There are simply too many dependencies on people, processes and technology and, put simply, a limited understanding of the interrelation and interdependencies between security management and technologies within business and IT. Today security is more skill than science. Security metrics, and the collection of those metrics, are either not robust enough or too costly to collect to provide data for investment justification.
To achieve a better alignment between business and security investment, it is important to understand the constituents of a holistic security ecosystem. Security is built in a layered approach: the greater the number of layers, the more secure the organization.
This is akin to the multilayer fortification built around forts in yesteryears. The greater and higher the number of walls, the more difficult it is to penetrate. In a simplistic sense, a holistic security ecosystem can be visualized as comprising several layers in the following sequence from core to periphery – data, system, applications and network.
Security at each layer is a combination of people, processes, technology and executive commitment. The prime objective is to ensure that business data is kept confidential, available and has integrity, thereby ensuring the prosperity and continuity of business operations.
The right approach to deciding upon an investment in security is to adopt a qualitative and participative style of decision making rather than seeking ROI metrics. Executive management should focus on three basic questions: what data are we protecting, what is its value to the business, and how do we protect it across all layers?
Executive decision making should flow from the core outwards, thereby emphasizing the value of protecting information vital to the business, an area to which executive management is closest, and demonstrating senior management commitment to security. Executive management needs to work closely with the security team to ensure that business requirements are appropriately translated into defense in depth security requirements, and to make a sincere attempt to bridge the gap by better understanding what security means to the business, rather than expecting the security champions to figure it out.
During the decision making process, it is also advisable to review the appropriateness of the investment in each layer of the ecosystem relative to risk. This would reduce the risk of succumbing to vendor hype and sharpen the focus on those elements which provide greater value in a defense in depth approach to security. For example, a security awareness programme for senior management focussed on data security may be more useful than an organization-wide poster campaign.
In the longer term, once the security ecosystem has uniformly matured across all layers, it would be possible to create a set of security metrics and dashboards to measure the benefit of security against the level of OPEX and CAPEX. For the next three years, however, it will be difficult to quantify, measure and appropriately budget security investments.
The author is director of security consulting at Tech Mahindra Ltd.