A cost-effective electronic security budget has to be based on overall business objectives rather than on point solutions such as firewalls, dial-back modems, a public key infrastructure or a single sign-on.
Speaking at a conference on e-security last month, Jasen Chong, who leads the financial services practice at Syntegra Singapore Pte. Ltd., said individual business unit solutions can be counter-productive to the overall enterprise security environment. "Multiple solutions require costly integration time, draining IT resources. There is also a lot of effort involved in the administration and management of different products," he pointed out.
To get management buy-in for e-security investments, an organization has to understand the value of its information assets.
"It has to understand what risk is important to them, recognize the importance of having an effective and current security policy, and improve processes to ensure a security-conscious and educated work force. E-security is an ongoing process that requires senior management support, employee buy-in and regular health checks," he said.
Chong admitted that returns on e-security investments are often difficult to demonstrate. "Protection may cost a lot, and may not directly contribute to profit."
As a result, many businesses tend to give priority to other investments.
"E-security is often an afterthought. As a result, the measures taken are not comprehensive because they come after the applications have been put in place."
Chong recommended a 10-15-15-40-20 split for the e-security budget, with the lion's share of 40 percent going to raising user awareness and education.
"The most dangerous vulnerability is in the human arena. Users need to modify their behaviour and attitudes; they need security awareness training. There also has to be skills upgrading for IT professionals," he said.
The other key areas that have to be budgeted for are:
-- risk assessment (10 percent): businesses have to look at what assets need to be protected, and at the exposure or cost of potential damage.
-- policy (15 percent): senior management has to define and determine the overall approach to security, and communicate the strategy throughout the organization. "It has to look at what level of security is necessary and what is feasible," said Chong.
-- processes (15 percent): "Technology will not protect you if the processes are not in place," Chong added. He cited the need to maintain and update virus definitions and security patches, and to put in place procedures to handle employees who leave the company.
-- technology (20 percent): this covers items such as access control and a sound security infrastructure.