The Art of Budgeting for IT Security Breaches

Total security for a corporate network may be a goal of many IT executives, but no matter how much a company invests in security systems, breaches — originating either outside or inside a corporate network — are a fact of life in the information age.

Given that security incidents are inevitable, how can IT executives budget for them, earmarking funds to cover staff overtime, replace hardware and software, and pay security specialists to investigate an attack? After all, it is difficult to quantify losses due to a breach, especially when no company wants to admit that they occur. Moreover, in an era of IT belt-tightening, requests for money “just in case” may not be greeted warmly by boards of directors.

On the other hand, by planning for the extra resources needed to respond to a breach, CIOs can minimize damage, enabling their IT staff to quickly repair and restore systems to full operation. Can they accomplish this in today’s IT climate?

Analysts say it can be done — but it probably is not happening too often. Security remains a well-intentioned afterthought at many corporations.

“Expenditures being made today are expected to provide immediate return on investment,” Yankee Group chief research officer Brad Hecht told the E-Commerce Times. “That’s kept security spending in general from climbing up the priority ladder.”

Physical, Yes; Virtual, No

In the wake of the September 11th terrorist attacks, there was a widespread belief among technology executives that greater importance would be placed on corporate information security. Supporting that contention, scores of companies did make immediate attempts to improve their business continuity and disaster recovery capabilities. However, many industry watchers say that push did not translate directly into increased spending on IT security.

In other words, Hecht said, CEOs and board members saw the physical fallout from September 11th and scrambled to prepare their companies for such a scenario, but many were not as diligent about securing their enterprises against threats that exist in cyberspace.

Still a Struggle

Why might IT execs have trouble convincing a CEO to spend money on information security?

Siebel Systems CIO Mark Sunday told the E-Commerce Times that although corporate boards are more aware of security issues than ever before, they still do not fully understand them — and most boards are reluctant to fund what they cannot grasp.

“As aware as CEOs and boards have become of security issues, spending in that area hasn’t gone up in proportion and certainly not to the levels people expected,” Sunday said. “That makes it difficult to build in extra budget to plan for the worst.”

Sunday noted that Siebel, which has been focusing on security issues for several years, made additional investments in business continuity post-September 11th, building a backup system that enables all Siebel data to be up and running from a secondary location within six minutes. That type of investment is typical of large corporations in the United States, he said.

Hope for the Best

In addition, figuring out a financial target for a budget line item dealing with IT security breaches could require exploring dozens of possible scenarios. That in itself could be a costly process.

Bill Van Emburg, COO of systems and security integrator Quadrix Solutions, which counts JDS Uniphase and AT&T among its customers, told the E-Commerce Times that although prevention can help minimize the losses associated with security problems, every enterprise must calculate differently when figuring out how to budget for breaches.

“There is no dollar figure that you can allocate to this exercise,” he said. The amount a CIO should consider earmarking could depend on whether an enterprise has purchased security insurance and how likely an attack or failure is. That likelihood, in turn, may depend on whether or not the company is a high-profile target and how much preventative security work has been done.

According to Van Emburg, most companies would do best to invest any just-in-case funds in upgrading existing security systems, such as firewalls or intrusion detection systems. “Too many companies set up systems and then forget about them,” he noted. “Security isn’t a passive thing.”

While it is true that companies should keep their security systems up-to-date, breaches will occur no matter how sophisticated those systems are — and an unprepared firm will lose more time and money in the long run than an enterprise that is ready to respond. Boards of directors would do well to remember that when allocating IT funds.