In today's never-ending cycle of new technologies, cyberthreats, and regulations, it's almost impossible for chief information security officers to meet all of the modern organization's security demands. Adding to this difficult environment, senior leadership now evaluates CISOs not only on technical performance, but also on how they manage information security as a business -- prioritizing expenditures and making tough financial calls.
Despite growing risk profiles and threat landscapes, security organizations are under more financial pressure than ever. Although there are a variety of methods to estimate the security organization's budgetary requirements, most fail to provide financial flexibility, objectivity or the ability to communicate the value of information security. Furthermore, most CISOs admit they don't think strategically about their security spending.
Cybercriminals have a business plan -- so should you
Cyberthieves, on the other hand, have well-developed business plans as part of their attack strategy. They target specific information assets because they know the street value of what they steal. This knowledge drives their planning and allows them to think in the long term. The result is an environment in which cybercriminals don't need to spend a lot to steal a lot: Well-defined markets exist for stolen information. Meanwhile, the cyber agents hired by governments to steal data for political and economic gain operate under their own rules.
The harsh reality is that CISOs are at a competitive disadvantage because, while cybercriminals have well-developed business plans, CISOs do not. Forrester has spoken to many CISOs who tell us they do "a pretty good job at budgeting," but struggle to define a clear business case for security spending. When pressed further, however, most ultimately admit they are not sure whether they are really good at what they do or are just lucky.
Information produces revenue
All executives understand at some level that the information created and consumed by the business has value. Accountants currently view information as an intangible asset, while machinery and other hard assets are considered tangible. Considering that information now drives modern economies, this accounting practice is outdated. We are now at the point where information should be considered a hard or tangible asset, similar to land or machinery. For example, like any other hard asset, information can depreciate in value and can be shipped, broken or destroyed. Organizations need better methods to value or monetize these information assets.
We can and should use this simple definition of the value of information: The value of information is a percentage (up to 100%) of the current and future revenue the information will produce, less the direct and indirect costs needed to produce, manage and protect the information. True business cases are built on the concepts of profit, loss and acceptable margins. CISOs should use this same approach by associating the costs of protecting information with the revenue that information helps generate.
CISOs have long struggled with techniques to accurately estimate budget requirements. If you're in this situation, focus on the business basics. The income statement and the balance sheet are the primary means to determine the health of a business. Use these tools to support the planning process in information security by following these steps, adapted from Forrester's Information Security Value Model:
First, determine the revenue contribution of your information. Different information sets have different value. Some information is critical to the business -- for example, the design for the next-generation iPad. Other information is not -- the design of the original 1984 IBM-PC, for example. CISOs should work with their business partners to focus on first protecting the information that is important to current and future revenue.
Next, predict variable costs and determine fixed costs. Characterize information security costs as either variable or fixed. Variable costs will increase proportionally to the level of security activity in the organization. Depending on the type of business, these costs could include additional salaries, overtime pay, consulting, communication costs, and system restoration or repair.
Fixed costs are those that remain the same regardless of the number of breaches you experience. Depending on your type of business, some typical examples would be rent, interest on debt, insurance, plant and equipment expenses, business licenses, and the salaries of permanent full-time workers. Costs should be relevant, reliable and consequential.
Finally, calculate security value as a ratio of protection costs to revenue. Forrester proposes a new measurement of security value that can be expressed by this ratio:
Security costs:revenue = information security value
Here, security costs are the total costs needed to protect revenue-producing information and information with compliance and risk implications. Revenue is the income produced by the information assets associated with those security costs. Using this approach will help you think more like a financial officer and manage this ratio down over time, so you can demonstrate the focused and efficient use of resources.
Even though information security budgets remain largely flat, you can still reallocate resources and focus on what really matters to the business. Security programs that get only 5% to 6% of the IT budget still have real money to work with. Don't keep spending on security efforts if they're not associated with revenue.
Ed Ferrara is a principal analyst at Forrester Research Inc., serving security and risk professionals.
This was first published in January 2013