How to budget for security
Estimating your security costs can be difficult. No matter what you set aside, often it's insufficient. Here's how to plan more precisely.
In Summary:
• Align security budgets with business objectives.
• Anticipate tripling your security costs for at least six months after a merger.
• Consider strategic security tools rather than point solutions.
PricewaterhouseCoopers (PwC) and CSO magazine have surveyed global companies about their security budgets since 2002, and for the five-year anniversary of the report, they cited some overall trends they'd noticed, including this one: "Company size does not affect spending. When the information security budget is measured as a percentage of the IT budget, it remains constant no matter how many employees a company has or what its revenues are. Size of company matters less in security spending than in industry."
"If you have good security practices but they don't address business initiatives, you're in trouble." Mark Lobel, Partner, PricewaterhouseCoopers
That's the wrong strategy altogether, according to Lobel and other experts. Although conventional wisdom puts security costs at three to five percent of the total IT budget, that estimate is changing for a variety of reasons. For one, security is increasingly important to companies; for another, it takes more resources to manage threats today than it did just a few years ago. The cost of security is increasing faster than the average IT budget, and the cost of security personnel is increasing even faster. If this trend continues indefinitely, security could consume your entire IT budget.
Any midsize company that wants to grow, whether by increasing revenue or through acquisition, must think about security strategically and dynamically. A universal strategy for budgeting is futile. Instead, you must think carefully about what security tools you're buying, why you're buying them, and how that outlay aligns with your core business objectives.
The problem with budgeting
The fundamental problem with security budgeting, laments Lobel, is that there's no actuarial table for calculating risk. Jim Tiller, chief security officer for Santa Clara, California-based BT INS, a Microsoft Gold Certified Partner, concurs. "If you're constructing a building, there's information about fire prevention, locks, and other protection. It's historically accurate information with which you can make sound decisions," Tiller explains. But because companies haven't been dealing with IT security long, there is no statistically significant sample available to use to assess the cost of breaches or problems. Complicating the situation, your security budget must encompass technological solutions for both internal (whether accidental or intentional) and external threats. Worse, just because you double your investment in security doesn't mean you're twice as secure.
The key is a concept well known to IT, though perhaps not well practiced: alignment with business objectives. "If you're moving to wireless handhelds for insurance agents to improve their efficiency, is IT supporting that initiative from a security standpoint?" asks Lobel. "If you have good security practices but they don't address business initiatives, you're in trouble."
To start, avoid looking at security as a static variable. Instead, address security needs as you would other areas in your IT budget: Devote a certain percentage toward overall system maintenance, then budget for individual projects. In other words, align your security budget appropriately with the level of security each application needs. Rather than a percentage of the overall budget, use a percentage of each application's or project's budget to determine security costs.
Budget considerations during growth and acquisitions
When you begin to map out your security investments, think long-term and comprehensively rather than purchasing point solutions. For instance, instead of an encryption tool that targets only e-mail or only mobile devices, look for one that covers both. That way, if you do pursue growth through the earlier example of giving handhelds to insurance salespeople, you already have a solution in place to cover that new business strategy.
The same is true when you acquire a company. An integrated access management system that manages digital identities and specifies how employees may access data resources should cover not only your applications but any applications that might come with an acquisition.
Even so, Tiller says there are specific budget calculations you can make on the cusp of a merger. "Mergers bring complexity and discontinuity, and that always introduces new security issues," he says. He advises companies to triple their current percentage of overall security spending for at least six months after a merger. "It's almost like dealing with an actual security event," says Tiller. "You face an increased expenditure over the short term, but your costs will normalize within 12 to 18 months."
Silicon Valley-based freelancer Howard Baldwin writes regularly for Microsoft. His work has also appeared on AllBusiness.com and in CIO.