Security managers often have a difficult time getting budget money for security controls during times of economic health, but in a downturn that puts financial pressure in some industry sectors, security budgets can literally dry up. This may be especially true in organizations that were releasing funds for spending on security controls based upon qualitative justification.

If you’re in this situation, maybe it’s time to switch to a risk-based model for making decisions on where to best spend money on security.

This approach requires that an organization adopt a risk management and risk analysis methodology and use it to perform a detailed risk analysis for any given situation. A risk analysis methodology enables a security manager to precisely identify the threats, vulnerabilities, and risks in a specific situation or setting, which leads to a clearer understanding of those risks and of what can be done to reduce them.
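As an added illustration, not part of the original post, the following Python model shows the kind of comparison a risk-based spending decision rests on: each candidate control is scored by how much annualized loss it removes relative to what it costs, so management sees the alternatives side by side. It assumes a standard annualized loss expectancy (ALE) calculation (SLE = asset value × exposure factor; ALE = SLE × annual rate of occurrence), which the post itself does not prescribe; all asset values, incident rates, and control costs are constructed sample figures.

```python
"""Rank candidate security controls by the annualized loss they remove.

Assumed model (a common quantitative approach, not one the post prescribes):
  SLE = asset_value * exposure_factor
  ALE = SLE * aro                     (aro = expected incidents per year)
A control lowers the ARO and/or the exposure factor; its net benefit is the
ALE it removes minus its annual cost. Every number below is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # dollar impact if the asset were fully lost
    exposure_factor: float  # fraction of asset value lost per incident (0..1)
    aro: float              # expected incidents per year

    @property
    def ale(self) -> float:
        return self.asset_value * self.exposure_factor * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    risk: str               # name of the Risk this control mitigates
    annual_cost: float      # total yearly cost (licences, staff, maintenance)
    aro_reduction: float    # fraction of the ARO removed (0..1)
    ef_reduction: float = 0.0  # fraction of the exposure factor removed (0..1)


# Constructed sample risk register (hypothetical organization).
RISKS = [
    Risk("Customer database breach", 2_000_000, 0.25, 0.1),
    Risk("Ransomware on file servers", 800_000, 0.50, 0.5),
    Risk("Public web site defacement", 50_000, 0.20, 2.0),
]

# Constructed candidate controls, one per risk.
CONTROLS = [
    Control("DB encryption + access monitoring", "Customer database breach", 30_000, 0.5),
    Control("Offline backups + EDR", "Ransomware on file servers", 60_000, 0.6, 0.5),
    Control("WAF managed service", "Public web site defacement", 12_000, 0.75),
]


def residual_ale(risk: Risk, control: Control) -> float:
    """ALE that remains once the control is in place."""
    new_aro = risk.aro * (1.0 - control.aro_reduction)
    new_ef = risk.exposure_factor * (1.0 - control.ef_reduction)
    return risk.asset_value * new_ef * new_aro


def evaluate(risks, controls):
    """Score each control and return rows sorted by net benefit, best first."""
    by_name = {r.name: r for r in risks}
    rows = []
    for c in controls:
        r = by_name[c.risk]
        before, after = r.ale, residual_ale(r, c)
        reduction = before - after
        net = reduction - c.annual_cost
        rows.append({
            "control": c.name,
            "risk": r.name,
            "annual_cost": c.annual_cost,
            "ale_before": before,
            "ale_after": after,
            "risk_reduction": reduction,
            "net_benefit": net,
            # return on security investment: benefit per dollar spent
            "rosi": net / c.annual_cost if c.annual_cost else float("inf"),
        })
    rows.sort(key=lambda row: row["net_benefit"], reverse=True)
    return rows


def select_within_budget(rows, budget: float):
    """Greedily fund controls with positive net benefit until the budget is spent.

    Returns (list of funded control names, total spent). Controls whose
    net benefit is negative are never funded, however cheap they are.
    """
    funded, spent = [], 0.0
    for row in rows:
        if row["net_benefit"] <= 0:
            continue
        if spent + row["annual_cost"] <= budget:
            funded.append(row["control"])
            spent += row["annual_cost"]
    return funded, spent


if __name__ == "__main__":
    table = evaluate(RISKS, CONTROLS)
    for row in table:
        print(f"{row['control']:<36} cost {row['annual_cost']:>9,.0f}  "
              f"ALE {row['ale_before']:>9,.0f} -> {row['ale_after']:>9,.0f}  "
              f"net {row['net_benefit']:>+9,.0f}  ROSI {row['rosi']:+.2f}")
    print("Fund with $70,000:", select_within_budget(table, 70_000))
```

Running the block prints each control's before/after ALE, net benefit and ROSI, then the set a fixed budget would fund. In the constructed figures the database control removes less loss than it costs, so it drops out of the funded list even though the breach it addresses sounds the most alarming; that is exactly the kind of finding a qualitative justification tends to hide and a risk-based model makes explicit.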

In the end, it’s middle or senior management’s job to make spending decisions. As risk managers, we can help decision-makers make more informed decisions based upon identified risks and potential remedies to those risks.

If a decision-maker still says “no”, do not consider this a failure. It is a risk manager’s job to help management make informed decisions. As long as the risk manager provides the facts, including the alternatives in a risk situation, then the risk manager has done his or her job. It is the decision-maker’s job to make risk decisions. Whether we agree with those decisions may be the basis for much professional discussion – if it’s not our decision, it’s not our decision.

The consolation for the risk manager is that risk-based spending at least puts money where it’s needed the most.

Sources for information on risk analysis and risk management:

NIST 800-30, Risk Management Guide for Information Technology Systems

OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation)

FRAP (Facilitated Risk Analysis Process)