
IT security is top of mind for both technology and business execs today. How do they assess risk and decide how much to spend on security? What prevents or delays investment in IT security and what drives it?
A recent survey, run by ITWeb in partnership with EMC, looked at these issues, as well as businesses' medium-term investment priorities in IT security, and what companies want from their security tech vendors and partners.
Commenting on the survey results, Julie Ferreira, senior account executive at RSA, the security division of EMC Southern Africa, notes the key concept here is risk. "Almost all well-run businesses will be aware of the concept of risk and how it relates to the business, as chief risk officers will have a duty to report to shareholders and governing bodies on risks and how they are being mitigated."
How to quantify a risk
She says IT security departments and business risk officers need to be more closely aligned. "Typically, to quantify a risk, we look at the severity the risk would have to the business, multiply that by the exposure to this risk and then the probability of the risk materialising. This is difficult, as the variables in the equation are in a constant state of flux, as new threats and vulnerabilities are continually being found."
Security departments need to prioritise their efforts by identifying which IT assets are critical to the business and then ensure adequate budget is focused on these assets. "To cater for the unknown variable, there needs to be a shift in the budget mindset from focusing on purely preventative security controls, to being able to detect and respond to security incidents that might materialise through the unknown variable introduced by vulnerabilities and exploits."
In addition, she says security departments need to fully grasp the exposure or attack surface faced by critical systems and then ensure the probability is minimised - for instance, ensuring access to sensitive data is controlled by a principle of least privilege, and that the authentication process can't be bypassed by only relying on username and passwords. "A regular review process must also be performed by business line owners and not be the sole responsibility of IT to review who has access to resources, who has accessed what resources and to ensure against non-repudiation."
The art of budgeting
Determining exactly how much budget should be adequate will always remain more of an art than a science, says Ferreira.
However, by mapping out the relationship between IT assets and critical business processes, security departments can estimate the impact of a security incident on any of the IT assets and how this will relate to business process.
"Once the impact has been determined, the department can look at what security controls are required to meet the balance between mitigating the risk, the cost of the control, as well as the cost for any capabilities required to detect when these controls have failed, and the ability to mitigate the damage as a result of a security control being breached."
The survey revealed a third of the respondents (32%) said a mere 2% of their IT budget is invested in security, and that although everyone knows security is a 'must have', it remains a grudge purchase.
"How much is enough is a difficult question. The actual budget for IT security will vary depending on the nature of the business and the impact a security breach or incident may have to that organisation. Government defence, financial, healthcare and similar types of businesses with highly sensitive and valuable data will typically have a higher security spend."
Compliance drives investment
The survey also asked: given that compliance is an important driver of investment in security, what other factors should be taken into consideration when making investments of this nature?
"Compliance typically drives a large amount of security spend mainly due to there being a direct impact to the business if it fails to meet a compliance requirement such as fines or public embarrassment," she explains.
"Compliance is also primarily aimed at a minimum set of controls that need to be in place to mitigate security risks. These controls should be seen as a baseline, not a benchmark for good security practice. Currently organisations spend around 85% of their IT security budget on preventative-based controls with little focus on detecting incidents and responding to incidents. Gartner states by 2020, 60% of an IT security budget spend will be on detecting and responding to incidents, up from 10% today. Organisations need to start adopting this change now as security breaches are an almost weekly occurrence in even the largest enterprises with huge budgets.
"What's interesting is the amount of IT budget that goes into meeting compliance requirements rather than addressing security concerns where the by-product of improved security would be compliance and not the other way round. Security comes back to three core areas: people, processes and technology."
Documenting is key to ROI
A quarter of respondents said uncertainty around ROI is one of the reasons investment in IT security is delayed or prevented.
According to Ferreira, to demonstrate ROI on an IT security spend requires that all known security incidents faced by the organisation are well documented.
"These security incidents can then be traced back, to a certain degree, as to whether it was a security control that failed or it was a known risk where the preference for 'ease of use' or employee flexibility was the preference over a tightened security control.
"Incidents should also be linked back to the business impact and the potential impact should the security incident remain undetected for a further amount of time, as well as the cost of any clean-up. Where security controls prove effective or ineffective should also be clearly documented and used when negotiating renewals and allocating further budget spends."
Security in the cloud? No thank you
Although nearly half of respondents (49%) are doubtful there are sufficient policies in place to adopt cloud services in a secure way, there are steps to ensure proper policies are implemented.
One of the key concerns with adopting cloud services is around the lack of control and the lack of visibility into what exactly is happening within that cloud environment since it is no longer contained within the physical boundaries of that organisation, Ferreira explains. "Most companies are, however, probably already using some sort of cloud service whether it is by outsourcing their payroll or hosting the customer relationship database in the cloud so it is available to mobile workers."
The ability of the business to compete and keep pace with competitors will require it to make use of the flexibility and elasticity cloud services provide.
"One simply needs to look at how Netflix has wiped out the video rental business in the US with a service that runs off Amazon's Web service to understand the impact potentially faced by not embracing the capability cloud computing can provide, whether it is a private or public cloud or a combination of private and public cloud."
Visibility is the foundation for security in this new generation of cloud and mobile computing, concludes Ferreira. "Visibility needs to cover every aspect such as who can access and what type of access to each platform component, operating systems, databases, applications and the actual data in the cloud: where it resides and where it moves to. Monitor what is happening within these components from an infrastructure, application and a network level to then apply analytic capabilities to detect anomalies and then respond accordingly."