Justifying Security Spend

Given that  this often relates to proving a negative, justifying security spend can be extremely challenging.  Before we continue, I’ll freely admit I don’t have all the answers here, but wanted to share some of the things I’ve been thinking about and discussing recently about just how hard this is, and possible ways to help.

We weren’t hacked therefore we spent enough..  Did we spend too much?  Could we spend less and still ‘not be hacked’?

We suffered a data leak, did we not spend enough?  Did we spend on the wrong things?


One example I am using to demonstrate how hard it could be to justify seemingly obvious security spend is around DDoS.

Take the following scenario;

Your organisation has suffered some DDoS incidents, these were volumetric attacks and the board urgently wants protection from these types of attacks in place.  You duly implement a premium cloud service, and provide them with an overview of the service and how it protects against volumetric attacks.  Over the next few months the service proves it’s worth and protects the business from any further attacks.

The next year, gaining approval for spend on this service is easy, everyone knows what it does and that it is needed.

Over time volumetric attacks against your business cease to occur, and a couple of years later the board are challenging the need for a large spend on protection from these attacks.

However the question clearly is; did the attacks cease because you are no longer a target of this type of attack, or because it is common knowledge you have very effective protection so there is no point in launching these attacks against you?


From this example you can see that justifying spend on something as seemingly obvious as DDoS protection could be challenging as how do you go about proving why the malicious actors have not done something?


Taking another example I read in the most recent issue of the ISACA magazine;

Before the Best Buy breach, what were the chances that they would be a target and suffer a breach?  After the Best Buy breach, what are the odds they will be breached again?


We have models for things we think we can predict from sporting events to the weather that have varying degrees of accuracy.  However the various malicious actors that could be targeting your organisation do not act in ways we can easily predict and quantify.

So given this how do we clearly state to the wider business the actual likelihood of an event, and the impact?

I’ll leave the impact discussion for now, but while it many seem more obvious, consider the wide range of impacts and how hard they can be to accurately quantify.  It is relatively easy to state how much you loose for a given amount of downtime, but how long does reputational damage last? How many sales are lost over the next year with downtime or a breach being factors in the customers decision? etc.


Some key things to help this situation include;

  • Moving the security discussion from IT to the ‘business’, all security risks are actually business risks, or translate directly to business risks.
  • Running scenario based exercises with the board to understand their risk appetite and educate them around what can happen and the impacts it would cause.
  • Gathering industry information on the prevalence of attacks and breaches against what are considered ‘peer’ organisations to understand the threat landscape you are operating in.

What are your thoughts?

How are you ensuring the  executive board and the wider business understand the need for the security spend and how you are managing risk?