First, assume that you believe, as discussed in Gordon & Loeb’s book Managing Cybersecurity Resources: A Cost-Benefit Analysis and discussed here, that an organization should spend no more than 37% of their expected loss on information security. Second, assume that you agree with the Ponemon Institute on the cost of business data breaches: $182 per record. Then, as I have pointed out, you have enough info to figure out what your info sec budget should be, or at least its cap.
A few thoughts:
- Crap, that’s a nice observation. I wish I’d made it.
- If you read the full version at “Incentive Plan for an Information Security Team,” then a lot of that paragraph becomes referenced.
- You can’t dump the entirety of the funds into the pool–some of it needs to be spent on defensive technologies, processes and people, but you’re certainly aligning the interests of the infosec team and the business.
- Finally, we have to wonder if a manager could fire their entire team and live comfortably in Anguilla on bonuses paid until it backfires. (Nick does address this with smoothing.)
PS: The title? Not a typo: Nick runs WiKID Systems.
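The budget-cap arithmetic quoted above, carried through in code as an added example (not from either post). The 37% figure is Gordon and Loeb's 1/e bound; the block also computes the optimal investment for their class-I breach-probability function S(z, v) = v / (αz + 1)^β so you can check that it really lands under the cap. Record count, breach probability, α and β are constructed sample values, not figures from the page.

```python
import math

COST_PER_RECORD_USD = 182           # Ponemon figure quoted in the post
GORDON_LOEB_FRACTION = 1 / math.e   # ~0.368, the "37%" upper bound


def expected_loss(records, breach_probability, cost_per_record=COST_PER_RECORD_USD):
    """Expected loss = v * L: probability of a breach times the loss per breach."""
    return breach_probability * records * cost_per_record


def budget_cap(records, breach_probability, cost_per_record=COST_PER_RECORD_USD):
    """Gordon-Loeb cap: spend no more than 1/e of expected loss on security."""
    return GORDON_LOEB_FRACTION * expected_loss(records, breach_probability, cost_per_record)


def breach_probability_class1(z, v, alpha, beta):
    """Class-I security breach function: probability of breach after investing z."""
    return v / (alpha * z + 1) ** beta


def net_benefit_class1(z, v, loss, alpha, beta):
    """ENBIS(z): reduction in expected loss bought by z, minus the cost z itself."""
    return (v - breach_probability_class1(z, v, alpha, beta)) * loss - z


def optimal_investment_class1(v, loss, alpha, beta):
    """Closed-form z* that maximises ENBIS; zero when even the first dollar does not pay."""
    threshold = v * alpha * beta * loss
    if threshold <= 1:
        return 0.0
    return (threshold ** (1 / (beta + 1)) - 1) / alpha


def optimal_fraction_of_expected_loss(v, loss, alpha, beta):
    """z* as a share of expected loss; Gordon-Loeb prove this never exceeds 1/e."""
    return optimal_investment_class1(v, loss, alpha, beta) / (v * loss)


if __name__ == "__main__":
    records, v = 100_000, 0.10          # constructed: 100k records, 10% annual breach chance
    loss = records * COST_PER_RECORD_USD
    alpha, beta = 1e-5, 1.0             # constructed productivity parameters
    z_star = optimal_investment_class1(v, loss, alpha, beta)
    print(f"expected loss   ${expected_loss(records, v):,.0f}")
    print(f"budget cap      ${budget_cap(records, v):,.0f}")
    print(f"optimal spend   ${z_star:,.0f} "
          f"({100 * optimal_fraction_of_expected_loss(v, loss, alpha, beta):.1f}% of expected loss)")
```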