You have one dollar to spend, how do you spend it wisely?
FUD has been great for security vendors. We personally know an Israeli company that wanted Sarbanes-Oxley compliance so badly, they laid out $1 million on IT security products. Last month, they wanted to survive so badly, they RIF'd 750 employees. Like the old Arab proverb - "Yom Asal, Yom Basal" (One day honey, one day onion - today it's onion).
We're now seeing companies spend less on security products.
Having less money to spend is an amazing enabler for being more effective.
A recent survey of IT security professionals by the Burton Group found that security budgets make up a smaller portion of overall IT spending than previously thought. The survey found that security budgets typically make up about 2% of IT budgets. That number is significantly lower than earlier estimates, which put security at 6% to 12% of IT budgets. Burton Group analyst Pete Lindstrom also thinks that a smaller security budget could be a good sign.
With a tight information security budget, it is tough to recommend the best ways to invest new dollars or focus resources. You have all those vendor salespeople hovering over you with their pseudo-ROI calculations.
However, listen up girls and boys - there is no substitute for pulling out your calculator and asking the VP Finance (or your accountant, or yourself) how much your digital assets are worth in dollar values. Do a Practical Threat Analysis and you will see how to root out inefficiencies and find the most cost-effective, prioritized countermeasure plan.
Three months ago, we did an IT audit for Sarbanes-Oxley compliance with a client.
After a week with PTA and a ZBB (zero-based budget) exercise, they slashed $165K from the security budget and reduced their risk exposure by $15 million.
Where I come from - that's real money.

