Why invest in cyber security?
I’ve been wanting to write this article for the last two weeks, and there is no better time than today, in the wake of the recent global ransomware attack WannaCry, to make the case for scientific security budget management aligned to the business goals and objectives.
Material possessions with a price tag are easy to value; valuing data is arduous. Cash, jewellery, cars and other tangible goods have a price, and based on that value one can choose which controls to put in place.
For instance, an apartment owner may choose to install CCTV, digital locks and security doors based on the valuables kept inside. A jewellery establishment may go further: dedicated 24/7 manned security guards, biometrics, steel-reinforced walls and so on. The security control put in place is positively correlated with the value it protects.
Unlike tangible possessions, putting a dollar value on intangible assets, and on the security controls needed to protect them, is contentious. Information is one such asset, and corporations wrestle to find an optimum balance between adequate spend on controls and earned revenue, net profit or total IT budget.
Recently, while I was presenting additional investments to strengthen security to our CEO, he mentioned the teeth-to-tail ratio used in the military and asked whether or not we were investing too heavily in the tail. This question can be answered by assessing two things.
First, an organization must assess the value of the data its customers entrust to it; second, it must work out the percentage of spend in relation to the revenue the organization generates by processing that data.
To arrive at existing spend, list the expenses, both capex and opex, incurred on security controls. This list may include CCTV cameras, building management systems (BMS), access controls, firewalls, IPS/IDS, privileged identity management (PIM), DDoS protection, DLP, anti-virus, log management, vulnerability management, manned guards and so on. Include recurring costs (licences, subscriptions, staff, managed services) alongside one-off purchases, otherwise the opex side of the picture is understated.
However, as noted earlier, valuing information is intricate. Even though only a speculative value can be arrived at, it will still guide management to a close estimate of the budget required.
Independent research by SANS indicated that in 2016 organizations’ security budgets ranged between 7% and 9% of total IT budget, with financial services spending the most at 10%-12%. Such benchmarks are a sanity check, not a target: a percentage of IT budget says nothing about whether the data you hold justifies the spend. As a CISO it is imperative to arrive at the cost actually incurred and determine whether it is adequately budgeted and utilized. Security spend must be aligned with the data the organization processes for its customers, its business objectives and its mission.