Comments on Security Metametrics: SMotW #11: Security budget

Comment by Anonymous, 2012-07-04:

Actually, I have been doing quite a bit of work in this area and you are correct that Industry Trends in spend such as collected by Gartner Reports are helpful but not a fair or complete story.

The fairest budget metrics that I have seen so far are more in line with Activity Based Costing metrics. These describe the same activity across firms but account for the types and level of such activities inside each firm.

Yet, as to the question of what spending should be, there are several non-linear factors involved. The first two can easily fit into a fixed and variable cost model. What is the absolute floor level of information security that my paying customers must have? What is the level of security that attracts my paying customers to buy my product?

Put cleanly in an ACME Corp example, what part of my security budget is part of the Cost of Goods Sold? What part of that cost will convince the Legal Authorities that ACME uses due care in protecting its customers? What part of that cost makes my customer 10% more likely to buy my product than my competitor?

InfoSec is not simply a Bottom Line cost avoidance strategy. It is also a top line market share gaining activity.