Realigning Information Security Investments
Budgets Need to Be Focused on Top Risks
When budgeting for information security, organizations often direct their efforts toward areas that have no impact on business processes.
Governments and businesses need to align their security investment with their respective organization's risks, says Dwayne Melancon, chief technology officer at IT security provider Tripwire, which recently sponsored a survey by the Ponemon Institute on enterprise information risk management.
"What we found is that a lot of organizations have a really unbalanced approach," Melancon says in an interview with Information Security Media Group's Eric Chabrow [transcript below].
"A lot of times [organizations] will apply a huge percentage of their security budget to areas that really have no direct relevance to either retaining customers [or] driving revenue," he says.
To correct this, organizations need a focus on risk that helps them rationalize where to apply security budgets appropriately. "If you can start to have a good discussion about what's really most important to the business, it really helps you to prioritize things when you look at pieces of infrastructure or business services," Melancon explains.
The risk-based security management survey included 2,145 managers and executives from organizations in the United States, United Kingdom, Germany and the Netherlands.
In the interview, Melancon discusses:
- Findings from the survey;
- How organizations approach IT risk management;
- Ownership of IT risk.
Risk Management Survey
ERIC CHABROW: I understand you have some new stuff coming out. Why don't you tell us about it?
DWAYNE MELANCON: It's really kind of independent of the company, but we're involved. We sponsored a study to really gauge the state of risk management in enterprises today. This came about because we've noticed that more and more technical executives have to appeal to non-technical counterparts in the business, and one of the challenges they're having is establishing relevance and connecting their activities to what's really important to the business. And kind of the side effect to that is that they end up having difficulty either getting projects funded or getting their share of the budget. What we found is that risk provides a really great lens for people to have those meaningful conversations and bring some kind of objective conversation to the table.
CHABROW: Why don't you tell us a little bit about what you found?
MELANCON: A few things emerged. One was that a lot of companies are talking about risk, but not a lot of them are actually doing much about it. ... This is a survey of about 2,000 individuals across four different countries with a wide variety of different industry segments, and we found that 77 percent of them said that risk management was really important but less than half were actually doing anything about it, and about half of those - roughly a quarter of the respondents overall - actually had formalized risk management programs in place.
CHABROW: Why do you think they weren't doing much about it?
MELANCON: I think some of it is that there isn't as much cross-functional buy-in that's necessary to get this to happen. One of the things is [it's] a little bit like you've got a superhero in the IT world that's trying to get everybody else to believe what they're doing and support what they're doing, and until other people buy in it's really a one-sided battle. One of the things that we found is that if you can start to have a good discussion about what's really most important to the business, what the consequences are if it becomes unavailable or gets compromised, and then kind of start things there, it really helps you to prioritize things when you look at pieces of infrastructure or business services or things like that, which ones do we really want to invest in protecting, or which ones can we kind of let slide until next year.
Ownership of IT Risk
CHABROW: Let's talk about the ownership of IT risk. Should it belong to the IT organization or no?
MELANCON: I believe that it needs to belong to the executive level of the organization, so it can't just be IT on its own. It needs to be [in] some cases maybe the CFO, chief legal officer, some of the business unit management needs to be involved and things like that. You can't abdicate all the responsibility to just IT risk, because so much of this stuff is intertwined with people, process, hiring practices and things like that. It's got to be a cross-functional effort.
CHABROW: Were there other things the survey revealed?
MELANCON: One of the other things I thought that was pretty striking was what people were considering as metrics. One of the things that emerged was a lot of people were looking at their IT security spending as a metric and I believe that's more of an indicator that ... you can't magically raise the budget and all of a sudden your risks are taken care of. By the same token, you can't lower the budget and expect risk to decline in the same amount. What you have to do is really align the security investment with where the risks are. What we found, kind of a third area, is that a lot of organizations have a really unbalanced approach. Where you ask them what's most important, those aren't always the places that they're investing to protect. A lot of times they will apply a huge percentage of their security budget to areas that really have no direct relevance to either retaining customers, driving revenue, recognizing revenue or booking sales or other things that are important to the company and you kind of have to ask yourself, "Why are these things so out of alignment?" I believe that a focus on risk will help you rationalize this and normalize this so that you actually apply security budgets and security resources in direct proportion to where the risks are.
CHABROW: Any other thoughts?
MELANCON: The other aspect is this is our first kind of benchmark of the state of risk management in the industry. We're going to continue to do this and what we're hoping to find is that as we help people understand not only where the issues are but how to solve some of these gaps, next year when we do this and the following years we actually see some improvements in some of these risk management areas.