
Ensuring justifiable spend on IT security

By Kirsten Doyle, ITWeb contributor.
Johannesburg, 12 Dec 2016


Too often, businesses rely on the perception that the amount spent on security is a measure of the adequacy of the countermeasure. They also assume that the effectiveness of its implementation, usage and monitoring indicates the extent to which this expenditure mitigates the identified security risks.

So says Maiendra Moodley, divisional head (GM): financial systems and processes at the State Information Technology Agency. The result is that, despite spending more, there is no guarantee that what is being implemented reduces the organisation's risk profile, that the necessary security lifecycle elements are managed and monitored, or that earned value management is applied to this expenditure, he adds.

Ultimately, being able to ensure that this expenditure is spent on sustainably making the business more secure promotes confidence in what the CISO is doing and contributes to minimising the perception that this expenditure would be better spent elsewhere by the business, he explains.

Moodley will be presenting at the ITWeb Security Summit 2017, to be held from 15 to 19 May at Vodaworld in Midrand. "My presentation aims to separate the hype from the reality associated with managing the need to ensure justifiable expenditure on security which improves the organisation's security posture, against other competing investments which the business needs to make that may have a clearer and realisable bottom line contribution."

Speaking of what businesses should be doing better in this area, Moodley says they need to be able to manage the security risks they face, from identification through to quantification, both in the environments in which they operate and in the risks that are intrinsically intertwined with their business processes.

Maiendra Moodley, divisional head (GM): financial systems and processes at the State Information Technology Agency.

"In the absence of adopting this approach and using earned value management principles, it is very difficult for a business to know if what it is spending is making any difference to the security risks which it has to successfully face. Businesses should be focusing on ensuring that the way in which they address their security expenditure is based on the combination of a risk profile which is underpinned by the application of sound investment principles, as opposed to focusing on security expenditure as being purely a cost-to-features-based trade-off."

In terms of whether today's security budgets are adequate, he says the challenge is not necessarily the adequacy of the security budget, which varies across businesses and risk profiles, but rather whether the business understands what it is getting for its spend and the extent to which this is being properly communicated and socialised.

"Often, the reason why security budgets are considered inadequate is because this symptomatically indicates that there is a failure to express, articulate and quantify why the security expenditure is necessary, as opposed to just another additional expense whose merits the business is questioning."
