


Just saw this from a Securosis pointer. I don't want to sound too critical, but have you actually done this? Following IT spend will miss business objectives, other risk drivers, and areas you need to improve. Applying a % without evidence or strategy diminishes credibility and allows unqualified folks to argue what they think the % should be. Associating optimal security with a % of budget is a well-understood fallacy; e.g., at RSA I recall Andrew saying Forrester researched this also.
I've done the following to much success:
- understand biz drivers (IT may be a subset) and investment to support
- collect evidence to identify unacceptable risk areas, map to biz drivers and estimate investment
- conduct a quick zero-based budget exercise with your team for existing services.
Then compare the above with the top down number. The delta is then justified and debated in terms of desired business outcomes.
This approach takes more time upfront but reduces subjective debate and speeds up decisions.
Hope you don't mind the counterpoint.


A "flat tax" is simple, but is it efficient? Some services/applications will be more expensive to secure effectively than others. Some will face greater security risks: for instance, a service that is connected to the Internet is probably at greater risk than one that is only available on the intranet; a service that handles money (e.g., e-banking or payment) may be at greater risk than one that does not. Does it make more sense to direct one's spending on security towards where it will make the biggest difference?

Sanjeev Walia

Simple but excellent approach. Since you have made it easier for us to make "suggestions", how about letting each functional head quantify the impact of critical information loss in their respective areas. Tax 7% on that and you will have a decent budget. Now no one can complain either.
