The Security Spending Mystery

I recently met with the CIO of a politely profitable biotech firm. His PR director sat across from him. It was like trying to talk about your bachelor party with your mother at the table. He was chary to say the least. But there was one telling moment when this CIO let his guard down. The conversation had turned to security spending. Suddenly, the CIO’s whole demeanor was made over. His shoulders went slack. He leaned in, interrupted a question and asked his own questions, rapid fire: “Do you know how much security spending is a good amount? Are there benchmarks? Do you have any numbers on what we should be doing?”

The CIO sounded eager like a thief about to stumble upon the combination to a vault he’d been casing for months, and trying to hurry it along before his unwitting accomplice figured out what was going on.

This was more than casual IT curiosity. This was Critical But Missing Business Knowledge.

Unfortunately, the answers to his three big questions were, “No idea,” “Not sure,” and “Not really.” Further investigation only deepened this mystery of how much is enough to spend on security.

It turns out, most of the security spending talk resides on the extremes.

On the one hand, there’s Joe Magee, former chief security officer at an online trading firm. With a face as straight as a pinstripe, he says, “I honestly believe four to 10 percent of revenues should be spent on security.” That’s four to 10 percent of total revenues, not the IT budget.

Magee says he’s gotten comfortable with the laughing in his face.

On the other hand, IT security consultant Brian Kelly said in an e-mail that some CIOs “don’t even see information security as a NORMAL (EVEN PRUDENT) BUSINESS EXPENSE” (his capital letters). In his experience, tech executives lowball security spending so severely that he’s mostly stopped selling services to CIOs and instead approaches the CFO.

But the fact we don’t know how much a company should be investing in its information security isn’t, by itself, all that interesting. Many nice-to-have nuggets of IT knowledge like this elude us. Besides, the answer is probably “It depends.”

Rather, the compelling mystery here is that we don’t even know what CIOs are spending on security in the first place, never mind if it’s too much or not enough.

If you think CIOs are guarded when they talk about security, imagine how they clam up when you’re talking about security and budgets at the same time. Indeed, I got the sense from the biotech CIO that he’s plain scared to say how much he’s spending on security because there’s a good chance his answer will meet one of two reactions: 1) His numbers are laughably excessive and he’s wasting money, or 2) His numbers are so woefully inadequate that his enterprise is a fat bull’s-eye for marksmen hackers.

Frankly, the truth could be either; he has no idea. This explains why the biotech CIO let his guard down. Basically, his barrage of questions amounted to: “Am I normal?”

No one knows. And good luck finding out.