A keynote panel session at InfoSecurity Europe has attempted to tackle the thorny issue of budget cuts on IT security spending. Cliff Saran reports.
Paul Simmonds (pictured), a board member, of the IT security group Jericho Forum, and former CISO of ICI and AstraZeneca, hosted a panel on the economics of security. Opening up the debate, Simmonds said, "In the late 80s, AV costs came out of my budget - it is part of the PC build. The challenge is how we communicate value of the disparate parts."
Simmonds explained how at a recent meeting of the IT directors' group Corporate IT Forum with, almost everyone who said they used intrusion detection systems admitted they had deployed the IDS on the external side of the firewall, which gave great statistics, which presumably justified the cost. He said, "This is actually a very unprofessional way to run security."
In answer to the question of how one could cut 30% of IT security spend, panel member, Matt Holland, head of information security, NSPCC, "In terms of CapEx we have moved a lot of our IT security into projected. If it were one year, I would cut down on improvement and focus on compliance."
Peter Gibbons, head of information security, Network Rail, said, "If it was Opex I would focus on business as usual - days to day activity - and cut out IT spend where possible. You are trying to quantify selling something that makes someone feel better. We cannot rely on fear. My aim is to get good quality information on how much we really spend on IT security."
Tom Whipp, head of security, govenance and IT compliance at financial services broker, The Oval Group, "There would really be two options - either cut people or managed services. The choice is about whether I'm being asked to lose 30% for one year, or 30% for five years."
If it was just for a year, Whipp said he could rationalise some of the managed services and be able to deliver an IT security service - albeit with less quality. Generally, the panellist felt a return on investment figure would be needed in order to discuss IT security spending cuts.
Whipp said, "There is no need to cost everything to the last penny, but if you can show how a particular incident was handled, then you put a cost on that incident.
"This cost can then be weighed against the security technology required to protect against the incident."