Is it really important to have a structured security budget? (part 3)

Saturday, May 01, 2010

Dario Forte


An example of mapping budget v. risks

One management practice often applied in structured organizations is to report the entire portfolio of IT budget projects in a view that links risk with value, using yardsticks agreed in advance between the business functions and the IT department.

To do this, it is necessary to single out the projects whose high risk rating qualifies them for detailed examination. To improve budget management, the organization must determine the value of each initiative, devise an overall economic investment plan, and decide in which order the projects are subjected to its risk analysis process. Generally speaking, the highest priority for that scrutiny goes to projects with the lowest value and the highest cost. While on the one hand this might seem a one-off exercise, on the other it brings a number of benefits:

  • Awareness: both IT and the business functions get used to treating risk analysis as a fundamental aspect of a project, on a par with cost, return and the resources involved;
  • Security governance: those responsible for information security keep oversight of all business initiatives and technological changes;
  • Normalization of the company's risk assessment factors;
  • Derivation, from the IT project plan, of a coherent set of security systems that are consistent with and integrated into the company security system.



The traditional approach to security in many companies has been tactical in nature, with projects that involve no commitments outside the IT department. Now an effort is needed to satisfy protection requirements dictated by management, as is already the case for every other area of the IT budget. This is an important change that shifts the focus (thank goodness!) onto strategic aspects, and it can be facilitated by incorporating business risk and value analysis into the IT budgeting process. The active participation of the IT security director is essential when the budget for IT projects is built, so that he or she can design and present to management a suitable, shared security solution that respects general company policies and development guidelines and steers the various needs toward integrated, scalable, standard and shared solutions. It is also worth remembering that the budget "delivered" into the hands of the security manager will be directly proportional to the personal legal risk perceived by the top management who must authorize the outlay, and also to the company's current compliance needs. The latter merit a comparative calculation that weighs not only the value of the information but also the possible penalties, which will be high in the event of a violation of applicable local and international laws.

If you are interested in listening to the complete series of posts, you might also download my security podcasts here.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
