One view of security is that it should minimize the sum of the cost of losses and the cost of security measures. However, the cost of security measures is much easier to measure than the cost of losses, which makes it difficult to justify spending on security measures.
While historically we have had only anecdotal data about losses, thanks to our rapidly increasing scale, laws requiring disclosure of breaches, and open source intelligence reports like the Verizon Data Breach Incident Report, we now know a great deal more.
I had one Fortune One Hundred client that budgeted for losses at the level of a line of business. While the first year was little more than a guess, a decade later they have confidence in their numbers and have pushed them to smaller business units. Just putting the line in the budget has caused the collection of actual data.
The security staff uses the budget and actual figures to justify the cost of security measures. Performance against budget allows them to assess their risk analysis and management program: losses are inevitable, but are they greater or less than we expected?
Business unit managers use the numbers to make decisions about security measures and to negotiate with information technology. They manage the cost of losses the same as any other cost. As with any other expense, the budget tells them the level of losses that higher management has accepted.
Budgeting for the cost of losses makes this expense a peer of other expenses, subject to the same effort and control. It puts the responsibility on the line of business, where it belongs. It moves us one step closer to professional security based on data rather than on intuition.