Today in Finance for June 23, 2004

Words Fail Them

Security professionals struggle to put some hard numbers on a line item that defies easy analysis.

CFO Staff
CFO IT

June 23, 2004

Even though computer security remains a rare growth area within IT budgets, the purse strings are tightening. And, according to Yankee Group, security budgets are becoming more influenced by lines of business, rather than being solely determined by IT departments.

Consulting firm Meta Group goes a step further, arguing that today's hodgepodge of security expenditures (antivirus software here, firewall protection there, data-privacy efforts somewhere else) will ultimately be consolidated into strategic programs with dedicated budgets. But for that to happen, security professionals need to articulate the business case for higher security spending better than they have to date.

Quantifying the benefits of a disaster that never happens is a tall order, so putting a dollar value on security spending may be impossible. But Meta Group analyst Tom Scholtz proposes a "4i" model as a way to frame security-budget discussions.

In his view, the i's that have it (the power of persuasion, that is) are investment, integrity, insurance, and indemnity. Investment would stress everything from brand enhancement (or, more to the point, tarnishing) and competitive differentiation to agility and adaptability. Integrity would stress continuous availability and accurate information. Insurance would frame security spending in risk-management terms, while indemnity would stress new regulatory requirements and governance practices.

The aim is not to wrest as large a budget as possible from an executive audience, but to frame the issue in terms that business leaders are comfortable with. Scholtz also recommends that companies look at the cost of past virus attacks, fraud, hacker attacks, and other security lapses as one way to put some hard numbers on a line item that defies easy analysis.

Readers' Comments

Comment on this article...