In Depth

How you fund a CSO

By CSO Contributor

September 18, 2003 — CSO — There's a security professional out there who was formerly the CSO at an online trading firm and now is CSO for a security product vendor. Without the faintest hint of irony, he suggests that the average corporate security budget should be 4 percent to 10 percent of total revenue. He says he's now comfortable with executives laughing in his face.

Naive as it sounds, it points to a real disconnect between security executives and the rest of the board. Even as security gets more moneyan average 29 percent increase last yearthose in charge of security believe the budget increases are way too small, that a 77 percent increase is more justifiable.

And that's just the start of it. Although every trend indicates that physical and IT security will merge, a CSO survey shows that seven out of 10 companies haven't merged budgets for the two disciplines. Seasoned security professionals argue against IT security spending going under the purview of the IT department (because of conflict of interest), yet three-quarters of companies in the survey do just that, averaging 10 percent of their total IT budget devoted to security.

Security budgets overall are widely dispersed, according to the survey, with about a third falling under $100,000, a third between $100,000 and $1 million, and a third more than $1 million. Of course, it's hard to gauge if that's actually meaningful because some of those budgets will include all security expenditures, while others will omit certain items that, in the context of that particular company, fall elsewhere, like disaster recovery, loss prevention or audit functions.

And just to completely muck up the picture, a recent Office of Management and Budget study found, for federal agencies anyway, no correlation between an increased security budget and increased security effectiveness. All of which is to say, if you want a number for what makes a good security budget, we ain't got one. We're not even sure we can put you in a ballpark. If creating a security culture is like sawing through a piece of wood, budgeting is that knot that jams and bends your saw, and probably sprains your wrist.

So without hard facts to give you, we will resort to offering general truths about security budgeting. They are:

1. You need to increase your security budget. We can tell you that CSOs are understaffed and need more resourceshuman and financial. But the longer nothing bad happens, the more apathetic the CFOs and CEOs become about funding securitywhat CISO Bill Spernow of the Georgia Student Finance Commission calls security's "half-life." So don't become apathetic after six months of incident-free living, but also don't be afraid to demand some metrics to justify your continued empathy as well.