Part of a ZDNet Special Feature: Security and Privacy: New Challenges

Cybersecurity spending: How to know when enough is enough

Short of spending all their cash on antivirus, firewalls, intrusion detection and more, how do companies balance security risk against the realities of their IT budget?

Such is the cybersecurity threat that it would, in theory, be possible for CIOs to dedicate most of their IT budget to building impregnable defences. Consultancy PwC reports that the average large business spent about $10.8m on information security during 2014. Analyst firm Gartner, meanwhile, estimates that the average company allocates about five per cent of its annual IT budget to security.

The amount of cash committed to security varies by sector, with professional services, healthcare, and finance amongst the highest-spending verticals. With mobile and cloud technologies continuing to transform the way businesses in all sectors use information, how do CIOs budget for security and how do they work out the right level of risk? Here's some advice from experienced users.

Assessing the risk and building a strategy

Tim Holman, chief executive of 2-sec and director of the Information Systems Security Association (ISSA), says it is extremely difficult to define the right level of spending for data protection. Investing in information security means paying now to influence whether something might, or might not, happen at some point in the future.


Holman appreciates that such an ephemeral business objective will not necessarily rest easily with the organisation's bean counters. "Spending on security is not like buying a piece of software, or entering into an outsourcing arrangement where the return on investment is easy to measure," he says, suggesting that CIOs looking to justify IT security spending should draw an analogy with insurance.

"Companies will quite happily spend thousands insuring their offices against the risk of fire or theft, but it is very rarely the case that offices burn down and a policy is invoked," says Holman. "It's all about perception. A board can relate to fire, and its deadly effects, but they have great difficulty relating to hackers or disgruntled employees taking down their business at the flick of a switch."

Doug May, regional IT manager for aircraft manufacturing specialist Messier-Bugatti-Dowty, says the key to establishing the right level of risk is to help the business understand the cyber threat. He says close collaboration and regular communication between the technology team and the rest of the business is vital. Like Holman, May says good IT security is a form of insurance -- you might spend a lot of money on protection and never have the need to call on the coverage.

"Just because your firm hasn't been hacked, it's difficult to turn around to the rest of the business and say that having a high level of protection has delivered a great return on investment. To make sure the understanding of security concerns is higher, CIOs should create a risk-benefit analysis and develop shared responsibility with the rest of the organisation," he says.

"The IT department is good at making decisions in isolation and security is one area where technology teams should not work alone. Sit with the rest of the business and work out the risk of spending a certain amount of money on a specific level of control. Work in collaboration and develop a strategy."

The requirements for each strategy will vary between sector and organisation. Working Links CIO Omid Shiraji says that, while security represents the number one reason for existing for some companies, he would rather channel his firm's IT budget towards the areas that are going to add real value.

"The cyber-threat and security in general can be blown out of proportion -- if someone wants to compromise your organisation, they will," he says. "Breaches will occur. For me, great security is all about recovery. What you must make sure as a CIO is that you have the best possible recovery procedures, business continuity processes, and crisis management approaches."

Going on-demand and working with partners

Shiraji says the cloud presents a challenge, not only to the way CIOs procure services, but also in terms of how they think about IT security. He believes cloud is becoming such an accepted way of delivering IT that many of the security fears associated with holding data externally are beginning to dissipate.

"I'll never be able to invest the kind of money in software that a company like Google or Amazon does in regards to security," says Shiraji. "For many CIOs, it just makes sense to work with these extremely well-governed suppliers. But you must work with partners who you can trust."

He says these trusted suppliers must be aligned with your business's best practice and boast high standards of accreditation and certification. Shiraji believes that the ever-growing requirement to work closely with suppliers will have a knock-on effect with regards to the make-up of internal IT departments.

"You're looking for people with a unique skill set. CIOs increasingly won't need traditional security skills in-house. Instead, IT leaders will be looking for people with expertise in assurance," he says.

"These will be people who understand external cloud provision who can challenge vendors in terms of their claims. CIOs will need people internally who assure the executive team that the parties are safe, secure, and that their assumptions are valid."

Former CIO turned digital advisor Ian Cohen says the basic role of the IT professional will continue to change as the impact of digital technology takes hold. But the key tenets of successful IT delivery -- such as security, reliability, scalability, and flexibility -- will remain the same.

"If you don't understand now how to work with vendors, around issues such as data ownership, information security, and governance, you'll still get IT management wrong in the era of the cloud. The challenges of the past have not just gone away because of clouds or other new service provision models," says Cohen.

CIOs, and the trusted lieutenants they rely on to provide guarantees around service provision, will still need to demonstrate strong capability in how they procure technology and structure contracts for the benefit of the business. What the cloud provides is an opportunity to add new flexibility and speed to the relationships they build with their ecosystem of partners.

"Your contracts with suppliers will have to be more fluid and allow the business to increase its use of resources on-demand," says Cohen. "Modern IT must be about assembling solutions and enabling business outcomes rather than just running 'things', such as desktops, servers or even mobile devices."
