According to recent research, less than 40% of survey respondents believe their organizations effectively base... their security expenditures on applicable risks. My question is this: how much security spending should be based on risk, and how does an organization go about realigning its spending if needed?
One of the major differences between an attacker and a corporate defender of information security is the way they allocate resources. An attacker isn't limited by the need to propose expenditures that may take place a year into the future; they can wait to find a particular vulnerability and then dynamically allocate resources to exploit it. The corporate defender is confined to predictive annual budgets that get distorted by other political agendas not usually focused on risk. This lack of risk-based spending is reflected in the 2014 US State of Cybercrime Survey, which leads to the conclusion that "spending with a misaligned strategy isn't smart."
There are several underlying causes of a misaligned strategy that need to be addressed. The most frequent cause that I have observed is a lack of separation between IT and IT security. In this scenario, the security team proposes budgets to address risks to the environment, and IT management, which has its own agenda, overrides them. Budgetary items that don't necessarily address security risks then take priority, because IT management uses security hype to get them approved. An organization that wants to realign its security strategy based on risk will need to segregate the IT and IT security budgets and enforce separation of duties.
Another factor contributing to the lack of risk-based spending is untrained information security team members. Many companies have promoted IT technicians into open IT security positions without any additional training. These technicians may have been great network engineers, but they do not necessarily understand the concepts of risk and information security strategy. They stay in their comfort zone and budget based on their previous technical competencies, or they follow the lead of IT management. An organization that wants to realign its security strategy based on risk must provide the necessary training for these technicians or hire security professionals from outside the organization.
I would recommend that approximately 75% of the IT security budget be based on risks to the organization, leaving the remaining 25% for unforeseen changes in the threat environment. The CISO should revisit these risks at least quarterly and make the necessary adjustments to the strategy throughout the year. This requires a strong understanding of organizational risks that can only be developed through the discipline of monitoring and logging.
An organization that wants to realign its security strategy with its risks must address several issues. The first is to segregate the budgets and control between IT and IT security by enforcing segregation of duties. The second is to train existing IT technicians or hire new security professionals from outside the organization. This will start the organization down the path to building a strategy in which 75% of the budget is based on organizational risk.
Ask the Expert
Related Q&A from Joseph Granneman