“We’re not prepared today — we apply manual, ad hoc processes. What we’re doing is appropriate to the threats that we know about, but we worry about the risks that we don’t see and don’t understand. We think we’re in good shape, but know that may be just a false sense of security.”

“We know how our budget’s going to be spent, but as to how we arrive at that number — it’s a bit of a mystery. We’re using a self-evolved process that works for us, but I can’t in good conscience qualify it as best practice.”

“We’re trying to centralize IT spending to put the squeeze on our vendors, so the IT security budgeting process now involves far too many people. It definitely adds time to any project — it takes me an average of eight weeks to get money allocated for anything, even tiny projects.”

These quotes from an insurance firm and two financial companies are among the responses to “How Much Security Is Enough?”, a Forrester Research Inc. report released in August.

Forrester interviewed 50 IT security decision-makers at firms with more than US$1 billion in revenue to investigate how they set security budgets, reports author Laura Koetzle with Charles Rutstein, Angela Tseng and Robert Whiteley.

They found that today’s IT security spending is reactive and inefficient, and conclude that firms should tackle IT security by using zero-based budgeting, creating scenarios to combat uncertainty, and managing security like any other business risk.

They report that the interviews revealed that “IT security spending is reactive, unpredictable and expensive. Firms lurch from incident to incident and overspend budgets because they can’t predict the magnitude of future threats. Everybody has a say in the IT security budget. IT security chiefs like the renewed attention business execs are paying to security, but budgeting processes have become cumbersome. Firms need a new IT security budgeting process. Interviewees attribute overspending to unknown risks, but companies need to be smarter about budgeting in the face of uncertainty.”

In fact, the firm charges that the way firms think about IT security is flawed. “Large companies spend millions on IT security but few can rationally justify their spending,” they write.

Forrester’s data shows that barely one-third of firms know the cost of their security incidents in a given year, they report.

“Firms’ IT security spending curves look like a child’s drawing of the ocean — each new IT security incident provokes an after-the-fact technology purchase. Meaning? Firms are well-protected against attacks that have already happened.”

Three-step budgeting

They argue that IT security chiefs must adopt a new three-step process for rational security budgeting:

First, “rather than starting from last year’s spending, firms should budget from the ground up with zero-based budgeting… Starting from zero and working up to a new budget number puts all security investments under the microscope where they belong… Some security budget decisions look easy — like continuing to fund staff salaries to monitor corporate firewalls. But an all-in analysis of costs may show that tasks like these can be cheaply and safely outsourced.”

Secondly, “mitigate uncertainty with probability… Which risks are worth worrying about? Simple — those that have a high expected cost… Develop detailed scenarios for each class of security risk.”

They classify security risks as follows: denial of service (DoS), malicious code, compromised access, theft of proprietary information, financial fraud, and equipment theft.

Forrester also recommends thinking about risks in four categories:

• Unlikely and not costly,

• Unlikely and costly,

• Likely and not costly,

• Likely and costly.

The third step is to “manage risk with technology — and other tools. Increased risk needn’t mean spending more on security widgets — rather, firms must combine technology with tools like insurance and process change to create a portfolio of risk management.”

The authors suggest that firms have four strategies available to handle any risk, including IT security risk:

• Acceptance: Count on your response capability.

• Financial: Transfer the risk to someone else. Because the IT security and eBusiness risk insurance markets are in their infancies, firms tend to — incorrectly — ignore IT security risk transfer options. But insurers like AIG and Marsh offer reasonably priced insurance policies to protect against IT security risks like distributed denial of service (dDoS)-related system downtime.

• Technical: Acquire IT security widgets to reduce risk.

• Procedural: Change how your firm’s people do things.

“Hackers use social engineering techniques, such as posing as help desk staffers to obtain passwords, at least as often as they exploit technical weaknesses. Thus, firms must direct more energy to IT security education and awareness.”

The report also counsels companies to accept risks that are of minor impact, regardless of likelihood; employ financial options for risks that are unlikely but catastrophic; and blend technical and procedural strategies for common and costly events. Firms should combine new technology purchases with IT staff and user training, it stresses.
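The expected-cost ranking and the strategy mapping described above, as an added Python example that is not part of the Forrester report or this article: the per-class probabilities, incident costs and the likely/costly thresholds are constructed assumptions, chosen to show how a rare but catastrophic risk can outrank a frequent cheap one once probability is applied.

```python
# Added example (not from the Forrester report): rank the report's six risk
# classes by expected annual cost, place each in one of the four
# likelihood/cost categories, and map it to the report's handling guidance.
# All probabilities, cost figures and thresholds below are constructed assumptions.

LIKELY_THRESHOLD = 0.25      # assumed: annual probability at or above this is "likely"
COSTLY_THRESHOLD = 500_000   # assumed: per-incident cost (USD) at or above this is "costly"

# Constructed scenarios, one per risk class named in the report:
# name -> (annual probability of an incident, cost of one incident in USD)
SCENARIOS = {
    "denial of service":                (0.60,   150_000),
    "malicious code":                   (0.80,    80_000),
    "compromised access":               (0.30,   900_000),
    "theft of proprietary information": (0.05, 4_000_000),
    "financial fraud":                  (0.10,   600_000),
    "equipment theft":                  (0.40,    20_000),
}

def expected_cost(probability, cost):
    """Expected annual loss: probability of an incident times its cost."""
    return probability * cost

def classify(probability, cost):
    """One of the report's four categories: (un)likely and (not) costly."""
    likely = probability >= LIKELY_THRESHOLD
    costly = cost >= COSTLY_THRESHOLD
    return ("likely" if likely else "unlikely") + " and " + ("costly" if costly else "not costly")

def strategy(probability, cost):
    """Report guidance: accept minor-impact risks regardless of likelihood,
    transfer (financial) unlikely-but-catastrophic ones, and blend technical
    and procedural controls for risks that are both likely and costly."""
    if cost < COSTLY_THRESHOLD:
        return "acceptance"
    if probability < LIKELY_THRESHOLD:
        return "financial"
    return "technical + procedural"

def rank_scenarios(scenarios=SCENARIOS):
    """Return scenarios sorted by expected cost, highest first, with category and strategy."""
    rows = [{"risk": name, "expected_cost": expected_cost(p, c),
             "category": classify(p, c), "strategy": strategy(p, c)}
            for name, (p, c) in scenarios.items()]
    return sorted(rows, key=lambda r: r["expected_cost"], reverse=True)

if __name__ == "__main__":
    for r in rank_scenarios():
        print(f"{r['risk']:34} {r['expected_cost']:>10,.0f}  {r['category']:22} {r['strategy']}")
```

With these assumed figures, the 5 percent-a-year theft of proprietary information ranks second by expected cost, ahead of the denial-of-service scenario that happens most years, which is the kind of result the report's "high expected cost" test is meant to surface.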