How to budget for security






Estimating your security costs is difficult, and whatever you set aside often turns out to be insufficient. Here's how to plan more precisely.

In Summary:

Align security budgets with business objectives.

Anticipate tripling your security costs for at least six months after a merger.

Consider strategic security tools rather than point solutions.

When PricewaterhouseCoopers (PwC) and CSO magazine surveyed global companies about their security budgets last year, the news was troubling. Between 2005 and 2006, the cost of security as a percentage of the overall IT budget increased by anywhere from 10 to 30 percent for almost half of the respondents. The news was worse for midsize companies, says PwC partner Mark Lobel: "The increase is larger for smaller companies because while they're trying to keep IT spending down, they're still adding to the security budget."


*"A lot of people believe that perfect security is a reachable goal. It's not, and that's what makes budgeting so difficult."*
Larry Ponemon
President,
Ponemon Institute

That's the wrong strategy altogether, according to Lobel and other experts. Although conventional wisdom pegs a security outlay equal to 3 to 5 percent of the total IT budget, that thinking is changing for a variety of reasons. For one, security is increasingly important to companies; for another, it takes more resources to manage threats today than just a few years ago. The cost of security is increasing faster than the average IT budget, and the cost of security personnel is increasing even faster. Follow this curve, and eventually all you're paying for is security.

Any midsize company that wants to grow, whether by increasing revenue or through acquisition, needs to think about security more strategically and more dynamically. A one-size-fits-all strategy for budgeting is futile. Instead, you must think carefully about what security tools you're buying, why you're buying them, and how that outlay aligns with your core business objectives.

The problem with budgeting

The fundamental problem with security budgeting, laments Lobel, is that there's no actuarial table for calculating risk. Jim Tiller, chief security officer for Santa Clara, California-based BT INS, a Microsoft Gold Certified Partner, concurs. "If you're constructing a building, there's information about fire prevention, locks, and other protection. It's historically accurate information with which you can make sound decisions," Tiller explains. But because companies haven't been dealing with IT security for long, there is no statistically significant sample available from which to discern what breaches or problems will cost. Complicating the situation, your security budget must encompass technological solutions for both internal threats (whether accidental or intentional) and external threats. Worse, doubling your investment in security doesn't mean you're twice as secure.

The key is a concept well known to IT, though perhaps not well practiced: alignment with business objectives. "If you're moving to wireless handhelds for insurance agents to improve their efficiency, is IT supporting that initiative from a security standpoint?" asks Lobel. "If you have good security practices but they don't address business initiatives, you're in trouble."

Your goal should be to stop thinking about the security budget monolithically. "A lot of companies view security as a static variable," says Larry Ponemon, president of the Ponemon Institute, a security consulting firm in Traverse City, Michigan. "As the company evolves, new security requirements appear. But rather than treating security as the variable it is, they [act] as if it doesn't change."

Address security needs, then, as you would other areas in your IT budget: ascribe a certain percentage toward overall system maintenance, then budget for individual projects. In other words, align your security budget appropriately with the level of security each application needs. Don't use a percentage of the overall budget as your guide—use a percentage of each application's or project's budget.

Budget considerations during growth and acquisitions

Fundamental to the evolution Ponemon cites are growth and acquisition. When you begin to map out your security investments, think long term and comprehensively. "A lot of companies make the mistake of going after point solutions," says Ponemon. For instance, instead of an encryption tool that targets only e-mail or only mobile devices, look for one that covers both. That way, if you do pursue growth through the earlier example of giving handhelds to insurance salespeople, you already have a solution in place to cover that new business strategy.

The same is true when you acquire a company. An integrated access management system that manages digital identities and specifies how employees may access data resources should cover not only your applications but any applications that might come with an acquisition, Ponemon says.

Even so, Tiller says there are specific budget calculations you can make on the cusp of a merger. "Mergers bring complexity and discontinuity, and that always introduces new security issues," he says. He advises companies to triple their current percentage of overall security spending for at least six months after a merger. "It's almost like dealing with an actual security event," says Tiller. "You face an increased expenditure over the short term, but your costs will normalize within 12 to 18 months."

Stop searching for utopia

One final thought regarding budgeting for security: forget about perfection. "A lot of people believe that perfect security is a reachable goal," says Ponemon. "It's not, and that's what makes budgeting so difficult." Not only is it impossible to estimate the risk precisely (back to the absence of an actuarial table again), but fallible humans can still unintentionally cause security problems. Budgeting then becomes a psychology problem in which you must accept that some failures will occur.

"You can't get an A, so are you willing to live with a B?" asks Ponemon. "We still want to get A's, but that would cost an excessive amount of money. You have to settle for getting a B, which means doing the best you can on a limited budget."


Howard Baldwin

Silicon Valley-based freelancer Howard Baldwin writes regularly for the Microsoft Midsize Business Center. His work has also appeared on AllBusiness.com and in CIO.
