- When making the case for the security budget, it is critical to find metrics that succinctly describe the value of information security and do so in business terms.
- One of the most common methods is benchmarking against peers, although obtaining such information is not easy.
The perennial problem of how to obtain the funding necessary to keep critical enterprise assets secure is a frequent subject whenever IT security executives get together. Judging by a few surveys conducted over the last year, it appears for the most part that security budgets are increasing. A PricewaterhouseCoopers Global Information Security Survey published late in 2013 found a 51% increase in the size of security budgets over the previous year among the 9,600 executives it surveyed. The average budget was $4.3 million – almost double the average reported in the same survey for 2010.
For InfoSec executives, finding the most compelling metrics possible to communicate the value of IT security to the C-suite and board of directors is extremely difficult. At the CISO Forum in London earlier this month, a couple of panelists talked about new tactics they have employed in pitching their budget requests, including using professional graphic designers to help them get their metrics across more effectively. Given that security execs are competing with other talented groups within the enterprise to expand their slice of the budget pie, those panelists found it critical that whatever metrics you use be understood quickly. Another panelist reported that their security group invested in building communications skills among members of the security team and found some success. In addition, it is critical to choose metrics carefully, given the limited space afforded to security in a report to the board. Said one panelist, “You have to get the board to understand what’s overkill and what’s right for the business. A metric is only useful if the context is understood.”
So, what measurements are most effective in communicating with the board and C-suite? One CISO Forum panelist summed up five of the most common measurements: color schemes (red, yellow, green) indicating how secure the enterprise is, using big breach headlines to indicate the threat severity, rollups (i.e., the previous year’s spend), compliance, and benchmarking against peers. The latter is in fact probably the most common, judging by the results of another CISO survey conducted last fall by Wisegate: a clear majority of the CISOs (66%) said they based their assessment of optimum funding on peer data. The downside to that approach is that getting access to such data is extremely difficult, since most organizations are reluctant to share that information. Moreover, although general benchmark stats are available, security spending can vary by vertical market, regulatory compliance, revenue, and size of the company. Spending in banking and financial services is likely to be higher than the average, while government may be lower. Such information is typically passed along by word of mouth as security professionals move from one job to the next. However, such benchmarks can be useful in the event of a breach. As one CISO Forum panelist summed it up: “If you can prove to investors or regulators you were doing better than average, you’ll be fine in event of a breach.”