Money Matters. Why Involving Finance Is Vital to Beyond Zero Trust Program Success 

By VMware Director, Information Security Strategy, Craig Savage, and VMware Senior Program Manager, Eddie Eriksson 

This is the sixth in a blog series on Beyond Zero Trust 

When an organization decides to fund a Beyond Zero Trust (BZT) program, that money may come from multiple buckets. That’s why it’s important to have a variety of financial controls in place before moving forward.

First, establish one source of funding in finance. Our teams initially had three separate organizational program sponsors (funders) in the CIO, CSO (security), and VMware Engineering Services (VES) offices, and that created more delays and frustration than anticipated.  

Once a budget is established, put spend codes in place to monitor outflows, even the smallest amounts. Similarly, ensure all spend is tracked, including contractor time sheets, vendor costs (including license renewals), and associated financial expenditures. As a bonus, teams can realize significant savings by partnering with procurement, which often has staff skilled at negotiating deeper vendor discounts.

Naturally, it’s important to keep leadership apprised of spend status. BZT is a new way of thinking about enterprise cybersecurity, and transparency on all levels is crucial to its ongoing success. That can result in various forms of pushback, especially since there are territorial tendencies even in the finance function. Business units (BUs) want to protect their own budgets, and this presents a cultural challenge. They want to keep what budgets they can while not spending for spending’s sake. Some corporate cultures game the system, either by claiming budget needs when they’re not sure about them (in case they need the funds later) or by spending dollars on solutions that they haven’t thoroughly analyzed to ensure that what they’re procuring will actually meet requirements.

Your organization may also have a use-it-or-lose-it policy, so if you’re spending less than what’s budgeted, the success of the program could be jeopardized. Rather than lose those funds, it’s vital that project teams work with their finance analyst either to retain the budget allocated to them or to make appropriate monthly/quarterly updates so that original asks can be validated and, if needed, funds can be re-allocated.

Goes with the territory (or not) 

How do you eliminate territorial disputes and pushback in general?  

Assemble stakeholders up front and establish one budget, such as our internal One VMware, and decide what is best overall for the company, not a particular BU. This requires close working relationships with individual BUs to ensure clarity and a seamless process, especially around issues such as what is a one-time ask versus a run-rate ask, budget retention year-over-year, and advance notification (monthly/quarterly) if funds need to be re-allocated.

It is also vital to incorporate an influential executive sponsor who can guarantee and ‘maintain’ one budget. This results in less friction between BUs, fewer rushed decisions about purchasing, and tighter control over spending. 

Want to know more? Give us a call 

Introducing a new security program from scratch is a significant undertaking. That’s why we encourage you to contact your account team to schedule a briefing with us. No sales pitch, no marketing. Just straightforward peer conversations revolving around your company’s unique requirements. 

For more background on Zero Trust, check out these blogs on the topic.  
