Friday, July 21, 2006

Budget Allocation Myopia and Prioritizing Your Expenditures

Top management's empowerment - the dream of every CSO, or of every IT manager responsible for allocating the infosec budget and requesting future increases. The biggest downside of your current or future empowerment is how easy it is to get lost in budget allocation myopia instead of actually prioritizing your expenditures. According to Gartner, security is all about the percentage of budget allocated:

"Organizations that have reached a high level of IT security practice maturity can safely reduce spending to between 3% and 4% of the IT budget by 2008, according to research firm Gartner Inc. By contrast, organizations that are inefficient or have historically underinvested in security may spend upwards of 8% of their IT budget on security. This means that many organizations will still be investing aggressively for the next few years. Rich Mogull, research vice president and conference chair of the Gartner IT Security Summit which starts in Sydney Tuesday, said that there are now solutions to most information security problems. "It's just a matter of implementing the technology efficiently and effectively so resources can be focused on new threats," Mogull said. While information security has become a highly specialized branch of IT, commodity security functions are often being returned to IT operations. Organizations that are still impacted by everyday, routine threats must ramp up and become more mature in their approach."

I find this a wrong emphasis on higher spending as the cornerstone of "better security", and even if it were so, who's your benchmark at the bottom line? In a previous in-depth post on Valuing Security and Prioritizing Your Expenditures, I discussed the currently hard-to-implement ROSI model, and pointed out the following key points on data security breaches and security investments:

- on the majority of occasions, companies are taking an outdated approach towards security, one that still lives in the world of perimeter-based security solutions

- companies and data brokers/aggregators are often reluctant to report security breaches, even when they have the legal obligation to, either because the breach still hasn't been detected, or because of a lack of awareness of what constitutes a breach worth reporting

- the flawed approaches towards quantifying the costs related to cybercrime result in overhyped statements that stand in direct contradiction with actual security spending

- companies still believe in the myth that spending more on security means better security, but that's not always the case

- given the flood of marketing and the never-ending "media echo" effect, decision makers often find themselves living with current trends rather than with the emerging ones, which are what they should be paying attention to

There's also a rather simplistic explanation of the effect of industry convergence:

"Mogull also said that functional convergence in security products is occurring. For example, host firewalls, antivirus, antispam, and basic host intrusion prevention are combining into single, desktop agents. In the future, this will make security less complex, he said."

I wish the analyst had reached the stage of weighing the potential TCO increase against the benefits of diversifying appliances/products, a trade-off that naturally depends on your perspective, of course. Meanwhile, here's an article on how NOT to "sell security" to your CEO: CEOs tend to understand the basics of ROI; it's the RO(S)I they want to see applied scientifically, and compliance is perhaps your best friend these days. It's not about the percentage of spending, but about what you're actually spending on, and when.

Go through a previous post on information security market trends to consider, and try to stay on top of security, not merely in line with it.
