A while back, Dan Geer posed the following questions:
How secure am I? Am I better than this time last year? Am I spending the right amount of $$? How do I compare to my peers? What risk transfer options do I have?
Dan asserted, and I agree, that these are perfectly reasonable questions for senior management to ask; virtually any part of a business can provide some enlightenment on them, the exception being infosec, which has virtually no way to answer any of them today.
So anyway, following up on Mike Rothman's tip on surviving budget season, let's drill down on the question - Am I spending the right amount of $? And, for the $ I have, am I spending it on the right things?
Let's assume you have a fictional infosec budget of $100; where should you focus your spend? One good thing about budget numbers is that they are generally readily available. This is an exercise I have done for a number of clients; it can be done by an outside consultant even in a very large organization in about two weeks, and an employee who knows where to look can probably get it done in half that.
One thing I learned from Pete Lindstrom is that an asset can be valued as being worth "no less than what you pay to develop, own, and operate it." Hopefully it is worth more (if you like profits) but it is worth at least what you paid for it. This is the floor.
Now to apply the budget to layers that are useful to security, we will break up the overall IT budget into Network spend (what do you spend to operate your network), Host spend (sys admin, OS, licenses, and so on), Application spend (what do you spend on app dev, app servers, and so on), and Data spend (DBAs, database licenses, and so on). Let's assume ABC Ice Cream Co spends the following:
Network 2,000,000
Host 8,000,000
Applications 32,000,000
Data 12,000,000
It sure looks to me like the business values - apps, data, hosts, and network - in that order. Again these are big numbers, but big companies are good at some things - one of these things is assigning spend and cost centers, so for decision support purposes you can find "good enough" numbers in a relatively short amount of time. Now let's look at the same categories for IT security spend - network security (firewall, IDS, and so on), host security (VM, hardening, and so on), app security (static analysis, SDLC, web services security, and so on), and data security (XML security, data encryption, backups, and so on).
IT Security Budget
Network 750,000
Host 400,000
Applications 250,000
Data 100,000
It looks to me like IT security thinks the most important areas are - network, host, apps, and data - in that order. We can compare these two budget priorities thusly:
Now there are a couple of possible takeaways here. One is that the People's Republic of IT Security is just waaaayyyy smarter than the business folks; if we just gave IT Security control over all business strategy the stock price would go right to $120. Another view is that IT Security is completely out of alignment with how and where the business invests its dollars. Run the numbers using the above breakdowns on your organization and see what you come up with. These are fictional, but I bet the priorities are pretty similar in your shop.
Now I am not in any way suggesting that IT Security just parrot back and copy the budget percentage spends, but what I am saying is that 1) there should be some alignment of priorities and 2) the alignment should be the starting point of IT Security investment instead of "hey we have all these network security licenses/people/devices". The starting point is aligning security investment with the business and assets, not investing in network security because that was a good idea in 1997 and hey that's how we've always done it - doing so is pure budget cruft.
So if we rebalance the IT Security spend we can arrive at something that reflects IT Security's competencies and aligns better with what the business values.
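A worked version of the comparison and rebalancing above, added here as an example and not from the original post. It uses the fictional ABC Ice Cream Co figures; the rebalancing rule (spread the existing security total across layers in the same proportions as the business's IT spend) is a simple illustrative starting point, not the author's prescription.

```python
"""Compare where the business puts its IT dollars with where the security
budget goes, layer by layer, then rebalance the security budget so it is
proportional to what the business values."""

# Figures from the post's fictional ABC Ice Cream Co example (dollars).
IT_SPEND = {"network": 2_000_000, "host": 8_000_000,
            "applications": 32_000_000, "data": 12_000_000}
SECURITY_SPEND = {"network": 750_000, "host": 400_000,
                  "applications": 250_000, "data": 100_000}


def shares(budget):
    """Each layer's share of the budget total, as a fraction of 1."""
    total = sum(budget.values())
    return {layer: amount / total for layer, amount in budget.items()}


def coverage(it_spend, security_spend):
    """Security dollars per asset dollar, per layer: how much of each
    layer's floor value (what you paid to build and run it) is spent
    protecting it."""
    return {layer: security_spend[layer] / it_spend[layer] for layer in it_spend}


def rebalance(it_spend, security_spend):
    """Illustrative rule: keep the security total, but split it across
    layers in the same proportions as the business's own IT spend."""
    total = sum(security_spend.values())
    return {layer: total * share for layer, share in shares(it_spend).items()}


def priority_order(budget):
    """Layers ranked from largest to smallest spend."""
    return sorted(budget, key=budget.get, reverse=True)


if __name__ == "__main__":
    it_share, sec_share = shares(IT_SPEND), shares(SECURITY_SPEND)
    cov = coverage(IT_SPEND, SECURITY_SPEND)
    new = rebalance(IT_SPEND, SECURITY_SPEND)
    print(f"{'layer':<13}{'IT %':>8}{'Sec %':>8}{'Sec/IT':>9}{'Rebalanced':>13}")
    for layer in IT_SPEND:
        print(f"{layer:<13}{it_share[layer]:>8.1%}{sec_share[layer]:>8.1%}"
              f"{cov[layer]:>9.1%}{new[layer]:>13,.0f}")
    print("business priority:", priority_order(IT_SPEND))
    print("security priority:", priority_order(SECURITY_SPEND))
```

The coverage column makes the mismatch concrete: network security spend is 37.5% of network spend, while application security spend is under 1% of application spend.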
Obviously taking into account the business' priorities adds additional constraints, but delivering in the face of constraints is what separates engineers from apes.
Update: Mark Curphey takes a look at the budget issue from another perspective.
Update 2: Interview on out of control IT Security budgets