The Information Security Budget
If you are in charge of IT security at your company, especially a small or medium one, you probably feel your stomach ache when the subject is your share of the IT budget. Over the last few years this ache has probably eased, but it still hurts (especially this year).
Managing the IT security budget in a recession is a theme that has already been widely discussed, but I will add my share.
Talking about information security in a business scope is talking about managing risk. In a recession, knowing what risks your company faces is the same as having a map of a minefield. The more accurate the map in your hands, the fewer mines will blow. The problem is that at these times the company needs to accept more risks than it mitigates. This means that your company will step on some mines along the way. As a risk manager, it is up to you to point out the blows that will spill the least blood (read: loss of money).
A big problem when you are trying to justify a budget for a security project (in a recession or not) is that normally there is no ROI involved. One way of trying to justify the ROI is having metrics in your hands. Showing numbers about incidents, their frequency, and their respective impacts (read: loss of money, again) is the best way to get what you need. If you are now thinking “What metrics is he talking about?”, then you have another problem, and maybe your next budget must cover that. Collecting the metrics is not cheap, depending on the size of your network. A well-managed and documented incident response plan costs, above all, knowledge and time. For tools, there are some open source solutions that can do the work pretty well (OSSIM).
So, in short, what will get you out of this crisis more easily is planning and strategy (I hope you already have some) rather than expensive technology, and you will get out of the minefield in fairly good shape.
Be safe.
