IT security must overcome 'black hole' image: expert
by Ian Grayson   
Tuesday, 14 August 2007
IT security must become less of a financial black hole and more aligned with business requirements if it’s to be taken seriously by senior management, an industry expert has warned.

Chief security officer at security specialist McAfee, Martin Carmichael, says many companies regard spending in the area as a necessary evil, and something that delivers little real benefit to the corporate bottom line.

While a business manager can accurately quantify the benefits that will flow from employing two more sales people or investing in a new manufacturing line, they can’t do that when it comes to security spending.

“Vendors are selling using the fear, uncertainty and doubt principle, and that is not generally how business works,” says Carmichael. “People are told that the world is a dangerous place and if you don’t take certain steps and spend money then you will strike problems. We need to move beyond this.”

Carmichael says companies should be able to accurately quantify the security risks they face and then accurately apportion their IT security budgets to meet that risk. Failure to do this will mean they are likely to either grossly over- or under-spend on security products and services.

Security should be approached in the same way as risks such as currency fluctuations or changes in trade or market conditions. Each risk can be given a score and resources allocated as is deemed appropriate.

“We need to be more effective at describing risk in a way in which management can understand and then make an informed choice. This is exactly the same way in which you get a credit risk score or are assessed for an insurance policy.”

Carmichael, who will outline his approach to corporate security issues at a business conference in Sydney later this week, believes many companies see security as a bottomless pit. Large amounts of money are continually poured into it, but there is little chance of a real business benefit emerging.

However, if a company can critically analyse the risks it faces and match spending to those risks, it’s possible to measure a return on investment for corporate security spending.

“Often, the people who are making the decisions (on spending) don’t understand what they are getting,” he says. “They just say ‘make it more secure’ as though there is a silver bullet.

“But we need to be able to say, ‘here is your risk score, and if we spend this much it will change the score to this’, and then they are able to make an informed decision.”

At present, Carmichael says, many companies allocate security spending budgets using little more than educated guesswork. By taking a more structured approach, budgets can potentially be reduced as the dollars being spent are actually doing what’s required.

“Everyone in the US knows that planes can destroy buildings, but you don’t go to the expense of constructing buildings that can withstand that kind of attack – it would be prohibitive,” he says.

Rather, financial resources are better focused on areas that will reduce the risk of attack. It’s this approach that will better serve companies struggling to ensure their infrastructures are robust without breaking the bank to do it.

Carmichael recommends companies work with their security vendors to develop an accurate portfolio of the real risks they face. Only then can they expect to see a return on the investment they are making.

