In my last article, I raised the issue of the value of information security. I suggested that there were a number of ways to address the issue and that companies ought to place a monetary value on their security preparations. I proposed a thought experiment in which the price for selling a company was dependent in part on the state of its security. One conclusion to be drawn from that experiment is that the value of anything, security in this instance, is what someone will pay for it. In that case, given a certain level of security over information resources in an organization, who is paying for it in any given organization?
At the highest level, of course, shareholders are paying for it in private companies, as are taxpayers in public sector organizations. This is accurate but uninformative. The way in which organizations allocate finite resources says a great deal about how they value the objectives of those internal investments. Some funds go to production, some to sales, some to information technology and some to controls, of which security is a significant part. However, it would be foolish to think that the budgets for production, sales or IT do not also include funds for controls, which are pervasive across an organization. How much, then, of the annual expenditure for each business function includes spending on security? Is the cost evenly distributed? How does each affected organizational unit pay its share for security?
The Information Security Function
What, then, goes into the cost of information security? Essentially, costs are incurred for personnel, hardware, software and services. These categories figure into the budget of the Information Security[1] function. In addition to the salary of dedicated security professionals, generally the function’s budget (often subsumed into that of IT) goes toward encryption, access management, intrusion detection and prevention, passwords, firewalls, and penetration testing, to give a few examples. Thus, it may be said that the budget of the Information Security function is the total outlay for a company’s security.
But this statement overlooks two very important matters. First, these are not the totality of security expenditures. There are security activities embedded in nearly every business function and there are other functions besides Information Security that perform explicit security roles. Moreover, there is much information in the form of paper records, images and even backup media that is not under the purview of the IT function. Second, the Information Security function is not self-funding. Directly or indirectly, it incurs the cost of security on behalf of the owners of the information and the systems that use it.
Allocation of Responsibility
A portion of the issue of cost is definitional; what in fact does information security consist of? As is often the case, the best (or at least the most widely accepted) answer is to be found in ISO 27002.[2] It divides information security into 11 clauses (often referred to conversationally as domains) (see figure 1). Some of these are primarily in the domain of Information Security, but each may involve—even in primary roles—other functions within an organization.
The distribution of responsibilities in figure 1 is based on a typical organization, whatever that means. While any cell within this table may be questioned, the totality of it is indisputable: The Information Security function is a major actor in effecting security but is not always primary in every domain, and in some domains is not involved at all. This is quite clearly stated in ISO 27002: “Information security activities should be coordinated by representatives from different parts of the organization with relevant roles and job functions.”[3]
Explicit Security Budgeting
Thus, it is invalid to say that the cost of security is borne only or even primarily by the Information Security function. It follows that the cost of security is embedded in many budgets across an organization, but it is rare that these costs are explicitly called out in the budgeting process. Therefore, senior management has a poor understanding of what the total cost of security is within its organization, which in turn hinders its ability to make accurate decisions about the adequacy of the investment in protecting information. I am suggesting that the allocations of these costs be clarified.
For example, human resources should identify all the expenditures required for background screening, including salaries, use of investigation agencies, credit checking and whatever else it does in this regard. The percentage of the facilities budget for data center protection should be clearly stated. Business functions should explicitly bear the cost of authorizing their personnel to access information resources and for removing those access rights when a worker is terminated or transferred.
One result will be a diminution of the Information Security function as a cost center. Many of its functions will be charged back to business functions. Information Security’s direct role will be to protect the engines of security through such generalized measures as policy, encryption and incident management. By analogy, homeowners and businesses pay for electricity; the power company is responsible for protecting the power plants, which represents a cost that is shared across all customers.
No one can state absolutely what percentage of an organization’s operating costs should be attributable to security. The amount will differ among industries and organizations and will be determined ultimately by senior management’s appetite for accepting or mitigating risk. Senior management should have a solid understanding of where the organization’s investments in security should be made and who within the organization should bear the budgetary burden for those investments.
[1] The author has capitalized the term “Information Security” when referring to the function, but not when it refers to the concept.
[2] International Organization for Standardization, ISO/IEC 27002:2005, Information technology—Security techniques—Code of practice for information security management, 2005.
[3] Ibid., p. 10.