Ugh! Is that your security budget? *Sucks teeth and shakes head* Organisations spend an average of 5.6 per cent of their overall IT budget on IT security and risk management, according to analyst Gartner. IT security spending ranges from approximately 1 per cent to 13 per cent of the IT budget. Gartner warns that simply looking at the size of security spending - even in comparison to other …
The lowest-spending organisations fall into two divergent camps: Unsecure organisations that underspend, and secure organisations that have implemented best practices for IT operations and security that reduce the overall IT complexity.
And to get from the former to the latter the amount of effort that must go into persuading Exec and Finance is...
It's not the spending, it's the use of products and diligence that should be evaluated.
Got a expensive firewall, fine. How well is it configured? has it been pen tested? or updated..
Got a security tech(s), how fast do they respond, immediately, somewhere within 4 hours? (to late)
Are the employees treated well enough to take pride in their work or are they so beaten down that they function just enough to not get fired?
1) don't write an article which references a report where you have to pay out almost $200 to read.
2) find someone who is known. Perhaps a well published individual so you have more than one piece of reference to use.
3) What he stated is DUH. Nothing new or impressive.
4) Spending depends on more variables than can be put into this article. Many MORE. Again, what is stated isn't new or impressive.
5) What does he mean by "misuse IT security spending"? What an idiotic statement. This alone should let you know he's someone who will be disregarded by the InfoSec community.
6) I assure you, most organizations know their security budget. I assure you it's all based on risk and accepting the fact nothing is totally secure. It comes down to whether an organization can afford something vs the risk. Not a difficult subject to work.
Some organizations accept more risk than others. Some organizations can accept a huge amount of risk, others cannot accept much at all. This largely depends on the type of industry IT is supporting.
In short... making the statement on what percentage of the IT budget should be spent on InfoSec is moronic. Putting together a sound risk management strategy to allow a business/organization to still make money is where this article should focus... not some stupid range of numbers.
Disagree on 1 because the article might save someone $200. Don't care about 2, one person is ok as long as it is understood it is an opinion. agree with 3&4 which are pretty much the one point anyway. 5, Seriously? thats your take? I couldn't disagree more with you than on 6. 20 years of consulting at companies large and small has shown me that executive management has no clue what the numbers really mean, what their actual risk really is or what is actually being done with the money to reduce risk.
6) I assure you, most organizations know their security budget. I assure you it's all based on risk and accepting the fact nothing is totally secure. It comes down to whether an organization can afford something vs the risk. Not a difficult subject to work.
I assure you that you're mistaken - very badly mistaken - on this point, at least. If you've never seen a multinational enterprise turning over billions of USD with security architecture written on the back of a beer mat, you've not worked in enough organisations (or you've only worked in ones that hired your consulting firm employer, or similar sample-skewing mechanism.) There is an ocean of terrible, terrible security out there. I assure you.
One problem with the "analysis" is different organizations will place the same activity in different budgets. Unless, one digs very deeply into the numbers and knows what to look for the top line number may not include some security done elsewhere and include activities that not security related but got put there.
A company who employs a very clued-up I.T. person might have excellent security for an outlay of under £100K p.a, while another company might have terrible security after spunking £millions on a rip-off consultants, a team of "experts" and the latest shinies from Cisco. Security is more down to configuration than equipment.
In almost all things there is only a very loose correlation between cost and effectiveness.
All that the suits need is support for the claim that they are "Taking cyber [security] seriously.". The amount spent and the trend in that amount sound very detailed and very objective without having to leave the world of pounds and pence. If they have benchmarked their spending against industry norms they'll get extra points for thoroughness even if the outcome of the benchmarking isn't talked about.
This is part, a depressingly effective part, of managing the only aspect of risk that the stratospherically high-ups care care about - reputational risk.
The question of whether corporate or personal reputation is more seriously considered is left as an exercise for the commentariat.
"management" and "the business" are always whining about needing metrics about the RoI from the infosec budget. Posit: a more useful metric would be "how mature is our security setup?" and that a useful and interesting number would be the ratio of expenditure on people to expenditure on the latest, greatest security snake oil. The more spent on people, the better. Good security people only need a Linux box, maybe with a few Windows VMs in a lab environment for testing purposes, smart cooperative colleagues in dev, ops and management, and a stack of Free software. (OK you might want commercial AV, if you disregard the TavisO attitude that it does more harm than good, and some of the fancy UTM / ng firewalls have their merits; but 98% of commercial security products are bullshit.
Many organizations view security as a cost and therefore to be minimized wherever possible. The other problem is it is considered to be something associated with the admin infrastructure and therefore subject to even more pressure to minimize overheads. I don't see this changing anytime soon, even in industries that are responsible for critical national infrastructures. Recent highly publicized DDoS attacks coming from mundane devices such as home webcams have brought welcome attention to the problems. But in my experience, corporate memory is short lived and we will be back to business as usual (minimizing the cost of security) in no time at all. I wish I had an answer to corporate blindness on the imperative to treat security as a high value corporate capability, but it eludes me.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
