SecurityWeek

Management & Strategy

Discussing IT Security Spending Feels Like Electing a President

Does Discussing IT Security Spending Have to be Extremist or Establishment?

Even a casual observer of this year’s presidential election will come to the conclusion that being a political insider or part of the “establishment” is now a bad thing. But there is an unspoken undertone in this rush to outsider status. Candidates not only declare themselves to be anti-establishment, but the most popular jockey for extreme positions away from the center – whether that’s offering more free benefits than the other candidate or deliberately polarizing constituents depending on ethnicity or religion.

If polls and media reports tell us the future, establishment centrists seem to be a dying breed, leaving voters with a choice between extremes.

Choices in IT security spending can often feel the same way. What is the right level of funding for the risks you face? Should you assume that the prevention is more costly than the cure and spend little? Or if you (or a competitor) have been breached, should you pour resources into IT security? Let’s explore the extreme and established responses to these questions.

What is the board’s appetite for risk?

To determine the right level of funding for the risks you face, one must start at the top. What is your board’s tolerance for loss? At one extreme is the example of Sony Pictures, who succumbed to a major attack in 2014. The IT security budget response was underwhelming.

While the initial investigation and remediation costs were reported at $15 million in the third quarter FY15 earnings report, that same report said that “Sony believes that the impact of the cyberattack on its consolidated results for the fiscal year ending March 31, 2015 will not be material.” In other words, compared to the size of the rest of the business – $68.5 billion in revenue in FY15 – they’re not worried, so it can be inferred that the acceptance of risk is high.

At the other extreme, Home Depot said in a statement that the impact of dealing with its 2014 breach could, “have a material adverse effect on the company’s financial results in fiscal 2015 and/or future periods.” Estimates of Home Depot’s costs come in around $62 million against revenue of $83 billion in FY15.

So why the difference?

It would be easy to point to Home Depot’s larger costs, but for Sony and Home Depot, both were less than 0.1% of revenue. The difference is not found in the cost of remediation, but rather the impact on future revenue, which is foremost on the board’s mind. With Home Depot, or in the case of fellow retailer Target, the impact on fickle consumers inconvenienced by the loss of their credit card information can influence business towards a competitor. Legal and compliance fees can be significant as well.

Sony’s losses primarily centered around blunt commentary about movie stars and making the choice to pull “The Interview” from theaters. But “The Interview” wound up making money in syndication from all the publicity, and movie stars are reluctant to sue the studio, as they won’t bite the hand that feeds them.

Security spending has to be weighed against the potential costs for loss, and in the minds of many board members, spending less is worth the risk.

Establishing a budget that balances the extremes

It’s easy to lose sight of balancing costs with risk when responding to an incident. But if you are looking for a way to establish a budget that balances the extremes, the case has to be made on calculated risk compared to the risk tolerance of the board.

There are any number of scholarly resources and models for risk calculation available, but the general approach is:

• Identify the valuable information your organization maintains

• Identify the threats that would find that information valuable

• Assign a probability that the threats will seek out your information

• Identify vulnerabilities that can be exploited by those threats

• Estimate the impact of the data loss to those threats

Don’t forget that impact is more than just the cost of remediation – reputation loss, legal costs and regulatory fines play a role as well. Your board may be willing to accept the risk, but make sure they have all the information for the decision.
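The five-step approach above, carried through as a small risk register (an added illustration, not part of the original column): each scenario pairs an asset with a threat, an annual likelihood, and an impact broken into remediation, reputation, legal and regulatory components, and the aggregate expected loss is then compared with a board tolerance expressed as a percentage of revenue. All scenario values, the $80 billion revenue figure and the 0.1% tolerance are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Scenario:
    asset: str          # valuable information the organization maintains
    threat: str         # who would find that information valuable
    likelihood: float   # annual probability the threat pursues and succeeds
    remediation: float  # investigation and remediation cost (USD)
    reputation: float   # estimated future revenue lost to competitors (USD)
    legal: float        # legal and compliance costs (USD)
    fines: float        # regulatory fines (USD)

    def impact(self) -> float:
        # Impact is more than remediation: indirect costs are included.
        return self.remediation + self.reputation + self.legal + self.fines

    def expected_loss(self) -> float:
        return self.likelihood * self.impact()


def build_sample_register() -> list:
    """Constructed sample scenarios; every number here is hypothetical."""
    return [
        Scenario("Customer payment cards", "financially motivated criminals",
                 0.05, 20e6, 60e6, 10e6, 5e6),
        Scenario("Internal email archive", "politically motivated intruders",
                 0.10, 15e6, 2e6, 1e6, 0.0),
        Scenario("Pre-release product content", "leak-for-profit actors",
                 0.02, 5e6, 30e6, 2e6, 0.0),
    ]


def assess(scenarios: list, revenue: float, tolerance_pct: float):
    """Compare calculated risk with the board's tolerance.

    Returns (total expected annual loss, tolerance in USD, scenarios whose
    single-event impact alone exceeds the tolerance, i.e. would be material).
    """
    tolerance = revenue * tolerance_pct / 100.0
    ranked = sorted(scenarios, key=Scenario.expected_loss, reverse=True)
    total = sum(s.expected_loss() for s in ranked)
    material = [s for s in ranked if s.impact() > tolerance]
    return total, tolerance, material


if __name__ == "__main__":
    total, tol, material = assess(build_sample_register(), 80e9, 0.1)
    print(f"expected annual loss ${total:,.0f} vs tolerance ${tol:,.0f}")
    for s in material:
        print(f"material on its own: {s.asset} (impact ${s.impact():,.0f})")
```

The ranking gives the order in which to present scenarios to the board; the "material" list singles out events whose single occurrence would exceed the tolerance regardless of how unlikely they are.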

As in politics, there are some numbers that are helpful, mandates to be met, and judgment calls to make when discussing an IT security budget that balances the extremes. Returning to the basics of truly understanding risk and making informed decisions is the best way forward.
