Who Pays for Security?
Steven J. Ross, CISA, CISSP, MBCP, is executive principal of Risk Masters Inc. Ross has been writing one of the Journal’s most popular columns since 1998. He can be reached at stross@riskmastersinc.com.
In my last article, I raised the issue of the value of information security. I suggested that there were a number of ways to address the issue and that companies ought to place a monetary value on their security preparations. I proposed a thought experiment in which the price for selling a company was dependent in part on the state of its security. One conclusion to be drawn from that experiment is that the value of anything, security in this instance, is what someone will pay for it. In that case, given a certain level of security over an organization’s information resources, who is paying for it?
At the highest level, of course, shareholders are paying for it in private companies, as are taxpayers in public sector organizations. This is accurate but uninformative. The way in which organizations allocate finite resources says a great deal about how they value the objectives of those internal investments. Some funds go to production, some to sales, some to information technology and some to controls, of which security is a significant part. However, it would be foolish to think that the budgets for production, sales or IT do not also include funds for controls, which are pervasive across an organization. How much, then, of the annual expenditure for each business function includes spending on security? Is the cost evenly distributed? How does each affected organizational unit pay its share for security?
THE INFORMATION SECURITY FUNCTION
What, then, goes into the cost of information security? Essentially, costs are incurred for personnel, hardware, software and services. These categories figure into the budget of the Information Security¹ function. In addition to the salaries of dedicated security professionals, the function’s budget (often subsumed into that of IT) generally goes toward encryption, access management, intrusion detection and prevention, passwords, firewalls, and penetration testing, to give a few examples. Thus, it may be said that the budget of the Information Security function is the total outlay for a company’s security.

But this statement overlooks two very important matters. First, these are not the totality of security expenditures. There are security activities embedded in nearly every business function, and there are other functions besides Information Security that perform explicit security roles. Moreover, there is much information, in the form of paper records, images and even backup media, that is not under the purview of the IT function. Second, the Information Security function is not self-funding. Directly or indirectly, it incurs the cost of security on behalf of the owners of the information and the systems that use it.
ALLOCATION OF RESPONSIBILITY
A portion of the issue of cost is definitional: what in fact does information security consist of? As is often the case, the best (or at least the most widely accepted) answer is to be found in ISO 27002.² It divides information security into 11 clauses, often referred to conversationally as domains (see figure 1). Some of these are primarily in the domain of Information Security, but each may involve, even in primary roles, other functions within an organization.

The distribution of responsibilities in figure 1 is based on a typical organization, whatever that means. While any cell within this table may be questioned, the totality of it is indisputable: The Information Security function is a major actor in effecting security but is not always primary in every domain, and in some domains is not involved at all. This is quite clearly stated in ISO 27002: “Information security activities should be coordinated by representatives from different parts of the organization with relevant roles and job functions.”³