Video Screencast Help
Security Community Blog

Do you (still) need to justify your spending on IT security?

Created: 29 Mar 2013
Daniele Bertolotti's picture
+1 1 Vote
Login to vote

Having troubles justifying your IT Security spending? Here is a short list of useful resources and ideas that will help you explaining why you are buying that new IT security toy or requesting more resources to implement a missing security process. 
And please, share what you use and let’s make this list grow.


How much should I spend?


The guys at the IT Policy Compliance Group spend their time going around globally and interviewing companies trying to understand, among many others, a couple of things relevant to us:

·      The Financial Benefits of Spend on Security

·      How High Performance Organizations Manage IT

I’m beginning with their work because I think they use a pretty unique approach: they start looking at the most efficient companies, the so called top-performers from several industries, and they correlate business results with IT spending, both in security and IT governance (we should already know at this point how much the two are interlocked). So, we could say they don’t look at the ROI of buying an endpoint protection suite or an anti-spam solution (good luck with that!), but they evaluate the IT Security spending as a competitive advantage to reach the established business results of a company. And they try to answer the question: “How much should we spend?” according to their motto “You either pay beforehand or you pay afterward, but you’re going to pay”. Showing that it’s less costly to pay beforehand.

Surprise surprise, top-performing companies, with best financial returns, are those that invest the most in IT security. But it’s not just about financial returns: the report shows a direct connection between companies spending more in IT security and those with more retained customers, lower rates of business disruption, and lower rates of from data loss and theft. That is, better results against the commonly considered top IT Risks.

Check out their work at:

What happens when something goes wrong?

Ok I see, you are a down-to-earth guy and you need numbers and figures when something goes wrong. The Ponemon Institute has the kind of data you need. In their “Cost of Data Breach Study” they try to quantify, per geographical region and major countries, what is the real cost associated to a data breach.

The report divides the costs associated with a data breach to several factors:

·      Detection and escalation costs

·      Notification costs

·      Post data breach costs

·      Lost business costs

It’s interesting to notice how the different factors have a different weight according to the country where the data breach took place. That’s a useful hint to understand what are the most relevant cultural values, country per country, and adjust your processes to it. For example, European countries spend much more in detection and escalation compared to what they spend in notifications, whereas the opposite happens in the US where bigger attention is paid to customers and most of the States have data breach notification laws in place.

Clearly, the cost we should mostly fear is the one coming from lost business, which is higher where we face a more mature audience. If your customers are what determine the success of your company (and I challenge you to state otherwise), you should read in the report how companies around the world invest, after the breach, in preventive measures, and be a little more proactive than them (remember what we said above, before or later “you’re going to pay”).

Check out the latest Ponemon report.

What if I don’t do it?

Ok, I know, it may not as easy and ready to use as the ones above, but if you need to scare people inside your organization (or force them to listen to you), the good old regulatory requirements are always there to help you. You should be aware of all major regulations with some sort of IT requirements, and the implications of not being compliant.  
Looking forward, people in the EU should be the ones most concerned: the European Parliament is working on the next version of Data Protection regulation, that supposedly will bring back to Europe the leadership in protecting personal data. Concepts such as “Data Breach Notification”, “Accountability”, “Data portability” and the “Right to be forgotten”, will definitely require companies to approach Data Protection in a more cohesive way, implementing some sort of Compliance Program (something on the line of what we described here and here). If you add the fact that the fines for non-compliant organizations will be calculated in a percentage of the company’s total revenues, you see how this new regulation will have quite an impact.

On top of that, this new regulation is not afraid of digging into technology, introducing terms such as “Privacy Enhancing Technology”, “Privacy by Design” and “Privacy Seal”, to identify and mark those technologies and processes enabling Data Protection. There is still much work to do by the European Parliament in this direction, but be prepared to a groundbreaking piece of legislation. Here is the EU mini-site on the current proposal

What is best for me?

You have data and researches of all the sorts out there: you can prove the cost of a Data Breach or you can estimate what will happen if you are not compliant with a regulation, but can this really be applied to you?            
In the end, it’s all around the risk appetite of your organization. It’s a simple concept that belongs to the IT Risk Management literature: you face risks and each of these risks has its own likelihood to happen and a certain level of impact (possibly expressed in an economic measure). You will never be able to bring the risk down to zero, but what you can do is implementing a series of countermeasures (that is, spend on IT security) to bring it down to a level that you consider acceptable according to your risk appetite. The trade-off here is the cost of these countermeasures compared to their capability of reducing risk and it all goes down to a very simple equation: if the cost of a countermeasure is higher than its benefits in terms of risk reduction, then you are investing your money right. Otherwise, forget it.
Easy right? Not really…how do you identify a risk? How do you measure its likelihood and impact? How do you evaluate the risk reduction that a countermeasure delivers?

We will discuss about this (there are several methodologies out there). For the time being, just leverage the collection of resources provided above and their figures in the best possible way.

Blog Entry Filed Under: