A view on security budgeting

There’s a lot of discussion out in the blogs about security budgeting. Mike Rothman compares security budgeting to “black magic”, while Gunnar Peterson discusses a more practical (for most) alignment of security budget with the IT budget.

I’m not sure that you could really prove that either approach is wrong or right. There are also lots of statistics to read about the percentage of the IT budget that is spent on security as if this is also a useful benchmark for us to gauge our own expentidure. John Pescatore, at the recent Gartner Security Summit, suggested “that the average organisation spends 5% of its IT budget on security” but that most have difficulty being able to justify why.

I usually talk about “cost effective controls” within my own organisation. This means implementing controls that meet the risks that are applicable to the business. If there is a high loss impact potential then the business must budget and spend accordingly. If there is low or no loss impact potential then spend less. The start point has to be a risk modelling exercise: identify the risks, evaluate the impacts.

The difficulty in applying ROI calculations to information security investment decisions is one cause of the difficulties we face in this area. I challenge you to prove on paper that the 20k you are about to spend on a new IPS device is really going to be worth the money in investment terms. What about if we consider the investment from another perspective and think about the attackers “return on attack.” In other words, is is worthwhile for somebody to attempt to breach your security. Will they achieve financial gain from doing so, and are they likely to be caught? In my opinion, if the answers to those two questions are “yes” and “No” then you must buy the controls. If not then question why you really need to have the control or spend so much.

An interesting exercise once you have completed the risk model is to compare your existing expenditure across each of the categories of risk. You might be surprised to find, as I was, that those categories with the potential highest loss impact are not always the ones attracting the highest expenditure: sometimes the exact reverse. Somewhat less surprising is that technical controls are the ones usually considered to be most important to implement whilst people and process based controls – security awareness and training in particular – attract least investment even though they can have a big impact on mitigating risk. For example – spending 20k on training developers might mean you don’t end up with vulnerabilities you’d otherwise need to spend 25k on for an application firewall (plus the FTE you’d need to manage it).

Bottom line in my book is that security priorities must shadow the business strategy. If you want to build a case for more money and controls then understand where your business wants to go.