Wouldn’t it be nice if you could just talk to a few colleagues in other companies or organizations to ask what they spend on security, and use that to set a rough budget for things like policy creation, personnel security, threat and risk assessments, audits, application security, penetration testing, incident response, education and awareness, etc.?

It sure would be nice. But that could be somewhat like using your sister’s soccer equipment costs to budget for your sailing hobby expenses (OK, that’s an extreme example). Unless you have a very similar business model and market, you will likely be comparing apples and oranges. Unfortunately, many security vendors and consultants will present a “standard” set of “typical” costs that simplify the situation in order to make the sale.

The problem that needs to be addressed is that a minor difference in risk tolerance, business model or target market can cause large variations in the number and location of risk exposures. That’s not to say you can’t do any benchmarking, but you have to be careful what you are comparing, and expect a certain amount of variation; perhaps more than in other budgeting exercises.

Here are some points to consider if you are looking to benchmark for security budgeting:

  1. Has the target market been well defined? The sheer number of suppliers, partners and clients you are dealing with can affect your ultimate exposure.
  2. Is there an information asset inventory? Understanding exactly what types of information are being handled within the organization helps in judging whether the same types of information sensitivity issues will be encountered across organizations.
  3. How similar are the business models? While one organization does a lot of custom work without well-defined processes, another may use automated systems with Web self-service and commercial off-the-shelf products. When you look at information flows in different business models, you can find that some organizations have much larger exposures than others that need to be addressed.
  4. Are the regulatory and compliance requirements similar across organizations? Some businesses are subject to government or industry regulations that demand prescribed information security safeguards and regular compliance reporting. This is often dictated by the target market in (1) above. But even organizations subject to the same regulations may interpret them differently, depending on their risk tolerance, as discussed in (5) below.
  5. Do the organizations’ management teams have similar risk tolerance levels? Depending on corporate structure, some organizations choose to accept higher levels of risk, which can certainly reduce the security budget requirements. However, there is inherently an expectation that accepting higher risks will result in either more frequent incidents or higher impact incidents. Explicitly assessing and documenting risk tolerance is something that is not often done. When two organizations with higher risk tolerance, or no assessed risk tolerance, compare budget costs, the figures will likely have little or no relation to each other.
  6. How similar are the organizations’ historical records for security incidents, breaches, extraordinary losses and legal costs?

So, just because two organizations have similar security budgets, it doesn’t mean they will have the same risk exposures and, therefore, costs.

When you analyze security budgets you should also be looking at both sides: the budgeted costs and the past performance (the incidents, losses and legal costs actually incurred).

All this to say that you can expect wide ranges in budgets, quoted costs and actual costs when it comes to information security. It’s just something we learn to live with. But the sooner you are able to characterize your own organization’s information handling requirements and methods, the easier it will be to tell if another organization’s cost structure for security is relevant to you.

The last thing you need to be doing is wasting time on irrelevant analyses when you are already under budget pressures.