Justifying IT Security

Tuesday, September 21, 2010

by Ira Winkler, Author, Spies Among Us


One of the most difficult issues security managers face is justifying how they spend their limited budgets. For the most part, information security budgets are set as a percentage of the overall IT budget. This implies that security is basically a “tax” on IT, rather than something that provides value back to the organization. The fact is that security can provide value to the organization, provided there is a discussion of risk with regard to IT, just as there is a discussion of risk with regard to every other business process.

Calculating a return on investment for a security countermeasure is extremely difficult as you rarely have the ability to calculate the savings from the losses you prevented. It is akin to being able to pinpoint automobile accidents you avoided by driving safely versus recklessly. There is no way to accurately determine that information.
 
However, if you start to consider that security is actually risk management, you can begin determining the best countermeasures to proactively and cost-effectively mitigate your losses. By determining which vulnerabilities are most likely to create loss, you can then compare the potential losses against the cost of the countermeasure. This allows you to make an appropriate business decision about justifying and allocating a security budget.
 
More importantly, if you can make such a business decision, you can justify increasing security budgets for additional countermeasures. The key is to be able to specifically identify an area of potential loss, and to identify a security countermeasure that cost-effectively mitigates that loss. This paper discusses the management of risk and how vulnerability management is one of the few countermeasures easily justified by its ability to optimize risk.


Qualys, Inc. is the leading provider of on demand IT security risk and compliance management solutions — delivered as a service. Qualys' Software-as-a-Service solutions are deployed in a matter of hours anywhere in the world, providing customers an immediate and continuous view of their security and compliance postures. The QualysGuard® service is used today by more than 4,000 organizations in 85 countries, including 42 of the Fortune Global 100 and performs more than 500 million IP audits per year.

Comment by Allan Pratt, MBA: This is incredibly useful, thanks, Ira!