An Alternative Model of Information Security Investment

Introduction

The global spending on IT may only be considered as leviathan – $1.5 trillion in 2007 according to Forrester (Bartels, 2007), and is the driver for a very large segment of the global economy, especially in the western industrialized countries. At any individual firm, the $1.5 trillion figure typically translates to between 1% and 8% of revenues. Since any firm’s spending is a balancing act amongst multiple competing priorities, it becomes critical for CIOs and IT managers to justify every penny spent on IT.

As we mentioned earlier, the most common model appears to be the ITPM model which views IT spending as an investment just like any other that the firm makes. ITPM then creates metrics, processes and monitoring tools that ultimately measure Return on Investment (ROI) for each IT dollar spent (Symons, 2005).

The Forrester Research cited (Symons, 2005) also reveals that firms are most likely to optimize their IT spending around Business Value. In other words, the firms surveyed decided that the business value of IT spending outweighed other considerations like financial return, cost reductions and even efficiency (see Figure 1).

Figure 1.

IT portfolio optimization criteria (Symons, 2005)

This validates a key premise of our model, namely that IT Security Spending is integral to the firm’s value chain. We shall return to this notion of “Business Value” driven IT Security Spending later when we formulate our model.

ITPM however, is still in its infancy, and is fairly complicated to apply, monitor and measure in any given company. Additionally:

• •

  ITPM is ultimately based on financial theory of portfolio optimization. While it is plausible that the basic concepts of Modern Porfolio Theory (MPT) – see for example (Markowitz, 1952) - should apply to IT spending, the two problems are sufficiently different that substantial conceptual modifications to MPT are in order before it can make sense to the IT Line Manager. At the very least, it is not clear that MPT is the best approach to model IT Investment Portfolios. For example, the IT Investment portfolio is not as liquid as a stock portfolio, if at all.

• •

  ITPM is complicated and thus not easily accessible except to generally larger firms with a fair amount of resources devoted to IT process and operations modeling. This is evident from the Forrester study (Symons, 2005): of the mostly large firms surveyed, only 33% indicated that they had some form of an ITPM process. Combined with its immaturity as a practical model, we speculate that ITPM will not be accessible to a vast majority of firms as a practical tool to use when setting IT spending levels.

• •

  Even more ominous, the mentioned Forrester survey found that a vast majority of those firms with an ITPM process (82%) considered it to be an IT initiative. In other words, ITPM was not pervasive enough in the firm to be of any meaningful or lasting value beyond just another IT initiative.

Anecdotal evidence from our Identity and Access Management (IAM) consulting in a wide array of industries from financial services, pharmaceuticals and health care services industries also supports Forrester’s results: most firms we work with, small and large, don’t have any consistent way to model or allocate their IT spending. Rather, they tend to focus on broad goals or generalities, for example: