Security budgets are often based on a combination of last year's spending, this year's threat(s) du jour, and "best" practices, i.e. whatever everyone else is doing. None of these help address the main goal of information security, which is to protect the assets of the business. The normal security budgeting process results in overspending (as a percentage) on network security, simply because that is where the budget grew organically starting in the 90s.
A simple three-step process for arriving at a security budget that maps to business reality rather than to security silver-bullet fantasies is as follows:
Step 1. Gather the relevant data for where the enterprise is investing its dollars in IT. Let's assume our company is Jones Widgets.
Step 2. Apply a "flat tax" for security budgeting; for this example let's say 7%. If Jones Widgets invests $5M in its customer relationship systems, $2M in order management, and $1M in ERP, those IT investments are the starting point for assigning priorities to the security budget. This is the part that security people miss: you don't need to do asset valuation, because there is a whole group of people in the business who have already done it for you. Your job is to enable the intent they have already clearly communicated through their budget decisions.
So, applying the flat tax, Jones Widgets' budget looks like this:

| IT System | IT Budget | Initial InfoSec Budget (7%) |
|---|---|---|
| Customer Systems | $5M | $350k |
| Order management | $2M | $140k |
| ERP | $1M | $70k |
Notice that the starting point in this step is aligning the security budget with overall enterprise IT spending. It's not based on whatever area infosec happened to invest in last year, or on what someone said at a conference; it starts by aligning with what your business values. It's not about security foofaraw, it's about Jones Widgets.
Step 3. Efficacy. Let's assume that the Customer Management and ERP systems are behemoth third-party packages bought off the shelf, while the Order Management system is built in house, so you have the source code. The way you choose to deliver security for purchased third-party systems will differ from the way you secure systems whose code you design, build, and deploy yourself. So the next step, after initially rationalizing the budget, is to assess what the most effective security you can get for each area is.
It's not that the business budget should trump the infosec budget, but it is a very useful starting point. Moving off those priorities should require a statement of efficacy: a concrete case that some security dollars are better spent in, say, the Order Management system because the company controls the code. If Jones Widgets' Order Management system is built in house and the business relies on it to process orders, then if that asset is compromised Jones Widgets cannot simply go and buy another order system from a vendor. It's their core business, their DNA.
So let's assume Jones Widgets wants to scan its code, invest time in threat modeling, and so on for its core business asset. It funds this by pulling 20% of the initial allocation from each of the ERP and Customer systems ($70k and $14k, $84k in total) and moving it to Order Management, leaving the overall security budget unchanged at $560k:
| IT System | IT Budget | Updated InfoSec Budget |
|---|---|---|
| Customer Systems | $5M | $280k |
| Order management | $2M | $224k |
| ERP | $1M | $56k |

There's no need to get wrapped around the axle on asset valuation: the business gives you a starting point, so use it. Then move away from it only when you can make a concrete case that altering priorities improves efficacy. Or, put another way: it's your job. Do it.
Just saw this from a securosis pointer. I don't want to sound too critical but have you actually done this? Following IT spend will miss business objectives, other risk drivers, and areas you need to improve. Applying a % without evidence or strategy diminishes credibility and allows unqualified folks to argue what they think the % should be. Associating optimal security to % of budget is a well understood fallacy e.g. at RSA I recall Andrew saying Forrester researched this also.
I've done the following to much success:
- understand biz drivers (IT may be a subset) and investment to support
- collect evidence to identify unacceptable risk areas, map to biz drivers and estimate investment
- conduct a quick zero-based budget exercise with your team for existing services.
Then compare the above with the top down number. The delta is then justified and debated in terms of desired business outcomes.
This approach takes more time upfront but reduces subjective debate and speeds up decisions.
Hope you don't mind the counterpoint.
Posted by: Jared | March 19, 2010 at 04:16 PM
A "flat tax" is simple, but is it efficient? Some services/applications will be more expensive to secure effectively than others. Some will face greater security risks: for instance, a service that is connected to the Internet is probably at greater risk than one that is only available on the intranet; a service that handles money (e.g., e-banking or payment) may be at greater risk than one that does not. Does it make more sense to direct one's spending on security towards where it will make the biggest difference?
Posted by: AnonCorrespondent | March 22, 2010 at 09:10 PM
Simple but excellent approach. Since you have made it easier for us to make "suggestions", how about letting each functional head quantify the impact of critical information loss in their respective areas? Tax 7% on that and you will have a decent budget. Now no one can complain either.
Posted by: Sanjeev Walia | March 23, 2010 at 01:03 PM