Tuesday, February 20, 2018

Budget for the Cost of Losses

One principle of security is to minimize the sum of the cost of losses and the cost of security measures.  However, it is easier to measure the cost of security measures than the cost of losses.  This can make it difficult to justify the cost of security measures.

While historically we have had only anecdotal data about losses, thanks to our rapidly increasing scale, laws requiring disclosure of breaches, and open source intelligence reports like the Verizon Data Breach Incident Report, we now know a great deal more.

I had one Fortune One Hundred client that budgeted for losses at the level of a line of business.  While the first year was little more than a guess, a decade later they have confidence in their numbers and have pushed them down to smaller business units.  Just putting the line in the budget has caused the collection of actual data.

The security staff uses the budget and actual figures to justify the cost of security measures.  Performance against budget allows them to assess their risk analysis and management program: losses are inevitable, but are they greater or less than our expectation?

Business unit managers use the numbers to make decisions about security measures and to negotiate with information technology.  They manage the cost the same as any other.  As with any other expense, the budget tells them the level of losses that higher management has accepted.

Budgeting for the cost of losses makes this expense a peer of other expenses, subject to the same effort and control.  It puts the responsibility on the line of business, where it belongs.  It moves us one step closer to professional security based on data rather than on intuition.

1 comment:

  1. This makes eminent sense in any endeavor where there is some history of loss that can be used for the purpose of statistical analysis. Unfortunately, in areas where we are just starting to see cyber attacks (or any other kind of attack) there is a lack of a statistically significant history.

    A great case in point is in the area of industrial control system security. With verifiable attacks just starting to happen, security managers can no longer maintain that they are protected by 'obscurity' or 'air gaps' or any of the standard ICS security myths, but they do not have enough data to make a legitimate guess about either the potential extent of an attack surface, the magnitude of the loss, or even the probability of an attack event happening at a given site.