The adage 'no news is good news' certainly holds true for corporate IT security. But when success is measured by an absence of security incidents, it is often tempting for business executives to view the growing expenditure on security as overkill.
Such myopia certainly causes disquiet within IT, where awareness of the increase in the variety and complexity of threats – and the potential damage to the business – is acute. So how should senior IT managers build a solid case for security spending?
IT industry analyst group Gartner calculates that, to even have a hope of dealing with threats, businesses should be devoting between 3% and 6% of their IT budgets to security. But in reality that outlay varies greatly, depending on industry sector and geographical region. Gartner's research suggests, for example, that today European businesses actually spend only 1% to 3% of their IT budgets on security.
But, in any case, the focus should not be on any absolute amount, says Shaun Fothergill, business security strategist for systems software vendor Computer Associates in the UK and Ireland. "The really important criteria should be to understand what the risk exposure is and then budget on that basis," he says.
Others agree. "Too often IT people attempt to demonstrate the efficacy of current security efforts through technical measures, rather than by dealing with risk," says Andrew Wilson, senior projects manager at the Information Security Forum, a user group for blue chip companies.
Thrusting the firewall logs in front of senior management might demonstrate that current investments are working, but this is entirely the wrong approach, he says. "Whenever security officers are having problems getting management buy-in it is because it's patently obvious that they are talking 'techno-babble'. They need to address management using language they can understand."
Without a better understanding of the risks there is a danger that security spending simply becomes reactive, says Gavan Egan, head of northern European operations at security software vendor Cybertrust. "Too often we see companies carry out a security audit, fix the vulnerabilities; then they audit a year later and fix another set of problems. That's expensive and unfocused."
Instead, he argues, businesses need to prioritise. They need to find out where they are vulnerable, how those vulnerabilities will impact the business and assess the likelihood of that vulnerability being exploited. "In 2002, we identified over 4,000 common vulnerabilities, but only 4% of those resulted in serious attacks," says Egan.
Gauging risk requires the combined input of IT and business management. A technical analysis can highlight the threats to an organisation, but these then need to be put into a business context, understanding and quantifying the impact on the business should they occur.