SMotW #11: Security budget

Security Metric of the Week #11: Security budget as a proportion of IT budget or turnover

Given how often this metric is mentioned, it was quite a surprise to find that it scores a measly 16% on the PRAGMATIC scale. Why is that?  What's so dreadful about this particular metric?

Our prime concern stems from the validity of comparing the 'security budget' with either the 'IT budget' or 'turnover' (the quotes are justified because those are somewhat ambiguous terms that would probably have to be clarified if we were actually going to use this metric).  First of all, comparing anything to the IT budget implies that we are talking about IT or technical security, whereas professional practice has expanded into the broader church of information security.  Information security is important for anyone using and relying on information.  It could be argued that it is even more important outside of the IT department, in the rest of the business, than within it.  Likewise, comparing the [information] security budget against the organization's turnover may be essentially meaningless as there are lots of factors determining each aspect independently of the other. 

<Cut to the chase>  Answer us this: what proportion should we be aiming for?  In other words, what's our target or ideal proportion?  If you can explain, rationally, how to determine that value, you are doing better than us!

The metric may have some value in enabling us to compare the security budgets over successive years, across a number of different organizations, or between several different operating units within one group structure, provided we compare them on an equal footing.  If, for example, a whole bunch of engineering companies belonging to a large conglomerate reported about 10% for this metric (making that the norm i.e. an implied target), apart from one company that stuck out with say 20% or 5%, management might be prompted to dig deeper to understand what makes that one so markedly different from the rest.  It's a fair bet that pressure would be brought to bear on the outlier to bring itself into line with the rest - such is the nature of metrics.  But would that necessarily be appropriate?  Who is to say that the majority are budgeting appropriately for security whereas the odd-man-out has got it wrong?  It is certainly conceivable that in fact it is taking the lead on security, or that there are perfectly valid and appropriate reasons that make it unique.  Perhaps the way it calculates its budgets is different, or maybe it is at a different state of security maturity.  It could be recovering from a major security incident or noncompliance, or its management may have a substantially different risk appetite than the others in the group.

The point is that the metric could be distinctly misleading if considered in isolation.  Management might even be accused of being negligent if they were to act on it without a lot more information about the security and business situations that underpin it, in which case would we be any worse off if we didn't bother with it at all?

P	R	A	G	M	A	T	I	C	Score
13	3	16	2	2	0	4	18	88	16%

Single-digit scores for five of the nine PRAGMATIC criteria banish this candidate metric to the realm of soothsayers and astrologers in respect of Acme Enterprises Inc anyway.  Perhaps in your specific organizational context, this metric makes more sense, provides true value and justifies its slot on the security management dashboard - if so, we'd love to hear from you.  Feel free to comment below.   What are we missing here?  How do you make this one work?