The recent government shutdown got me thinking about budgets and information security. Having just submitted a proposal to a small business myself, I am asking the question: What is best practice for small or mid-sized business (SMB) information security?
Every SMB is going to have a limited budget. This budget has to cover control implementation and maintenance. There’s no point in minimizing risks if you will run out of money for maintenance at a later date. In this post, I want to address the costs of running the security program on an ongoing basis. Gartner came up with Total Cost of Ownership (TCO) back in the 1980’s but hasn’t applied it to information security. I am claiming that the cost of maintaining your security program is often overlooked and is critical for a SMB, where budgets are limited.
There are several good references for SMB security. NIST has developed NISTIR 7621: “Small Business Information Security: The Fundamentals”. This document recommends taking an inventory of information assets and then using the NIST Cyber Security Framework to protect them. But there is no discussion of managing security within a limited budget. Another good reference is from Australia: “Cybersecurity: The Small Business Best Practice Guide”. This starts with getting buy in from everyone in the organization and providing training. The next recommendations include analyzing vulnerabilities, evaluating assets and prioritizing remediation. Again, no discussion of budget issues.
I believe more focus should be placed on the cost of maintaining security controls that are put into place. For the largest organizations, this might not a problem since resources can be made available. For a smaller organization with limited resources, it is better to implement a smaller number of quality security controls, than a larger suite of controls where some are not supported properly.
As a hypothetical, let’s say the organization has $50,000 to spend on security. Assume each control will cost $5,000 for initial cost in year one. This could include hardware, software, training, consulting, etc. Therefore the budget will support 10 controls in year one. If the maintenance cost is $5,000 ongoing, then no new controls can be implemented in year two. The critical point is to allocate sufficient funds to maintain all controls in following years. Year two and beyond funds cannot just be put into more new controls or technologies. If this happens, the control effectiveness will drop off and potentially permit breaches. This effect is confirmed in the Verizon DBIR which states that almost half of PCI compliant firms are out of compliance in mid-year assessment.
What are the likely maintenance costs of a control? First would be the usual software maintenance charged by the vendor. But a security control is not a stand-alone entity. It must be seen as part of a security system, or its effectiveness is reduced. There will be costs of training staff to make use of the control. Why? Threats are constantly changing. People are changing jobs or roles. There will be costs of developing processes around the control. Why? The other controls or processes communicating with the control are constantly changing. In today’s world, security technology itself is constantly changing, hopefully improving. Therefore, the life of a control implementation will be shorter than other enterprise applications. This depreciation expense should also be included in the security budget.
For a small business, it is important to estimate the annual cost of maintaining each security control. That costs should be added to the initial cost of implementing the control. The total should then guide, along with the risk analysis, the roadmap for control implementation. The worst choice is to implement too many controls and then not allocate sufficient resources to maintain them. This may give a false sense of compliance, but will not provide security.
Contact us today to learn how we can assist you in any aspect of your IT security program.