What percentage of IT spending should be for security?

Discussion in 'The Lounge' started by PEBKAC, Aug 30, 2013.

  1. PEBKAC

    PEBKAC Private First Class

    An interesting question was posed to the team I work with... What percentage of IT spending should be for security? The thoughts of some of my fellow workers immediately went to searching the Internet for statistics provided by other companies (like Gartner). This revealed numbers anywhere from 5% to 10%. I'm wondering if this is something that can easily be calculated as a percentage because I'd imagine that the security posture of a company would depend very much on what type of business they are in, what is considered worth protecting, and how large the user base is. For example, a bank would probably spend a lot more on IT Security than a large factory that makes toilet seats--even if they have the same number of employees. I think a lot would also depend upon the size of the user base. In a bank, perhaps 95% of their people access banking systems and they may have a large online presence, whereas, in the case of the toilet seat factory, maybe only 10% of their staff access systems and their website is hosted by a service provider. A bank is going to want to protect all of its data. The toilet seat factory would most likely be concerned about some financials and, perhaps, protecting its designs and customer information from competitors. In such cases, are you comparing "apples to apples" if you look at how much each company is spending on IT Security? Does anyone have any comments on "how much IT budget should go to Security"? Does anyone agree that this may not be something that should be measured and compared in percentages across varying organizations?

    Thanks for any and all feedback!
     
  2. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Hi

    Great question, and I think in part it would be a fluid answer as it would IMHO depend on what data you are securing.

    So for, say, my area, which is Government and Medical Patient data, the costs in % could be high, as in say 10%+, as the data is sensitive, so it needs more closed networks and servers. For example, in the UK and for the dept of Gov I work for, we have our own backbone network and servers; these are closed to the outside world, a seriously quick fibre network. So it will cost to set up and maintain.

    Hence why there is IT Server, IT Security, IT Data Protection, Main Network (not going to name it for obvious reasons), IT Engineering, Gov Oversight Teams, who all are not cheap to run for a whole country.

    So a finance company would be similar to above.

    But as you mention, if it is a toilet seat company then you will have to protect less, and even less depending on the size of the company, so maybe a small team can look after all of the stuff my IT depts. look after, so it will be a sizable % less in yearly turnover to maintain.

    I agree with you that the measurement is varied by a few core items: what do you have to protect (how sensitive is it, or how crucial is the business data), what size is your company, do you trade locally or globally, and how much do you as a company wish to spend on protecting your assets.

    One big one is how much does a company think their data is worth protecting, I think in some cases the companies undervalue security.
     
  3. PEBKAC

    PEBKAC Private First Class

    Hi DavidGP. Thanks for the response! The bank and toilet seat factory examples were strictly hypothetical, to provide what I consider to be opposite ends of the business world spectrum. My context would be a healthcare related organization in the United States. We must abide by the guidelines set forth by the government in things like HIPPA and, in the case of some systems, PCI (for financial transactions). The question of "What percentage of IT spending should be for security?" is a question that was posed to my coworkers and me by our manager. Obtaining justification for staff and budget for the security team is frequently a hard sell to (upper) management. From an upper management or accounting perspective, I believe IT security is something that's viewed as "insurance" rather than something that provides any kind of "return on investment". It's the deep pit in every company that money is thrown into, with the hopes that nothing bad happens. Also, the many unknowns associated with changes in healthcare reform are causing many healthcare accounting departments to trim as much "unnecessary" spending as possible. (Incidentally, an equally valid question may be, "What percentage of IT staff should be for security?") Again, I don't know if either of these questions can have a strictly black and white answer. I'm looking for ideas on what things other companies take into consideration when building IT security into their yearly budget. I don't think it's as easy as saying, "This percentage of IT monies should be dedicated to security--nothing more and nothing less." How do other IT security professionals handle these conundrums within their own organizations when building budgets? I guess I'm really asking how other companies perform risk analysis and translate that into budget dollars.
     
  4. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Hi PEBKAC

    I think I gleaned your hypotheticals from your post as just that, but added on to them as they are good examples for those that may not know, like you and me, the pitfalls of security and what it entails; all is not what it seems.

    Ahhh, so you may be in my area in Healthcare, so we can speak the same Americano/English ;) on this subject, and it's one I do face daily, as not only do I work in a medical assessment clinic diagnosing patients, but in the main my work is research, so data protection is paramount.

    I think the rationale in "throwing money at it in the hopes nothing happens" is a good one, as in healthcare we do not know; if like the UK, in the US you may have FOI (Freedom of Information requests, that anyone can do to see their records and what has been said).

    I think the answer you are after is not clear cut and has to be based upon what the healthcare provider thinks the data is worth protecting. For ME and our Gov, as our healthcare is publicly funded by government in the main, then it's a hot topic and priority, and it should be IMHO, so I would personally say 20% of yearly gross is what should be spent on medical record keeping and data protection/security.

    I will give a brief outline of our security; for again obvious reasons, I will not go in depth, but we have a layered approach, and it will be secure logon, and a user will only, via a smartcard/user/pass, have access to specific data, and all electronic access is logged (you cannot surf Facebook without it being logged as to what you viewed and how long).

    So if you view a medical record that you should not, it's logged and you will be asked why you needed to view such a record.

    The medical records are electronically tagged out to a user and back in so traceability is there.

    Catch 22, as you're damned if you do not and damned if you do in costs for something that may not happen, but do you take the risk?

    I again think that it's a case of weighing up what you wish to protect vs what your business is worth. If protecting medical records or research IP is the main goal, then costs need to be factored into the bottom line gross and net income.... You wish to protect your investment, you pay more in IT security; you wish to scrimp on IT security, then you run the risk of others leeching your work, or in the medical industry, HUGE fines for data breaches.
     
  5. Rikky

    Rikky Wile E. Coyote - One of a kind

    The other aspect to security is accessibility. Even if you spend a billion dollars securing your mainframe, all that money is wasted if people have to jump through hoops to access the information.

    So there's also productivity to take into consideration: the more complex the security system, the less time people have to do their job; also, the more complex the security system, the more it will fail.

    As a simple example, if a paranoid local store owner paid for Pentagon-type security (15-pin alphanumeric codes, chip and PIN ID cards, retinal scan and fingerprint, encryption over the network, storage encryption, sandboxes), could his business be functional, or would he spend most of his time navigating the security system instead of price checking groceries? Something as simple as typing a password multiple times a day could noticeably lower productivity, losing him customers, so a balance has to be found.

    I'm by no means an expert on security, just chipping in my two cents.
     
  6. Maxwell

    Maxwell Folgers

    The quantification of risk is the crux of the issue for Security, and minimising those security risks and the risk appetite from business management drive the level of security required to achieve a compromise between minimising security risks and their costs. Thus costs and % expenditure on security are a function of minimising risks and their impacts together with risk appetite (i.e., gambling).

    A means of risk assessment (ISO 27005) and standardisation of Information Security can be found in the ISO 27000 series related to the Information Security Management Standard: http://en.wikipedia.org/wiki/ISO/IEC_27000-series

    As Rikky mentioned, the system usability needs to be taken into account in the compromise, and this too has a standard (see ISO 9241: http://en.wikipedia.org/wiki/ISO_9241), which in turn is a part of an overall IT quality standard (ISO 9126, now superseded by the ISO 25000 series: http://en.wikipedia.org/wiki/ISO/IEC_9126); this includes security as a part of the overall standard.

    These standards are guidelines or checklists to assist in IT management rather than absolute

    I would like to touch on one point made by DavidGP, in that "you will be asked why you needed to view such record" would mean that the system is staffed by people to police it, and in turn they themselves would need to be policed (Quis custodiet ipsos custodes? and all that). This seems to suggest that there needs to be an army of security people comparable to the number of users of the system to verify and validate all the transactions. Clearly, this is impractical, and a compromise to minimise the risks of less policing, low quality policing, etc. needs to be taken into account, e.g., CRB (http://en.wikipedia.org/wiki/Criminal_Records_Bureau), staff security assessments, which again need staff and associated costs, etc.

    Two risks mentioned by DavidGP are Industrial Espionage and Divulging Personal Data.

    Also, security is not limited to the products or assets produced or maintained by a company; security of HR systems, payroll and other internal systems is required, as well as physical security (guards, locks, etc., i.e., security is not limited to IT Security) for the company's sites.

    I don't feel that justice to the subject can be dealt with here by a simplification to a simple % of costs, since the whole subject of security (specifically IT security) is vast and many books are written on it. This is despite the CEO or business management typically wanting such a simplification.

    ---

    DavidGP, isn't UK IT Healthcare outsourced, and does this include the risk assessment of different cultures managing the IT? That is, the off-shore culture may not necessarily have the same interests as the UK/US, respect of personal data, or indeed the same security mindset and legal system.
     
  7. PEBKAC

    PEBKAC Private First Class

    Thanks for the useful links, Maxwell.

    ...This confirms what I was thinking. When management says, "How much should we spend on IT Security?", there really are no easy answers other than... "Well, how much do you have?" ;)

    Thanks for all the feedback!
     
  8. brownizs

    brownizs MajorGeek

    There is no price you can place on security, because it is more about education of the end users, and following policies by those who have access to the equipment. And of course never place all the eggs in one basket and trust just one person with the access info to the equipment; have at least two, maybe three, people in IT so that no one person will have full access to everything, but all in the group should know the access info that the others have.

    Security is an evolving process that always changes, and again, education of those that are the gatekeepers, to stay on top of what is coming down the pipe, or even what is going on now, should be the top priority.

    You will also find some end users within the organization that are as good as or better than the LAN coordinators that handle daily tasks, like password resets and fixing LAN problems. Those are also a good resource to listen to, in that they may have information that you may not be aware of, or may also pay attention to what is going on in the IT world.

    As for the costs, never give management a lowball figure, or even one too high, but educate those who cut the check that you cannot place a price on security, and also educate them on the policies that will keep the organization from getting in trouble, by using checks and balances.

    I work for the State of Illinois, and every year we do a review of CompSec, and because my unit handles medical info, we also have to review HIPAA.

    Of course, the one bad habit that our two main LAN coordinators have in my office is leaving the door to the server room, which also has the PBX unit and T1 equipment, wide open whether they are in there or not. It's the worst thing you can ever do, and it needs to be drilled into those who handle the equipment to always secure the door when they are in the equipment room or when leaving; never leave it wide open for any employee to gain access.
     
