Influential security blogger, three-time CISO and current Goldman Sachs Bank board member Phil Venables is out with a new blog post, Why Cybersecurity Budget Benchmarks Are a Waste of Time – a theme that FAIR™ model creator Jack Jones has campaigned on for years: See his 2015 blog post Comparing Security Budgets.
As Jack wrote then, “Perhaps the most significant concern I have about budget benchmarking is that it implies there’s some universally accepted ‘appropriate amount’ of spend. Hogwash.”
Watch the conversation between Jack Jones and Phil Venables that keynoted the 2020 FAIR Conference: Factoring Risk in Decision Making: How Better Risk Measurement Enables Better Decision-Making (FAIR Institute membership required – join the Institute now).
Phil picks up the campaign with these cogent objections:
- “A budget is an input, not an outcome. Security risk management needs to be centered on outcomes.”
- “There is no agreed upon taxonomy of comparison. You’re never comparing apples to apples [from one organization to the next].”
- “Incentives are misaligned. Budget comparisons aim to set minimum standards, ‘spend at least X,’ but often good security programs become more efficient and spend less per unit of control.”
“Is spending 90% of your IT budget on security better or worse than spending 10%? I have no idea. You might be irresponsibly pouring money down the drain in the first case or being crazily frugal in the 2nd case. We don’t know without knowing the outcomes and risk profile.”
Factor Analysis of Information Risk (FAIR) addresses exactly these shortcomings. By analyzing cyber risk in financial terms, it lets an organization state outcomes as measured risk reduction and express its risk profile against a defined risk tolerance, so a control is judged by the loss exposure it removes per dollar rather than by how its cost compares with a peer’s budget.
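As an added illustration of the point above (not code from the FAIR Institute, Jack Jones or Phil Venables), the script below runs a simplified FAIR-style Monte Carlo: loss event frequency is threat event frequency times vulnerability, loss magnitude is sampled per event, and each option is scored by annualized loss exposure and by risk reduction per dollar of extra spend. The scenarios, estimate ranges, control names and costs are all hypothetical figures constructed for the example; a real analysis would use calibrated estimates and the full FAIR taxonomy.

```python
"""FAIR-style Monte Carlo comparing control options by risk reduction (added example)."""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Calibrated min / most-likely / max range for one factor."""
    low: float
    mode: float
    high: float


@dataclass(frozen=True)
class Scenario:
    name: str
    tef: Estimate        # threat event frequency, events per year
    vuln: Estimate       # probability a threat event becomes a loss event (0..1)
    magnitude: Estimate  # loss per loss event, in dollars
    annual_cost: float   # yearly cost of the controls in this option


def sample_pert(rng, est, lam=4.0):
    """Draw from a PERT distribution built on the min/mode/max estimate."""
    span = est.high - est.low
    if span <= 0:
        return est.low
    a = 1.0 + lam * (est.mode - est.low) / span
    b = 1.0 + lam * (est.high - est.mode) / span
    return est.low + rng.betavariate(a, b) * span


def sample_poisson(rng, rate):
    """Number of loss events in one year given an expected rate (Knuth's method)."""
    limit = math.exp(-rate)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate(scn, years=10000, seed=7):
    """Simulate `years` independent years and summarize the annual loss distribution."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        lef = sample_pert(rng, scn.tef) * sample_pert(rng, scn.vuln)
        n_events = sample_poisson(rng, lef)
        losses.append(sum(sample_pert(rng, scn.magnitude) for _ in range(n_events)))
    losses.sort()
    return {
        "ale": sum(losses) / years,                 # annualized loss expectancy
        "p90": losses[int(0.9 * years)],            # 90th percentile annual loss
        "p_any_loss": sum(1 for x in losses if x > 0) / years,
    }


def compare(baseline, option, years=10000, seed=7):
    """Score an option against the baseline by risk reduction per extra dollar spent."""
    b, o = simulate(baseline, years, seed), simulate(option, years, seed)
    reduction = b["ale"] - o["ale"]
    extra_cost = option.annual_cost - baseline.annual_cost
    return {
        "ale_baseline": b["ale"],
        "ale_option": o["ale"],
        "risk_reduction": reduction,
        "extra_cost": extra_cost,
        "reduction_per_dollar": reduction / extra_cost if extra_cost else math.inf,
    }


# Constructed, hypothetical scenarios: credential-phishing against a customer portal.
BASELINE = Scenario("current state", Estimate(5, 20, 60), Estimate(0.05, 0.15, 0.40),
                    Estimate(20_000, 150_000, 2_000_000), annual_cost=200_000)
OPTION_A = Scenario("MFA + faster patching", BASELINE.tef, Estimate(0.01, 0.04, 0.10),
                    BASELINE.magnitude, annual_cost=350_000)
OPTION_B = Scenario("larger tooling budget", BASELINE.tef, Estimate(0.04, 0.12, 0.30),
                    BASELINE.magnitude, annual_cost=900_000)

if __name__ == "__main__":
    for opt in (OPTION_A, OPTION_B):
        r = compare(BASELINE, opt)
        print(f"{opt.name}: ALE ${r['ale_baseline']:,.0f} -> ${r['ale_option']:,.0f}, "
              f"${r['risk_reduction']:,.0f} reduced for ${r['extra_cost']:,.0f} extra "
              f"({r['reduction_per_dollar']:.2f} per dollar)")
```

The comparison makes the "budget is an input" objection concrete: Option B spends far more than Option A, yet removes less loss exposure per dollar, so a benchmark that rewarded the higher spend would point the wrong way. The decision variable is the risk reduction relative to the organization's tolerance, which no cross-company spend ratio can supply.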
As Jack wrote, “Our job is to help [executive budget deciders] make well-informed decisions regarding our piece of that puzzle by providing a clear, unbiased, and useful picture of their information-related risk and risk mitigation options. Until/unless we do that, then any argument regarding appropriate security spend isn’t terribly useful.”
Phil also wrote favorably about the FAIR model in his recent blog post Cyber Risk Quantification.