As Jack wrote then, “Perhaps the most significant concern I have about budget benchmarking is that it implies there’s some universally accepted ‘appropriate amount’ of spend. Hogwash.”
Watch the conversation between Jack Jones and Phil Venables that keynoted the 2020 FAIR Conference: Factoring Risk in Decision Making: How Better Risk Measurement Enables Better Decision-Making (FAIR Institute membership required – join the Institute now).
Phil picks up the campaign with these cogent objections:
Phil concludes:
“Is spending 90% of your IT budget on security better or worse than spending 10%? I have no idea. You might be irresponsibly pouring money down the drain in the first case or being crazily frugal in the 2nd case. We don’t know without knowing the outcomes and risk profile.”
Factor Analysis of Information Risk (FAIR) addresses exactly these shortcomings: through financial analysis of cyber risk, it lets organizations express outcomes as risk reduction and risk profiles in relation to risk tolerance.
As Jack wrote, “Our job is to help [executive budget deciders] make well-informed decisions regarding our piece of that puzzle by providing a clear, unbiased, and useful picture of their information-related risk and risk mitigation options. Until/unless we do that, then any argument regarding appropriate security spend isn’t terribly useful.”
Phil also wrote favorably about the FAIR model in his recent blog post Cyber Risk Quantification.