budgets can limit financial exposure and ensure that the company can continue to pay dividends.
This is good. This is all good.
This is also essential for business security. Without defined budgets, it is impossible for a company to even know if it is overspending, or taking too much risk, and this seriously undermines security.
Unfortunately budgets frequently develop a life of their own. As organisations grow, so does the budget and so does the complexity. This is where, suddenly, your budget strategy can start to work against you.
For start ups, it isn’t a problem. Most of the time, the financial data will be theoretical and simple. The budget is there to get funding and it is all controlled by one business.
As businesses get bigger, one of the first changes which happens is creating different “business units” or budget categories. This can be hidden under lots of different names (cost centre, billing unit etc), but the effect is the same.
It is easy to see why businesses do this. Having separate budgets for separate functions helps focus spending. It also helps identify weak / strong parts of the business.
The problem is that security is all encompassing but organisations create “security” budgets. This can create a major risk.
When budgets create risk – cutting costs
For most managers with budget responsibility, certain mindsets evolve:
- Budgets should be reduced whenever possible, often every year.
- Any budget not spent is lost in subsequent years.
- Subordinates who come in under-budget get rewarded (but the budget is reduced each year).
- Subordinates who increase budget are penalised.
In very basic terms, this makes sense. The idea is that it increases efficiency and rewards innovation. These are good traits.
It also means that business units become very focussed on what “rewards” them specifically and what they have to pay for. This is still good.
Where it goes wrong is when one cost centre realises it can cut costs because any impact will be carried elsewhere. This is a double-whammy for the business itself, not only will the impact be felt somewhere, but the person leading to this gets rewarded.
As mentioned before, security is really everyone’s business but gets parcelled off into its own department. Oddly, IT Security seems to be the worst affected by this, frequently seen as an unwanted part of IT rather than an essential business enabler.
By creating departmental budgets, your organisation may be unwittingly encouraging people to undermine security. Is this really what you want?
Security-damaging budgets – case study
In the last two months, Halkyn Consulting has worked with two organisations who have suffered from this. Both encountered costly security issues which arose from the application of discrete budgets. Both had very good security teams, who we assisted in developing improvements. Both could have saved significant amounts of money by not cutting budgets earlier on. Both rewarded the personnel responsible for the savings but had no mechanism to hold them accountable for the costs.
Just to reiterate: Both companies implemented “savings” which led to the overall organisation losing significantly more than they saved.
To explain this, we will use one of the clients as a case study into how budgets can bite.
Case Study: National business services provider.
Our client had a well developed IT infrastructure supporting 24 office locations across the country, a single data centre and a large field sales team. The sales team were entirely reliant on portable devices. The organisation took its security seriously and has a well resourced IT Security team. All is good so far.
The cost of purchasing mobile devices was taken from the regional sales teams budgets. The cost of responding to security incidents was taken from IT Security. The cost of managing security infrastructure was taken from IT Security.
About 24 months ago, a well meaning sales executive saw a way to reduce costs. The sales teams were purchasing “approved” devices which were built to meet the IT Security requirements. It turned out to be a lot cheaper to let users bring their own devices (BYOD) or purchase more basic ones off the shelf.
In all, the sales executive shaved approximately £150,000 off the costs of purchasing assets. This aligned to a major move towards mobile technology and data sharing applications.
The problem was that now, the IT Security team had little or no control over what was happening. Worse than that, the IT Security team had no knowledge of what was happening. The move to BYOD was done in such a way that monitoring was removed and after the first wave of new devices, no one even thought to engage the IT people.
After a few months problems started to occur. Malware was on the rise. Users were falling victim to phishing attacks. Devices containing commercially sensitive data were lost.
In hindsight, the increase security costs in responding to these incidents was assessed to be £170,000 in the first twelve months alone.
Then a pretty nasty bit of malware hit. One of the field sales team was hit with malware. This then sent emails to everyone in his address book and the vast majority of users became infected and started sending outbound spam. Now, the field sales team were, in effect acting as a massive criminal botnet. More than a few users were then hit with ransomware and critical data was encrypted. As a final nail, only now it was discovered that the users with trendy BYOD devices didn’t have centrally managed backups and the data was irretrievably lost.
The final assessment was that in the 24 month period, security incidents had cost the company a total of £385,000 in direct costs and an unknown amount of lost sales.
Because of the company structure, however, the costs were carried by the IT Security department and the savings were carried by the field sales department. The executive who led this change was rewarded with a large bonus 18 months ago and left the company 12 months ago.
The bottom line? The sales executive was rewarded for losing the company over £235,000 simply because the budget structure made it initially look like a saving.