Comparing Your Security Budget, Or, The Lemming Approach to Management


    Hey everyone. I’d like you to welcome Jack Jones to the weblog. I’m getting him his own account, but in the meantime, enjoy his excellent article on IRM budgeting.

    Just the other day I was asked again what percentage of my employer’s IT budget went toward security. My answer (as it’s always been) was, “Why should I care?” As usual, the response I received ran along the lines of, “Well if you don’t know, how can you determine whether your organization is spending enough on security?”

    In exchanges like this, I’m often asked to explain myself. What self-respecting CISO doesn’t benchmark him/herself against their peers? Don’t get me wrong, I completely understand the desire to check yourself against your peers, and in some circumstances it’s worthwhile. But I don’t believe there’s much value in budget comparisons for our profession today, and those comparisons may actually work against me as I try to help my employer manage its information-related risk.

    TO WHAT BENEFIT?

    What practical benefit is there to comparing my spend against the industry? If my numbers are lower than average, am I going to be able to use that to garner more support? Not in my experience. If I haven’t already made an effective case for the various security initiatives on my radar, the simple fact that my employer isn’t spending an average amount isn’t likely to carry a lot of weight.

    On the other hand, if our numbers are about average, then I may very well be at a disadvantage in requesting additional funding for things that really do need attention. Likewise, if our numbers are high, then there’s a very good chance I’ll need to tighten the belt. Now, if the industry numbers were truly meaningful (more on this in a minute) then positive or negative budgetary adjustments on my part might be appropriate. But the numbers aren’t meaningful and so comparison stands a better chance of hindering my ability to be effective than it does of aiding me.

    Many of the security people I talk to will argue that their organization doesn’t spend enough on security. If a significant number of companies are “under-spending” (according to their CISO), then setting an industry baseline based on averages derived from “under-spending companies” further erodes the usefulness of the metric.

    Does leadership care about how much it’s spending on security? Sure it does, but only within the context of whether it’s the “right” amount (as differs from “the same amount as everyone else”). More on this later…

    WHAT’S INCLUDED IN THE NUMBERS?

    As I’ve engaged in surveys and discussions with peers regarding security spend, I’ve seen a high degree of variability between organizations and what they consider “security spend”. The simple fact is that organizational structures vary widely (and tend to change often in many companies) and, as with any comparative metric, if we can’t normalize the data then the conclusions and resulting decisions are likely to be flawed.

    WHERE ARE WE IN THE CURVE?

    By this I mean the “maturity curve”. In other words, is our security program just starting out, is it well established, or is it somewhere in-between? Keep in mind that the amount and nature of spending on security varies throughout the life-cycle of a security program. Therefore, it isn’t useful to compare organizations that are at different points on the curve. Sure, an argument can be made that by averaging we compensate for these differences, but it still leaves me unable to make a meaningful comparison regarding what my organization spends given its point on the curve.

    IT’S NOT JUST HOW MUCH WE SPEND, IT’S HOW WELL WE SPEND IT

    One of my objectives as a CISO is to provide some competitive advantage to my employer by trying to achieve equivalent (or better) risk management at less cost than our competition. Now, I don’t know specifically what the competition is spending (but I do know the supposed “average”!), nor do I necessarily know what they’re spending it on (although I can guess with some degree of confidence because of the focus on “best practices” that seems common — more on this in a minute). But I do know that if my target is simply to spend the same amount as everyone else, then I’m not focused on the right thing and I’m not being a responsible steward of my budget.

    LEMMINGS

    If I use as a target the “average” security spend in the industry, then I am, by implication, assuming that the average company is doing a good job in how it manages information risk.

    This is really a topic for another blog post, so I won’t dive deeply here. Briefly, I believe our industry is still far too dependent on the shamanistic principles of:

    • FUD — scare the non-believers into following our advice. “The thunder-gods will get you.” / “The hackers will get you.” — not much difference there.
    • Best practices — “The tribe down the river does it this way, grandpa did it this way, so we have to do it this way.” Some best practices are badly dated, others reek of vendor agenda, so there’s no guarantee that best practice is the right solution for our particular risk issues and corporate risk tolerance. Perhaps worse, blind adherence to best practices violates our responsibility as stewards of our budget to look for cost-effective solutions.
    • Gut instinct of the practitioner — Don’t get me wrong, many security practitioners have developed outstanding instincts. Furthermore, good instincts are a critical component of dealing effectively with almost any aspect of life. The problem is that without applying a dose of critical thinking and analysis to the complex problems we face, we’re — a) too vulnerable to personal bias, industry myth, and dogma, and b) unable to effectively defend our conclusions and recommendations to our stakeholders.

    TOLERANCE

    Perhaps the most significant concern I have about budget benchmarking is that it implies there’s some universally accepted “appropriate amount” of spend. Hogwash. Think about it this way — how much automobile insurance** do you carry? Is it above or below average? Would you change it if you knew it was above or below average? Some people might, but I select my coverage based on my income, savings, expenses, risk, and risk tolerance. This coverage is the “right” amount for me given these variables.

    The fact is, every organization has different resources, expenses, risk levels, and risk tolerances from every other, and it’s a fallacy to believe one-size-fits-all. The good news is that our organization’s leaders know what their resources and overall expenses are, and they have an innate sense of what their risk tolerance is (because they’re making risk decisions every day). I believe the challenge has been that we haven’t been doing a great job of providing leadership with useful risk information. Until we can do that, the question of how much we’re spending on security seems almost moot.

    IF NOT BENCHMARKING, THEN WHAT?

    The bottom line is that the “right amount” of security spend is unique to each organization. Furthermore, executive management’s opinion is the only one that ought to matter regarding what that amount is. They are the ones who have a clear understanding of the company’s condition, objectives, resources, competing risk issues, and risk tolerance. It’s their job to manage the overall business risk portfolio. Our job is to help them make well-informed decisions regarding our piece of that puzzle by providing a clear, unbiased, and useful picture of their information-related risk and risk mitigation options. Until/unless we do that, then any argument regarding appropriate security spend isn’t terribly useful.

    ** I know that some people in our profession get up in arms about any comparison to insurance, but this analogy was the one risk management example that almost everyone can personally relate to.


    8 comments

    1. rybolov Jun 26

      Interesting in that yesterday I did an analysis of the Charbo (DHS CIO) Testimony in front of the House Committee on Homeland Security. One of the points that was brought up was a “security spending as a percentage of IT spending” metric and why it was so low for DHS.

      Anyway, check it out:
      http://www.guerilla-ciso.com/archives/175

    2. Alex Jun 26

      You know, with all the bureaucracy involved, it’s amazing that he can get anything done at all.

      I don’t see his testimony as a personal failure, as much as I see it being symptomatic of our lack of maturity.

    3. LonerVamp Jun 26

      We both build gaming machines for our home PC gaming desires. You spent a ton on yours from Alienware, but I built mine for far cheaper using pretty much the same parts. Of course, I put a lot more intangible effort into mine. Which runs better? Well, that’s debatable, and likely depends on which game we’re both running. In fact, you like FPS games and I prefer MMO/RTS games, which makes our actual performance far different, and our needs are far different. I don’t necessarily need raw FPS/twitch…and so on. Even in small microcosms like that, trying to compare one variable like cost in order to extrapolate an overall “better/worse” measurement is pretty futile. This may work when comparing a Wal-Mart PC against an Alienware, but really any metric is obvious there.

      Excellent post, and welcome!

      Maybe you’re planning this for future posts, but do you use other metrics? Do you ever get exec pushback about not using that % of budget comparison, a sort of “but the Joneses are doing…” mindset? Personally, I like the whole gut instinct part you speak of above. “Mr. CISO, this is your job and we trust your ability. How do *you feel* about our position and spending?” Then again, while misguided metrics may be a sign of an immature industry, perhaps relying on gut feelings is as well. Perhaps the only metric is the ultimate goal of our industry: # of incidents along with cost of those incidents…i.e. is the business still healthy with risk managed?

    4. shrdlu Jun 26

      Jack, wonderful post, thank you.

      I would tend to agree with all of it except for the nitpick that for auto insurance, some states have a mandated minimum level of coverage, so if you translate that to “compliance spending” you’re still within the bounds of the analogy. :-)

      I think the reason executives want to know what their peers are spending is that in the absence of a solid understanding of their own risk, they will assume that any comparable organization shares a “generic” risk level and is therefore probably going to be using the same management strategy. Do all online gourmet delis have an identifiable (if nebulous) common starting level of risk, if they have very similar business functions and asset values?

      Big “ifs,” I know. But they’re probably hoping to have a starting point from which to customize their own risk landscape (“Sure, they’ve got the same customer base, but we have Super ISO, and they have Captain Nimrod at the helm. Besides, we have our own personal security SWAT team and they just have a firewall and two cans of Silly String”).

      All the points of distinction that you make are very valid; I especially like the one about the maturity curve (by the way, what does that look like and what are the identifiable points along it?).

      I can talk a lot about my current and past spending and identify places in which I expect the spending to increase or decrease over the next few years, and why. (At some point you would hope you’d stop having to clean up so much stuff and get more into maintenance mode. You’d HOPE.)

      But I still either need to address my boss’s hidden assumption by giving him a full description of our risk as WE identify it, or explain to him why he can’t assume that a similar organization has anything close to a similar risk profile. I’m not sure I can do the latter yet.

    5. Jack Jun 27

      Thanks, all, for your kind comments.

      LonerVamp - I like your gaming analogy. I definitely plan on additional posts, and metrics will be an important focus. As for CIO pushback: I haven’t had pushback on the spend issue, but certainly they’re interested in knowing what the competition is doing. I always provide as much information as I have on “common practice”, but I provide what I believe are more cost-effective alternatives (and the analysis that explains why) whenever they exist.

      The faith in my “gut instinct” has varied from employer to employer, and appears to be driven by culture. One organization was highly analytical and had no faith in anyone’s instinct, while another was very inclined to accept subject matter expert guidance.

      Shrdlu - Love the Silly String example! Yeah, the whole “compliance spending” thing has to be kept in mind because of the common misperception that if you aren’t spending as much you aren’t doing as much. Drives me nuts.

      I agree about leadership’s tendency to gravitate toward the average in the absence of better information. The whole focus of FAIR is to be able to provide better information, and I believe we’ve made excellent progress. There’s lots more to do/learn of course, but it’s a good start.

      As for a description of the curve, there’ll be more on that in another post.
