How Audits Can Increase Infosec Budgets

Exposing Vulnerabilities Helps Justify Need for More Money

By , October 19, 2011.

Mike Brown and Amry Junaideen see audits as great tools to promote heftier IT security budgets, substantiating where dollars should be spent to safeguard an organization's information systems and assets. Brown and Junaideen, senior manager and federal cybersecurity leader, respectively, at Deloitte and Touche's federal technology practice, say in an interview with Information Security Media Group that audits can help persuade those who dispense funds to increase spending on IT security.

A former chief information security officer at the Federal Aviation Administration, Brown says he used audits from the inspector general and Government Accountability Office, independent assessments of where the FAA stood, to justify additional funding.

"We were really successful in using that kind of an approach to be able to increase funding not only to take care of our high vulnerability systems but also to start getting funding to address the moderate-level vulnerabilities," Brown says. "Even though they would find weaknesses in the program, for me it was a real benefit because I could take those independent assessments and reports, which then filtered up to OMB ... those things really helped to put in a budget justification requesting additional dollars."

Junaideen says the value of audits is that they make people, those controlling the purse strings, take notice. "People pay attention to (an audit) like people pay attention to scorecards. So, if you're appearing as an organization that basically has reds and yellows all over, it can actually help it with budget justifications."

In the interview about IT security budgeting in tough economic times, Brown and Junaideen emphasize:

  • Tying increased funding to the success of the organization's mission by reducing risk.
  • Educating non-IT managers and executives about IT security by explaining in business terms how the lack of increased IT security could adversely affect the business.
  • Not leaving anything to chance by creating an information risk management framework that shows the need for security to promote the organization's objectives.

Before his stint at the FAA, Brown served as the chief information officer at the Army National Guard. A retired Army colonel, he served as the director of the Army's information assurance office and oversaw the vulnerability analysis of all weapons systems that supported the service's first digitized force.

Amry has more than 20 years of experience serving a wide variety of multi-national clients and leading global teams on many risk management and information technology related projects. He has been a principal at Deloitte and Touche for more than a decade.

Follow Eric Chabrow on Twitter: @GovInfoSecurity
