According to a study and blog by Enterprise Strategy Group, over half the organizations surveyed will increase their security budgets in 2012. Spending more does not equate to spending smarter. There is no guaranteed relationship between security spending and risk reduction. Investment is an important indicator which implies that organizations are not satisfied with their current or future stance on security and risk management. But it is just as important to spend those dollars wisely for a meaningful benefit.
Organizations should ensure they have a solid security strategy, are tracking effectiveness by measuring tangible results, and are focused on maintaining an optimal level of security: one which achieves the right balance of spending and risk reduction, resulting in an acceptable level of residual risk.
According to the report, some will increase security budgets by 8% or more. This can be a significant windfall to strapped security departments, but it will likely come with lofty expectations. Before committing to a long-term resource increase, executives should review the security strategy. Ask the tough questions. Here is a good start.
Security practitioners will need to justify the spending and, more importantly, show results. Metrics, although difficult in the security world, are necessary and should be focused on tangible improvements. Here are a few measurement methods which may be considered. For those using the Threat Agent Risk Assessment (TARA) methodology, show how spending will reduce risks of loss for the most critical threat agents and be sure to update your baselines accordingly. This will help in determining the positive cascade effects in other risk assessments.
Lastly, it is a good time to remind security teams, and especially senior management, that the goal of security is not to be impervious to loss. Rather, it is to achieve and maintain an optimal balance of security to manage the risk of loss to an acceptable level. Be forewarned: at some point before the end of the year, don’t be shocked if management comes calling to scrutinize how the investment will pay dividends. Expect some iteration of the dreaded four dirty security value questions and be prepared with sound answers for next year's justification of budget.