A while back, Dan Geer posed the following questions:
How secure am I? Am I better than this time last year? Am I spending the right amount of $$? How do I compare to my peers? What risk transfer options do I have?
Dan asserted, and I agree, that these are perfectly reasonable questions for senior management to ask; virtually any other part of a business can shed some light on them, and the exception is infosec, which today has virtually no way to answer any of them.
So, following up on Mike Rothman's tip on surviving budget season, let's drill down on one question: am I spending the right amount of $? And, for the $ I do have, am I spending it on the right things?
Let's assume you have a fictional infosec budget of $100: where should you focus your spend? One good thing about budget numbers is that they are generally readily available. This is an exercise I have done for a number of clients; an outside consultant can do it even in a very large organization in about two weeks, and an employee who knows where to look can probably get it done in half that.
One thing I learned from Pete Lindstrom is that an asset can be valued as being worth "no less than what you pay to develop, own, and operate it." Hopefully it is worth more (if you like profits), but it is worth at least what you paid for it. This is the floor.
Now, to apply the budget to layers that are useful to security, we will break the overall IT budget into Network spend (what you spend to operate your network), Host spend (sys admins, OS, licenses, and so on), Application spend (what you spend on app dev, app servers, and so on), and Data spend (DBAs, database licenses, and so on). Let's assume ABC Ice Cream Co spends the following:

IT Budget
  Network        2,000,000
  Host           8,000,000
  Applications  32,000,000
  Data          12,000,000
It sure looks to me like the business values - apps, data, hosts, and network - in that order. Again, these are big numbers, but big companies are good at some things, and one of those things is assigning spend to cost centers, so for decision-support purposes you can find "good enough" numbers in a relatively short amount of time. Now let's look at the same categories for IT security spend - network security (firewall, IDS, and so on), host security (VM, hardening, and so on), app security (static analysis, SDLC, web services security, and so on), and data security (XML security, data encryption, backups, and so on):

IT Security Budget
  Network          750,000
  Host             400,000
  Applications     250,000
  Data             100,000
It looks to me like IT security thinks the most important areas are - network, host, apps, and data. We can compare these two budget priorities thusly
Now there are a couple of possible takeaways here. One is that the People's Republic of IT Security is just waaaayyyy smarter than the business folks, and if we just gave IT Security control over all business strategy the stock price would go right to $120. Another view is that IT Security is completely out of alignment with how and where the business invests its dollars. Run the numbers using the above breakdowns on your own organization and see what you come up with. These are fictional, but I bet the priorities are pretty similar in your shop.
Now, I am not in any way suggesting that IT Security just parrot back and copy the budget percentage spends. What I am saying is that 1) there should be some alignment of priorities, and 2) that alignment should be the starting point of IT Security investment, instead of "hey, we have all these network security licenses/people/devices". The starting point is aligning security investment with the business and its assets, not investing in network security because that was a good idea in 1997 and hey, that's how we've always done it. Doing so is pure budget cruft.
So if we rebalance the IT Security spend, we can arrive at something that reflects IT Security's competencies and aligns better with what the business values.
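To make the comparison concrete, here is an added example (not from the post) that carries the ABC Ice Cream Co numbers through the steps above: each layer's share of both budgets, security dollars per IT dollar in each layer (the floor-value lens), and a proportional rebalance used purely as an illustrative starting point, since the post deliberately prescribes no rebalancing formula.

```python
"""Budget-alignment check for the fictional ABC Ice Cream Co figures."""
from typing import Dict

# Figures from the post (fictional ABC Ice Cream Co), by layer.
IT_SPEND: Dict[str, float] = {
    "Network": 2_000_000, "Host": 8_000_000,
    "Applications": 32_000_000, "Data": 12_000_000,
}
SECURITY_SPEND: Dict[str, float] = {
    "Network": 750_000, "Host": 400_000,
    "Applications": 250_000, "Data": 100_000,
}


def shares(spend: Dict[str, float]) -> Dict[str, float]:
    """Fraction of the total budget that each layer receives."""
    total = sum(spend.values())
    return {layer: amount / total for layer, amount in spend.items()}


def priority_order(spend: Dict[str, float]) -> list:
    """Layers ranked by spend, highest first (what the budget 'values')."""
    return sorted(spend, key=spend.__getitem__, reverse=True)


def coverage_ratio(it: Dict[str, float], sec: Dict[str, float]) -> Dict[str, float]:
    """Security dollars spent per IT dollar in each layer.

    IT spend is the asset's floor value, so this is protection per unit of
    floor value; a layer far below the others is the misalignment signal."""
    return {layer: sec[layer] / it[layer] for layer in it}


def proportional_rebalance(it: Dict[str, float], sec: Dict[str, float]) -> Dict[str, float]:
    """Illustrative starting point only (an assumption of this example, not the
    post's prescription): spread the existing security total across layers in
    the same proportions as the IT spend, keeping total security spend fixed."""
    total_sec = sum(sec.values())
    return {layer: share * total_sec for layer, share in shares(it).items()}


def alignment_table(it: Dict[str, float], sec: Dict[str, float]) -> str:
    """Side-by-side view of IT share, security share, and coverage per layer."""
    it_s, sec_s, cov, reb = shares(it), shares(sec), coverage_ratio(it, sec), proportional_rebalance(it, sec)
    rows = [f"{'Layer':<13}{'IT %':>8}{'Sec %':>8}{'Sec$/IT$':>10}{'Rebalanced':>13}"]
    for layer in it:
        rows.append(f"{layer:<13}{it_s[layer]:>8.1%}{sec_s[layer]:>8.1%}"
                    f"{cov[layer]:>10.4f}{reb[layer]:>13,.0f}")
    return "\n".join(rows)


if __name__ == "__main__":
    print(alignment_table(IT_SPEND, SECURITY_SPEND))
```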
Obviously, taking the business's priorities into account adds additional constraints, but delivering in the face of constraints is what separates engineers from apes.
Update: Mark Curphey takes a look at the budget issue from another perspective.
Update 2: Interview on out of control IT Security budgets
Interesting! Can you elaborate a little more on how you propose to rebalance the IT security spend?
Posted by: Kees Leune | October 04, 2007 at 01:57 AM
Kees - I don't have a generic plan for how to rebalance the spend; my main goal is to get a sane starting point based on business and asset instead of "this is how we have always done it." Rebalancing depends on a number of factors and constraints - what security services are you set up to deliver, where and how is the most cost effective way to deliver the security services, and so on. So my main goal is not that I have the perfect rebalanced view for everyone, but rather that you should start by taking an objective view.
Posted by: Gunnar | October 04, 2007 at 08:03 AM
Wouldn't it make more sense to value an asset at what you can resell it for?
A lot of applications are licensed per user (see MSFT Windows and Office, for example), so they have a disproportionate effect on the costing, but not on the value they deliver.
The data is the most valuable bit (even if you spend less on it). The applications are your biggest cost, but not your biggest value. Applications are also your biggest vulnerabilities.
The network offers a chokepoint for traffic, and is a good opportunity to control traffic. Hence, spending money on network-based control is actually cheaper per node than host-based control.
The correct solution, as always, is to run audited code which has been well tested for security issues.
Posted by: Devdas | October 05, 2007 at 07:05 AM
Devdas - The budget numbers described to value the asset are the starting point to generate the floor value - the minimum number. I have also used revenue generation by asset to generate the ceiling. This can be interesting to compare, but you generally need to do it on an app by app basis - how much revenue do leveraged assets like a network provide?
To your second point, I think there are many cases where network security can be among the most cost effective solutions, but this is not generally the way the case is made. I am just trying to move thinking in this direction, instead of assuming that future investment priorities in infosec will blindly follow the past.
Posted by: Gunnar | October 05, 2007 at 08:14 AM
Hmmm, I would really like to look at it as "What happens to your company if this data is made public before you want it to, or it gets destroyed"?
If you find yourself going out of compliance with your application licensing, the cost of coming back into compliance is fairly low. OTOH, if your customer data gets public, that's a lot of damage.
What I am trying to say is that cost and value are not the same. Data has a disproportionately higher value to its cost. Applications have lower value than data (but you can't always negotiate costs, especially with closed data storage formats).
I agree that security investment priorities need to change, but not because of the costing involved.
I prefer to think of security systems as bandages. Securing the network gives a lot of bandaging for the least cost. Securing the application is corrective surgery, expensive but the only fix.
Posted by: Devdas Bhagat | October 19, 2007 at 05:42 AM