18 June 2012

Security Metric of the Week #11: Security budget as a proportion of IT budget or turnover

Given how often this metric is mentioned, it was quite a surprise to find that it scores a measly 16% on the PRAGMATIC scale. Why is that?  What's so dreadful about this particular metric?

Our prime concern stems from the validity of comparing the 'security budget' with either the 'IT budget' or 'turnover' (the quotes are justified because those are somewhat ambiguous terms that would probably have to be clarified if we were actually going to use this metric).  First of all, comparing anything to the IT budget implies that we are talking about IT or technical security, whereas professional practice has expanded into the broader church of information security.  Information security is important for anyone using and relying on information.  It could be argued that it is even more important outside of the IT department, in the rest of the business, than within it.  Likewise, comparing the [information] security budget against the organization's turnover may be essentially meaningless as there are lots of factors determining each aspect independently of the other. 

<Cut to the chase>  Answer us this: what proportion should we be aiming for?  In other words, what's our target or ideal proportion?  If you can explain, rationally, how to determine that value, you are doing better than us!

The metric may have some value in enabling us to compare security budgets over successive years, across a number of different organizations, or between several operating units within one group structure, provided we compare them on an equal footing.  If, for example, a whole bunch of engineering companies belonging to a large conglomerate reported about 10% for this metric (making that the norm, i.e. an implied target), apart from one company that stuck out with, say, 20% or 5%, management might be prompted to dig deeper to understand what makes that one so markedly different from the rest.  It's a fair bet that pressure would be brought to bear on the outlier to bring itself into line with the rest - such is the nature of metrics.  But would that necessarily be appropriate?  Who is to say that the majority are budgeting appropriately for security whereas the odd-man-out has got it wrong?  It is certainly conceivable that the outlier is in fact taking the lead on security, or that there are perfectly valid and appropriate reasons that make it unique.  Perhaps the way it calculates its budgets is different (whether, for instance, it counts security staff outside IT, insurance premiums or compliance costs as 'security'), or maybe it is at a different state of security maturity.  It could be recovering from a major security incident or noncompliance, or its management may have a substantially different risk appetite from the others in the group.

The point is that the metric could be distinctly misleading if considered in isolation.  Management might even be accused of being negligent if they were to act on it without a lot more information about the security and business situations that underpin it, in which case would we be any worse off if we didn't bother with it at all?


Single-digit scores for five of the nine PRAGMATIC criteria banish this candidate metric to the realm of soothsayers and astrologers in respect of Acme Enterprises Inc anyway.  Perhaps in your specific organizational context, this metric makes more sense, provides true value and justifies its slot on the security management dashboard - if so, we'd love to hear from you.  Feel free to comment below.   What are we missing here?  How do you make this one work?

  1. Actually, I have been doing quite a bit of work in this area and you are correct that Industry Trends in spend such as collected by Gartner Reports are helpful but not a fair or complete story.

    The fairest budget metrics that I have seen so far are more in line with Activity Based Costing metrics. These describe the same activity across firms but account for the types and level of such activities inside each firm.

    Yet, as to the question of what spending should be, there are several non-linear factors involved. The first two can easily fit into a fixed and variable cost model. What is the absolute floor level of information security that my paying customers must have? What is the level of security that attracts my paying customers to buy my product?

    Put cleanly in an ACME Corp example, what part of my security budget is part of the Cost of Goods Sold? What part of that cost will convince the Legal Authorities that ACME uses due care in protecting its customers? What part of that cost makes my customer 10% more likely to buy my product than my competitor's?

    InfoSec is not simply a Bottom Line cost avoidance strategy. It is also a top line market share gaining activity.
