Information security is the stepchild in the family of information technology. Metaphorically speaking, it saves and slaves, yet gets treated as the pariah. That, at least, is not news to CISOs. They are barely able to squeeze a few dollars out of their CEO/CFO, even as CIOs (who could also end up becoming CEOs) get huge chunks. Let us put numbers to this qualitative stepchild treatment to get a quantitative idea of what we are talking about.
According to a Gartner study, companies spend 5% of their IT budget on information security. About 35% of that goes to staff, 25% to software and 20% to hardware, with the rest going to outsourcing and consulting. Actually, it could be worse than that. Global information security spending for 2012 could be around $60 billion and is projected to increase to $86 billion by 2016, according to Gartner; the same Gartner projects information technology spending for 2012 at around US $3,600 billion. If you do the math, you realize that information security spending is less than 2% of information technology spending.
Some would argue that this is not shocking: perhaps information security is just not that important. That is said too early, and wrongly. McAfee estimated the cost of data breaches at around $1 trillion for a recent year. Symantec recently estimated the cost of IP data theft at around $250 billion. If doubling information security spending could prevent data breaches of that kind, it is clear that information security spending has a huge return on investment, a return of around 20 times the investment.
ROI, return on investment; but isn't that the Achilles' heel of information security? How do you measure the return on investment in information security? Information technology managers have learnt the trick of getting dollars out of CFOs' pockets; after all, they do get more than $3,000 billion. Information security heads have still to learn the ropes.
But it should not be so difficult for information security managers to get investment into information security, for several reasons. First, information security spending is barely 2-5% of investment in information technology. So if information security managers play their cards well (and this is not a lesson in corporate politics), it should not be too difficult to get incremental investment in information security.
Secondly, losses due to data breaches are of the order of US $1 trillion. So if we want to increase global information security spending from US $60 billion to $70 billion, that additional investment represents just 1% of the potential savings of $1 trillion, if those savings are theoretically possible.
Finally, almost 97% of data breaches are avoidable, according to studies by Verizon. So information security spending is not money poured down the drain. It may be not just theoretically but also practically possible to save a trillion odd dollars by spending a few billion dollars more on information security.
But all this is theory; now to brass tacks. How does the information security manager get top management to spend money on information security? How does the kid convince the parents to spend money on candy?
A few tricks: the information security manager could explain the objectives of information security spending, such as compliance with regulations, achieving competitive advantage, lowering expenses by reducing the number of incidents, and optimizing business expenses. The information security manager also needs to explain the risks involved in the investment.
It is important to explain how expenditure on information security has led to a reduced number of incidents. By piggybacking on past successes, the information security manager can point to an actual return on investment in security. For instance, an information security manager could establish a baseline level of incidents, show how expenditure on information security reduced the number of incidents, present the calculation of return on security investment for past periods, and use it to justify investment in the future.
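As an added illustration (not from the original post), the following Python turns that baseline-versus-after comparison into a return on security investment (ROSI) figure. It uses the common ROSI form, loss avoided minus the cost of the control, divided by the cost of the control; the incident counts, cost per incident and investment amount are constructed sample values, not figures from the post.

```python
"""Return on security investment (ROSI) from an incident baseline.

Added example, not code from the original post. Formula assumed:
    ROSI = (loss avoided - investment) / investment
where loss avoided = (baseline incidents - incidents after) * cost per incident.
All input figures below are constructed sample values.
"""


def annual_loss(incidents: int, cost_per_incident: float) -> float:
    """Annual loss expectancy: incident count times average cost per incident."""
    if incidents < 0 or cost_per_incident < 0:
        raise ValueError("incident count and cost per incident must be non-negative")
    return incidents * cost_per_incident


def rosi(baseline_incidents: int, incidents_after: int,
         cost_per_incident: float, investment: float) -> float:
    """ROSI as a multiple of the investment.

    0.0 means the control exactly paid for itself; 2.5 means every dollar
    invested returned 2.5 dollars net of the control's own cost; a negative
    value means the loss avoided did not cover the spend.
    """
    if investment <= 0:
        raise ValueError("investment must be positive to compute a return on it")
    loss_avoided = (annual_loss(baseline_incidents, cost_per_incident)
                    - annual_loss(incidents_after, cost_per_incident))
    return (loss_avoided - investment) / investment


def budget_case(baseline_incidents: int, incidents_after: int,
                cost_per_incident: float, investment: float) -> dict:
    """Summary a manager can put in front of the CFO: baseline loss, loss after,
    loss avoided, the spend, and the resulting ROSI."""
    before = annual_loss(baseline_incidents, cost_per_incident)
    after = annual_loss(incidents_after, cost_per_incident)
    return {
        "baseline_loss": before,
        "loss_after": after,
        "loss_avoided": before - after,
        "investment": investment,
        "rosi": rosi(baseline_incidents, incidents_after, cost_per_incident, investment),
    }


# Constructed sample: 40 incidents a year at an average $50,000 each before a
# $400,000 awareness and training programme (hypothetical), 12 incidents after.
SAMPLE_CASE = budget_case(baseline_incidents=40, incidents_after=12,
                          cost_per_incident=50_000.0, investment=400_000.0)

if __name__ == "__main__":
    for key, value in SAMPLE_CASE.items():
        print(f"{key:>15}: {value:,.2f}")
```

The same function run over each past budget period gives the series of historical ROSI figures the post recommends presenting; a negative or near-zero value for a period is the signal to question where that period's money went.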
It is also useful for the information security manager to spend money in the right direction. For instance, data breaches do not necessarily happen because of technology or for lack of technology; there is a significant human element involved. Hence it may be good to invest in training and awareness to reduce the number of security mishaps.
It may also be worthwhile to question the areas of information security spending. Information security managers need to ask themselves whether they are spending too much on infrastructure-centric security as opposed to information-centric security.
Putting all your eggs in one basket is neither good investment practice nor good security practice. It may be wise to diversify security investment, which has traditionally been heavily skewed towards infrastructure-centric security, into a balance between information-centric and infrastructure-centric security.
Information security managers would do well to explore investments in Data Loss Prevention, Document Management Systems and Information Rights Management to showcase a greater reduction in security failures per unit of security investment.