Photo Credit: PetroleumJelliffe via Compfight cc
Not too long ago, I came across a report stating that the U.S. Federal Government was planning to spend 7 billion dollars on information security. Wow!
Just imagine the politicians and budget approvers looking at this number and saying "far too much, cut this by 20%" (or any other number). That is a natural reaction when you consider that such an amount is something like 5,000 to 10,000 times an annual salary.
There is a quote of uncertain attribution about a person whose favourite sport was jumping to conclusions, and this is a good illustration of how our brain uses its intuitive reaction without further analysis.
In this short note, I would like you to consider numbers from dependable sources to put information security expenditures in a different context, basically using small numbers:
Number selection No. 1
There are many sources, including your own place of work, suggesting that, on average (please be careful with averages and all statistical data), I.T. expenditures are in the order of 4% of an organisation’s operational expenditures, and that information security represents 4% of I.T. expenditures.
To visualize this, imagine a cake and cut it into 25 slices of the same size. One of these wedges represents the I.T. budget. Now take this slice and cut it again into 25 ever-so-thin slivers: that is your budget for information security. If it were a real cake, it would leave you hungry.
Number selection No. 2
Gartner – the well-established industry observer and advisory service – publishes annual reports on I.T. expenditure. Earlier in 2014, this included “Don’t be the next target”, a review of expenditures on information security in various sectors in 2013. One figure in particular was striking: it shows expenditure by sector and by employee. The highest spenders were insurance, utilities and banking, with numbers ranging between $552 and $684.
If you accept that there are 220 working days in a year, the expenditure per employee per day is in the range of $2.50 to $3.10 (and these are the high spenders), roughly the price of a cup of coffee. But now it gets interesting: taking – just for size – the total cost of employing someone (salary, pensions, insurance, accommodation, employers’ taxes and so on) at, say, $100,000 a year, you can deduce that this works out as an employee cost of $1 a minute.
If your employees include smokers who are forced to go outside the building to indulge their need for nicotine, and going outside, smoking, chatting with colleagues and returning to the desk takes ten minutes per cigarette, this has cost the employer $10. Multiply this by the number of cigarettes a person needs during the working day and it becomes a much larger number than the security expenditure.
Number selection No. 3
The pressure on organisations to cut expenditures has been around for a long time and appears to be growing, justified by euphemisms such as “shareholder value” and “doing more with less”. This is fine in principle, but it is in contrast with what happens in real life. In one of my previous places of work we referred to this as SMRC (Saving Money Regardless of Cost), and even then it was nothing new: in the late 1960s, astronaut Alan Shepard said that “It’s a very sobering feeling to be up in space and realize that one’s safety factor was determined by the lowest bidder on a government contract.”
Those of you who have worked in software development know that the cost of detecting and correcting an error at the earliest stages of development is modest, while the cost of doing so in production is considerably greater, i.e. prevention is better than cure.
If in doubt, look at what happened to Société Générale (as well as UBS London and Barings Bank), the story of the wiring of the Airbus 380, the various car recalls by Toyota and GM, and so many more. Why can’t we help our decision makers become more aware that SMRC is not always a winning strategy?
Security can be a real bargain, especially if done early and well. You just need to use the right figures to get the point across.