Jarrod Loidl

Great post.

This approach works well when dealing with project-centric focused organisations where if you get in early enough you can add your quote to the project quote and obtain funding based on an initial scoping. Doubly so if you're using a (recognisable) security architecture framework to maximise control effectiveness and re-use.

I have worked in organisations like this. What I haven't seen is how you would leverage this approach across the entire enterprise and not just a project silo.

Too many organisations can get funding at the project level but not at the enterprise level.

Some "best practice" sources cite that IT Security teams should get 10% of the IT budget, but that just sounds a bit arbitrary to me. Clearly they should get SOMETHING - what and how much, however, is the point of debate.

How would you recommend dealing with this challenge (that is, moving to an enterprise view from a project view)? Do you push to get an annual budget, or do you just persist with project based funding?

This is a bit off the track of application security but clearly related all the same.


- Jarrod

