November 23, 2015

Does Your Information Security Plan Budget Match the Risk?

According to PwC’s Global State of Information Security Survey 2015, the reported number of security incidents in 2014 rose 48% to 42.8 million. At the same time, the survey showed that global cyber security budgets fell by 4% compared to 2014.

Security planning involves developing security policies and implementing controls to prevent computer risks from becoming reality.

A good way to determine how much you need to spend on security is to think about security management as a business process. As with any business process, it includes the following phases:

  1. Planning
  2. Implementation
  3. Execution
  4. Measurement and feedback
In an online article, Rob Cotton, head of security consultancy NCC Group, says cyber security costs have become entwined with many areas of business.

When setting an information security budget in the workplace, consider these key areas:

  • Risk analysis. External security audits should first review your security policies to make sure they are consistent with your requirements and legal responsibilities. This step is, unfortunately, often skipped by auditors.

    The second aspect is to verify, by testing and inspection, that your current processes, procedures and security configuration actually reflect your security policies.

  • Insider Threat Reduction. Research conducted by Ponemon showed that most companies expect the risk of privileged user abuse to continue or get worse. It also showed that 51% allocate between 5% and 8% of their overall IT budget to insider threat technology. But it is also clear that workplace policies such as an anonymous tip line, locked consoles for discarded documents, and a shred-all policy (so that all documents are securely destroyed) protect confidential information from insider fraudsters too.

  • Partnerships. Third-party partnerships must also enforce security and privacy. For example, a document destruction partner should hold NAID certification and provide a secure chain of custody from the time paper is collected in locked containers in the workplace to the time it is removed and securely shredded.

  • Technology. There’s no question that intrusion prevention and detection tools, privileged user access controls, vulnerability scanning, and other data loss prevention software are important. In a recent Ponemon study, 67% of respondents said their organizations made sure that, based on an IT risk assessment, IT has the budget necessary to defend against attacks.

Taking a business process approach to analysing the allocation of your security budget ensures that you are spending those dollars on the most important security projects, and it helps you deliver the most efficient and effective security for your company’s digital assets.
Rock Solid Shredding provides customized paper and hard drive shredding services that assist businesses with complying with legislation while protecting information.