The security industry is rapidly maturing. Previously, security spending was a fixed percentage of a company’s IT budget and regarded as an obligatory tax, a cost of doing business (also known as “covering your ass”). Nowadays, companies are working towards concrete security benchmarks, dictated by external regulations (compliance) or internal risk assessments. Here are some tips for keeping security top of the agenda at minimum cost to your company.
1. Agree an end-goal for the security efforts
Define the end-state of security that the organisation is striving for. CIOs are fearful of security being a bottomless spending pit, so use external compliance (such as PCI), internal control frameworks or perform a risk assessment to define the desired “end-state”.
2. Perform some benchmarking in your industry
Attend local peer networking meetings to compare notes with fellow CISOs. Use third-party studies on adoption rates of certain technologies. Nothing works better than the knowledge that 80 per cent of companies in your industry have installed or are considering a particular technology.
3. Make risk real with concrete examples
Risk is an abstract concept. Thinking “we have a five per cent chance of ending up on the front page of the Financial Times” (in a bad way) is not as powerful as reading an article about a competitor that suffered a security breach.
4. Measure progress and success
There is no widespread agreement on which security metrics to use, but some great work was done recently by the Center for Internet Security. They published the CIS Security Metrics Guide (v. 1.0.0) featuring some examples of recommended metrics. These include: mean-time to incident discovery, incident rate, mean-time to recovery, mean-time between security incidents. Take a look.
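To show how the four metrics named above are derived from incident records, here is an added example (not from the article or the CIS guide) that computes them from a constructed set of incidents; it assumes each incident has an occurrence, discovery and recovery timestamp, and that time to recovery is measured from discovery.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean


@dataclass(frozen=True)
class Incident:
    occurred: datetime   # when the incident actually began (hypothetical field)
    detected: datetime   # when the security team discovered it
    recovered: datetime  # when normal operation was restored


# Constructed sample records for Q1 2009; not real incident data.
SAMPLE = [
    Incident(datetime(2009, 1, 5, 9), datetime(2009, 1, 7, 9), datetime(2009, 1, 8, 9)),
    Incident(datetime(2009, 2, 1, 12), datetime(2009, 2, 1, 18), datetime(2009, 2, 3, 18)),
    Incident(datetime(2009, 3, 10, 0), datetime(2009, 3, 14, 0), datetime(2009, 3, 15, 12)),
]


def mean_hours(deltas):
    """Average a sequence of timedeltas, expressed in hours."""
    return mean(d.total_seconds() for d in deltas) / 3600.0


def mean_time_to_discovery(incidents):
    """Hours between an incident starting and the team noticing it."""
    return mean_hours(i.detected - i.occurred for i in incidents)


def mean_time_to_recovery(incidents):
    """Hours from discovery to recovery (assumed definition)."""
    return mean_hours(i.recovered - i.detected for i in incidents)


def incident_rate(incidents, period_start, period_end, per_days=30):
    """Incidents per `per_days` days within the observation window."""
    in_period = [i for i in incidents if period_start <= i.occurred < period_end]
    span_days = (period_end - period_start).total_seconds() / 86400.0
    return len(in_period) * per_days / span_days


def mean_time_between_incidents(incidents):
    """Days between consecutive incident start times; None if fewer than two."""
    starts = sorted(i.occurred for i in incidents)
    if len(starts) < 2:
        return None
    gaps = [later - earlier for earlier, later in zip(starts, starts[1:])]
    return mean_hours(gaps) / 24.0
```

Tracked quarter over quarter, a falling time to discovery with a stable incident rate is the kind of trend that justifies a monitoring investment to a CIO.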
5. Transfer security spending to other budgets
If all else fails, transfer security spending to another budget. Security efforts like log management and security change management can be justified as productivity enhancement tools for the network operations or system administration group.
6. Take a platform approach
John Pescatore at Gartner said this at the recent Gartner IT Security summit: “Take a platform approach. By 2010, only ten per cent of emerging security threats will require the deployment of a tactical, best-of-breed solution, compared with 80 per cent in 2005.”
Expanding and optimising an existing solution is often cheaper than deploying a brand new one. You can leverage much of your existing investment, and training and integration costs will be lower. This is good news in a difficult economy.