Security Budget Benchmarks: Inside the Sausage Factory

Information security is often called a “grudge spend.” CEOs are reluctant to spill hard-earned ducats on security because it’s not seen as a value-added expenditure. Yet CSOs fret that they’re not spending enough to secure the enterprise—and nobody knows what “enough” really means, anyway.

So a typical strategy in the security budget-setting process is to eyeball your neighbors’ plans to see how much they’re spending. Just to make sure you’re in the right ballpark.

So you want numbers? We got numbers. Gleaned from a security spending survey of 276 CIOs and IT executives, these figures line up pretty well with conventional wisdom. Consultant Karen Avery of Booz, Allen & Hamilton advises security spending should constitute between 5 percent and 8 percent of the IT budget, and our respondents clocked in at an average of 7.2 percent.

But use these numbers at your own peril because CSOs say rough benchmarks of this sort offer a very false sense of, well, security.

There are two reasons for that. First, survey numbers suffer from the sausage effect: You just don’t know what’s in there. Companies vary greatly in what they include in the security budget proper. How do you account for IT staff whose duties include security along with other tasks? What about e-mail training for new employees? Your company may have a clear sense of how to answer those questions, but it’s unlikely to match the policies of a majority of respondents in any given survey. Andy Reeder, CSO of Central DuPage Health, says that in some organizations even basic security items like firewalls and antivirus aren’t part of the security budget. “The security office may help manage those things, but they’re budgeted and implemented through the IT operational arm,” he says. “It’s a judgment call.”

Many organizations, in fact, don’t even craft a separate security budget. Steve Akridge had one of the more frustrating setups as CISO of the Georgia Technology Authority (GTA): The state senate approved a specific allocation for information security, but the money was then rolled into the GTA’s IS budget. “I had to lobby the CIO to get access to money that had already been approved by the state,” he says.

Another problem is that, unless you’re looking at an incredibly detailed survey of best practices companies, you don’t know how effectively, or appropriately, the respondents are spending their cash. “I read somewhere that the average infosecurity spending this year was 12 percent of the IT budget. But it’s all so highly dependent on what you’re doing as a company,” Akridge says. He describes a formal sequence for building an appropriate information security plan and says many companies fail to follow the necessary steps.

Akridge’s process starts with high-level questions about what data is most important to your company, what regulations affect your company’s security policies, which architecture will provide the right level of security for the right data and so forth. Some organizations may be throwing a fair amount of money at shoring up their defensive perimeter, but technology decisions like that “should be way downstream,” Akridge says. If the company hasn’t answered the high-level questions, “it’s wasted money.” Case in point: A report by the White House Office of Management and Budget found no correlation between the amount of money a federal agency spent on security and its effectiveness.

So what’s the value of knowing “average” infosecurity spending? It may help a CSO defend his budget in a PowerPoint presentation, but for the purpose of figuring out whether security is appropriate, “I don’t think it’s of any value at all,” Akridge says. To set correct spending levels, CSOs must dig deeper and look harder at cost-justification techniques.