“People don’t always get what they deserve in this world.” ― Lemony Snicket, The Blank Book
In 1867, the US bought Alaska from Russia for US$7.2 million. Today, Alaska is valued at US$37 billion – all 1.5 million square kilometres, with oil production expected to generate $2.64 billion in state revenue for FY2019.
When it comes to protecting one of a company’s most prized assets, information, IT security departments incorrectly estimate its value. Research by the Ponemon Institute suggests that companies are not investing appropriately in the availability, protection and security of the most commercially valuable types of documents a business holds.
So when a breach occurs, leadership is often left holding the bag and having to explain to shareholders, regulators, business partners and customers what happened and why it happened.
According to Gartner, many organizations simply do not know their security budget. This is partly because few cost accounting systems break out security as a separate line item, and many security-relevant processes are carried out by staff who are not devoted full-time to security, making it impossible to accurately account for security personnel. In most instances, the chief information security officer (CISO) does not have insight into security spending throughout the enterprise.
According to Ira Winkler, CEO of Secure Mentem, security programmes are often budgeted out of the chief information officer’s budget – monies set aside following agreement between the CEO and CFO. The CIO then allocates a portion of the annual IT budget to the chief information security officer (CISO).
“Security people get the budgets that they deserve, not the budgets that they need. Security people will take what they are given, make purchases accordingly, thinking ‘I’ll spend this [budget] here. I really want to do this, but I don’t have the budget. Maybe next year I’ll ask for more.’ The problem is they’re not approaching it from a business perspective like everybody else would,” lamented Winkler.
In this exclusive interview with FutureCIO, Winkler candidly explains why CISOs and CIOs should take the blame for any failure on the part of the company to protect the information under its care.
He recommends that CIOs and CISOs approach security like any other important part of the business: how much investment is needed, and what return is to be expected from it.
In this video, Winkler describes how CIOs and CISOs should consider “selling” the security story in ways the CEO and CFO will more likely understand and appreciate.
Watch the full video; your career may depend on it.