Comparison of Four Security Budget and Spending Strategies

1. Wait and see
Wait until a security incident occurs and then spend whatever amount is necessary to recover. For many businesses, this strategy of "wait and see" is not adopted consciously, but rather by default. Most security practitioners recoil at the very notion, because it suggests an implicit disregard of due care. But from an economic standpoint, it may be a rational strategy if the benefits of security technologies and processes are too difficult to measure. Some very advanced companies have consciously adopted what appears to be a similar approach, although they reach it through a very different route. These businesses have spent extensively on their security programs over several years. They have reached the point where they realize that spending funds on additional defensive measures will lead to only very small additional gains in security. These companies now focus their spending on their ability to recover from incidents, rather than trying to prevent them upfront. The number of businesses in this situation is probably a small fraction of all organizations. But there is an interesting similarity to how both ends of the spending spectrum focus on a reactive strategy, albeit for very different reasons.

2. Buy one of everything
This is the strategy of the completist, and it is more likely to be championed by a politician within the organization than by a technologist. It creates lots of noise and visibility, which is often the intended result: the manager has plenty of positive progress to report. Concrete systems installed, people trained, lots of activity that management should know about, and thus positive exposure for the security manager and the budget. Unfortunately, this strategy is predicated on the assumption that buying and deploying a "complete" suite of security tools will actually deliver operational security. Given our observations about the commercial security industry in Chapter 2, this is likely to be one of the most inefficient spending strategies an organization could employ.

3. Setting spending levels
The most widespread strategy today is probably to set the level of security spending according to external benchmarks or the advice of third parties such as analysts or consultants. If a research firm like Gartner says that the average security budget is between 6% and 7% of the overall IT budget, many companies simply follow suit and commit to that number in their budget. For the same reason that "no one gets fired for buying IBM," spending decisions made on the basis of external "experts" are politically defensible. That strategy has its place. For example, ensuring that your spending covers an externally provided checklist such as COBIT or ISO 17799 may be a helpful part of a defense in a lawsuit. Thoughtful organizations recognize that they can be more efficient by determining their own optimal level of security spending. The goal is to maintain a balance between underspending and going too far past the point of diseconomy, where each additional dollar spent on security provides a progressively smaller benefit. Accomplishing this balance requires objective data about which security measures are effective, based on real incidents. If such data were to become available, businesses could use it to set spending levels much more efficiently than by pegging security spending to a certain percentage of the IT budget simply because that's what everyone else does.

4. Project Valuation and Return on Investment
We now turn to traditional project valuation techniques as possible ways to determine how much to spend. One well-known technique is return on investment (ROI). It's easy to calculate: the gain from the investment, net of its cost, divided by that cost. Unfortunately, the methodology has many failings when used to evaluate possible projects. For example, it doesn't incorporate the chance that a project might fail, the time value of money, or the possible benefits of spending the money on something else. Net present value (NPV) and economic value added (EVA) are two techniques that are far more sophisticated and useful than ROI. Many security practitioners are happy to use ROI because it's easy to understand, but that doesn't mean it's right or even useful.

Generally a "return on investment" means how much money someone would make. Security practitioners typically turn this on its head and talk about the "return" from avoiding potential losses. They define the ROI of a security measure as the extent to which it reduces losses. Those losses are typically expressed as annualized loss expectancy (ALE): the expected number of loss events per year (the annualized rate of occurrence) multiplied by the expected cost of one event (the single loss expectancy). So, if a security incident would cost a business $1 million and has a probability of 0.4 of occurring in a given year, the ALE is $400,000. If a new security product that would stop that incident costs less than $400,000, the business "should" purchase it. This looks good on paper, but the approach doesn't stand much scrutiny. The problem today is that the probability of the loss event is very hard to predict, as is (to a lesser extent) the event's expected impact; a modest error in the probability estimate can flip the decision. This makes it hard to use ROI, NPV, or EVA for security.
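The following is an added example, not code from the original post or from any book it summarizes, that carries the ALE rule above into working Python: it computes ALE and the practitioners' loss-avoidance ROI, extends it to a multi-year NPV with a discount rate, and sweeps the event probability to find the break-even point at which the buy/no-buy decision flips. The $1 million loss and p = 0.4 come from the text; the $350,000 control price, the 3-year horizon, the 10% discount rate and the `effectiveness` parameter are assumptions constructed for the example.

```python
# Added example, not part of the original post: annualized loss expectancy (ALE),
# loss-avoidance "security ROI", NPV of a control, and a sweep over the event
# probability showing where the "should buy" decision flips. All figures are
# constructed; the scenario numbers ($1M loss, p = 0.4) come from the text above.
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    loss_cost: float    # single loss expectancy (SLE): cost of one event, dollars
    probability: float  # annualized rate of occurrence (ARO): expected events per year


def ale(s: Scenario) -> float:
    """Annualized loss expectancy: ARO * SLE."""
    return s.probability * s.loss_cost


def annual_saving(s: Scenario, effectiveness: float) -> float:
    """Loss avoided per year by a control that removes `effectiveness` (0..1)
    of the risk; effectiveness=1.0 is the text's 'stops the incident'."""
    if not 0.0 <= effectiveness <= 1.0:
        raise ValueError("effectiveness must be in [0, 1]")
    return ale(s) * effectiveness


def rosi(s: Scenario, control_cost: float, effectiveness: float = 1.0) -> float:
    """'Security ROI' as practitioners use it: (loss avoided - cost) / cost."""
    return (annual_saving(s, effectiveness) - control_cost) / control_cost


def npv(s: Scenario, control_cost: float, years: int, rate: float,
        effectiveness: float = 1.0) -> float:
    """NPV of a one-off purchase whose saving recurs each year, discounted at `rate`."""
    saving = annual_saving(s, effectiveness)
    return -control_cost + sum(saving / (1.0 + rate) ** t for t in range(1, years + 1))


def should_buy(s: Scenario, control_cost: float, effectiveness: float = 1.0) -> bool:
    """The one-year rule from the text: buy if the loss avoided covers the control's cost."""
    return annual_saving(s, effectiveness) >= control_cost


def break_even_probability(loss_cost: float, control_cost: float,
                           effectiveness: float = 1.0) -> float:
    """Probability at which the one-year rule is indifferent: cost / (SLE * effectiveness).
    If the error bar on the probability estimate straddles this value, the decision is unstable."""
    return control_cost / (loss_cost * effectiveness)


def sensitivity(loss_cost: float, control_cost: float, probs, effectiveness: float = 1.0):
    """Map each candidate probability to the buy/no-buy decision it implies."""
    return {p: should_buy(Scenario(loss_cost, p), control_cost, effectiveness) for p in probs}


if __name__ == "__main__":
    incident = Scenario(loss_cost=1_000_000, probability=0.4)
    control = 350_000  # hypothetical control price, constructed for the example
    print(f"ALE: ${ale(incident):,.0f}")
    print(f"ROSI (1 yr): {rosi(incident, control):.2%}")
    print(f"NPV (3 yrs @ 10%): ${npv(incident, control, years=3, rate=0.10):,.0f}")
    print(f"break-even p: {break_even_probability(1_000_000, control):.2f}")
    for p, buy in sensitivity(1_000_000, control, [0.2, 0.3, 0.4, 0.5]).items():
        print(f"p={p:.2f}: {'buy' if buy else 'do not buy'}")
```

The sweep is the point: with the constructed $350,000 control, the decision flips at p = 0.35, so an analyst who can only say "somewhere between 0.3 and 0.4" cannot use the rule at all, which is exactly the weakness the paragraph describes. Extending the same numbers to a three-year NPV does not rescue the method, because the uncertain probability still dominates every term.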

Trackback URL for this post:

http://www.securitycompliances.com/trackback/11
