Security threats like Conficker, along with the regulations and measures to combat them, are a nightmarish waste of resources, says Peter Judge
It’s a shocking thought, in times when efficiency means life or death, but five to ten percent of your IT budget may be producing no direct benefits at all.
I can’t say this is wasted money, because I’m talking about your security budget. We know that’s essential spending, because without it, your business could be over very quickly. There’s another “essential” but not directly productive part of your budget too – and that’s the one that goes towards making sure you meet various regulations.
Security and regulations don’t produce benefits, they just prevent mishaps. It’s worth asking: how much of your IT resources only exist to protect against attacks by malware and hackers – and less dramatically, to maintain a clean bill of health with the red tape merchants? And how much of the environmental footprint of your IT is being expended just to stand still in ongoing wars of security and regulations?
There’s been a rule of thumb that around five percent of a small business’s IT budget should go on security measures. For larger organisations, the percentage goes up – and for the US Department of Defense, it seems to be far higher. The department reported it had spent $4 billion (13 percent of its $33 million 2009 IT budget) on security – but there is apparently another million dollars hidden in other IT programmes.
Figures for the percentage of your budget that goes on meeting Sarbanes-Oxley or other regulations are even harder to dig out, but they are significant.
One thing seems fairly sure – whatever percentage you spend on security, it’s not likely to go down this year. IT budgets may be flat, but the attacks continue. And there are moves to build IT out into more parts of the enterprise, which could vastly increase the attack surface available to hackers.
This is likely to drive a more service-led security model, according to IBM’s Marc Van Zadelhoff. This might enable businesses to keep up, without having to increase their expenditure so fast, he argues.
And regulations aren’t going to go away. There was a burst of them after the Enron scandal, supposedly to prevent further damage from corporate greed. The current banking crisis perhaps shows just how little use those regulations have been, but it will no doubt inspire a new set, along with new demands on IT.
Both these forces add up to more demands for IT to meet, and more resources expended, with consequences for the IT budget – and the environment. Hackers and regulators alike have a lot to answer for.