I have not touched this topic for 7 years, which is long enough to raise it once again and look at it from the height of accumulated experience. At that time, one of the most popular approaches to allocating money for information security was to take a percentage of the IT budget, and the key question was what that percentage should be. To this day there is a misconception that this indicator should be at the level of 7-12%, that is, the cost of protection is believed to be approximately 10% of the cost of the protected IT infrastructure.
This position comes from the misconception that information security is part of IT and exists to protect IT systems. But that is not the case! In our country, even FSTEC acts as the regulator in the field of technical protection of confidential information, not of information systems. And rightly so. At the first, simplest level of perception, what we protect first of all is information, whose value can be calculated in different ways: by the cost method, by the income method or by the market method. In most cases it exceeds the cost of the infrastructure that processes it. Another matter is that we often do not know how to calculate the cost of information, and therefore cannot answer the question posed in the title of this note.
At last week’s PHDays cyber festival, I moderated the session “CISO 2.0. With the board on the same board” with five acting heads of information security, 3 of whom reported directly to the first person of their organization rather than to IT management (only one information security director of the latter kind took part in the discussion). The fifth head of information security shared the observation that in our country about 70% of CISOs do not report to IT.
It turns out that the approach of deriving the information security budget from the IT budget, although it has the right to exist, is not the prevailing one and should not be treated as dogma or as a guide to action.
But if you do go down this path, then yes, 10% of the IT budget will be the most common option, the one named by the majority of CISOs from that fifth of companies where security reports to IT.
However, this was in 2018 and a lot could have changed since then. For example, according to Kaspersky Lab data published on February 10, the average share of spending on information security in Russian organizations in 2022 amounted to 19% of the IT budget. In small and medium-sized businesses this figure is just over 50%!!!
But to me these figures look a little strange, and I would suggest that such growth is more likely due to the departure of foreign information security companies from Russia and the need to switch to domestic solutions, rather than to an explosive growth of interest in information security and an increase in its budget.
I would rather focus on completely different factors that should be taken into account when budgeting information security. As part of the educational program “Cyber Resilient Organization: Managing a Company in the Digital Storm”, developed by Positive Technologies and Moscow State University, where I give several lectures, I prepared a separate piece of material on information security budgeting (as it turned out, this is a very popular question among the top managers who took part in the training). I have identified and described 8 approaches to solving this issue:
I can draw three key conclusions:
- There is no universal approach to budgeting, and defining the budget as a % of IT is certainly not the only true and correct one!
- The budget depends on the tasks of the information security service. Today you may have X rubles, next year 2X, and a year later 0.5X. Such volatility by itself means absolutely nothing. As part of import substitution your budget will obviously grow. Then it starts to shrink. Then you decide to buy the security tools you need as badly as air, and the need for budget rises again; then you move to the cloud, and the capital costs for information security decrease once more.
- The budget depends on what you are protecting or what you are preventing. If you are protecting the network, then yes, it is strange when the NGFW you buy costs more than all your switches and routers combined. But if you are protecting the organization from theft of money amounting to 20% of profit or 4% of turnover, the cost of an NTA/NDR class solution will be negligible against that background. If you are trying to protect yourself from a fine of 60 thousand rubles for a personal data leak, then a project to bring yourself into compliance with Federal Law 152 for 24 million rubles looks strange. But the same amount can be quite adequate if your task is to ensure customer loyalty and keep customers from leaving: with an average check of 5,500 rubles per customer per year, 500,000 customers and 10% of them leaving because of a leak of their personal data, the losses can reach 275 million rubles (a ratio of 1 to 10 has a right to exist).
4 years ago at CISO FORUM, Dmitry Manannikov proposed a simple test: “reset” the entire information security budget you have spent during your work and answer whether you are ready to spend this money again on the same things you spent it on in the past.
And what about abroad? How is the size of the cybersecurity budget calculated there? If you google “% of IT spend”, yes, you will find quite a few interesting links to articles and studies (I did that in 2016, which led to the original article). But if you put this question to those who actually allocate the money, the result will not be so unambiguous. Yes, the IT story will still prevail, but there will also be many who follow the harder path, based on the organization’s need to manage specific current risks or unacceptable events. And whether in that case the information security budget turns out to be larger or smaller than IT’s, 10% of IT or not, is a secondary question.
“We have an extra 100 grand in our budget. We decided to invest it in security and team building. This month we split into two teams. Counter-Terrorists: devops, admins, security guys and everyone else who is supposed to have access to the databases. You must protect the production databases, and then the hundred is yours. If you can’t, we subtract a hundred from your quarterly bonuses, which we will play for next month. Terrorists: everyone else. You must take down at least one production database, preferably along with all its backups. Whoever does the most damage takes the pot. There are no rules, you can even ambush each other with soldering irons in the stairwells.”
From the Telegram channel “I’m CTO, bitch”