Free Articles, Free Web Content, Reprint Articles
Tuesday, January 21, 2020
Free Articles, Free Web Content, Reprint ArticlesRegisterAll CategoriesTop AuthorsSubmit Article (Article Submission)ContactSubscribe Free Articles, Free Web Content, Reprint Articles

IT Security Measurement - how well are my IT security dollars being spent ?

IT security budgets tend to represent single digit percentages of the total IT budget, but with security becoming a greater issue than ever before, how do I know that my security dollars are delivering a return ?

A stark simple reason for a relatively low budgetary priority for IT security is the simple fact that the vast portion of an IT budget has to be committed to maintaining infrastructure and users followed by development of these same systems to meet ever increasing business demands.  IT security has always fallen a long way down the totem of priorities however the requirement to safeguard IT resources from external and internal threats has caused a shift in approach in recent years.  The issue becomes how do businesses know what actually generates the best return for the dollar spend on security?

Given the abstract nature of IT security, performance can only be reasonably measured in a relative fashion by assessing trends and benchmark standards against industry peers.  It is only once a track record of metrics has been established that a business can look internally at how well it is spending IT security budgets and what the loss expectancy is from threats to security of the IT infrastructure.   To attempt to implement IT security metrics without proper control over the process and identification of the KPI's that will comprise the balanced scorecard will only contribute to the plethora of data being collected, but do little for contributing to the business itself.  The highly technical nature of the IT function and the even more elaborate area of IT security does not lend itself easily to being understood by non-technical managers while IT management themselves have often failed to embrace the need for a business case for allocating a budget.

It will be essential that an IT security expert is involved in the development of the balanced scorecard and identification of the KPI's that will comprise it together with relative weightings. It is equally essential that part of the team identifying and defining metrics is able to understand the business implications of a security incident to the business in terms of opportunity cost.  Unlike a sale that has a definite value, how do you define an IT security incident for the purpose of IT security metrics?  More than that, how do you ascribe a dollar cost to such an event occurring ?  Issues will also arise given the fluid nature of the range of emerging threats as wireless and mobile device technology increases, in short your metrics will alter regularly thus making year on year comparisons problematical as like will not be compared with like.

Generally it is advisable to keep the KPI's and balanced scorecard metrics as simple as possible and avoid using too many in order to maintain clarity.  Business managers want to be able to focus on the key areas that require their management timeFree Reprint Articles, while IT advisors will need to be able to demonstrate a justifiable business case for budgets to enhance IT security based upon operational business need rather than technical artistry.  Establishing metrics that technical and non-technical managers agree upon and understand is an excellent starting point from which to assess IT security performance.

Source: Free Articles from


If you are interested in it security scorecard, check Sam Miller new web-site.

Home Repair
Home Business
Self Help

Page loaded in 0.071 seconds