Should Fear Justify Spend?

Cyber security has always featured highly on the list of CIO priorities, and that position does not look likely to change any time soon.  In fact, following a spate of high-profile security breaches, information security is no longer just an IT Manager or CIO initiative: it is a Board-level conversation.  Directors are becoming acutely aware of the reputational damage a security breach can cause, not to mention the direct financial consequences, from regulatory fines through to the cost of forensic investigation.

However, when it comes to justifying a security project, there is a fundamental flaw in the way most cases are put to the CFO.  Fear of what might happen is the common language of such proposals: a breach could lose you all your customers; it might cost millions in fines; it may take years to recover from the reputational damage.  These statements might be true, but equally they might not be.  A breach might not occur, or if it does it may go unnoticed by the outside world, in which case there will be no fines and no reputational damage.

The other problem with a business case built on fear is that it does not permit quantitative analysis.  The justification for security spend should not be based solely on fear, yet nor can it be a purely mathematical exercise: the likelihood and the impact of a breach are both too uncertain to reduce to a single expected-loss figure.

Analysts report that organisations with mature cyber security provisions spend between 10% and 15% of their IT budget on security.  That is a reasonable starting point for a business justification, but it is only a starting point: some data and some applications are far more important than others, and the impact of a breach will be felt differently depending on its target.  Understanding the total cost of delivering each service, relating that cost to the service's importance and the sensitivity of the data it handles, and then justifying security spend as a proportion of that cost, is an effective way to ensure that spend is focused on protecting your most valuable assets rather than spread evenly across everything.

At Accordant our core focus is on developing and delivering a unique set of services, bespoke to an organisation’s needs, which encompass service cost analysis, risk assessment and business justification, thereby ensuring that budgets are prioritised efficiently and effectively.