The Bavarian IT Security Cluster is a marketing and networking alliance consisting of stakeholders from various companies, universities and institutions. It earned a reputation with its own developments such as the ISMS information security management system, and with popular events such as “IT Security on the Banks of the Danube”, which has been held for 14 years now in various towns along the Danube River.
The Cluster is headed by Sandra Wiesbeck, who has been working on IT security topics there for 12 years. She has a sound background in IT, having opted to specialise in business information technology during her business management degree. So she was ideally suited to transform statutory requirements into software specifications for developers, something which she did successfully for a software company for many years. Today she runs the successful security cluster, which now has a total of 130 member companies and institutions. In this interview she answers questions about budgeting for IT security.
Ms Wiesbeck, one question that often comes up in management boards is about what sums are necessary to protect a company. Is it possible to specify a certain percentage of revenue that should be spent on IT security?
Unfortunately there is no rule of thumb that determines the necessary investment volume, because the requirements in companies and industry sectors are too different. Companies that are part of critical infrastructure, for example, need to meet special conditions. This is quite a complicated process and therefore costly. But what is clear is that the greater the degree of digitalisation in a company, the more it needs to spend on IT security.
The determining factor is the type of data to be protected; patient data need more security than data from a skilled trade enterprise. In this context, an evaluation of existing information is necessary to identify the company’s “crown jewels”. These are data that are business-critical and must not be lost, e.g. research results. The information to be protected should always be the basis for calculating the necessary budget. The company needs to be aware that even information can have a monetary value. Sometimes this monetary value is indirect only, for example where certain data are not valuable in themselves but their loss could incur a fine due to statutory provisions.
What statutory requirements need to be met in respect of IT security?
There are various statutory requirements. Penalties may apply in accordance with the GDPR, if for example a company fails to comply with the statutory provisions for protecting customer or personal data. The German IT Security Act also provides for sanctions, for example in relation to the obligation to report security incidents. Municipalities are also subject to the E-Government Act. Moreover, there are sometimes industry-specific regulations to be observed; in the case of banks these would be SOX Compliance or Basel II. And manufacturers of medical devices also need to take account of specific IT security provisions.
Are there industry-specific differences in budgets for IT security?
There are discernible differences, at least in line with the average spend in the respective sectors. And that is easily explained. There are sectors in which sensitive data occur or are processed due to the very nature of the business. The biotechnology sector, for example, often produces critical development or research data that need to be protected from theft. And interdependencies may result from the demands of a supply chain: in the automobile industry, automotive suppliers need to meet the security requirements of the car manufacturers. The automotive industry has developed its own standard, TISAX, for this purpose.
In respect of budget criteria are there differences between large and small companies?
I don’t see any obvious differences of the kind that exist between different sectors. Regardless of its size, a company needs to identify its most important business processes and the necessary data for them. The questions of cost then follow. Naturally, larger companies generally have a higher degree of digitalisation and critical departments like R&D. Statutory requirements also tend to be aligned to the size of a company. Nevertheless, due to requirements imposed by larger customers, a small company can be under considerable pressure to invest a lot in IT security, as mentioned above in the case of automotive suppliers. This may be due to the fact that data is shared with it or as a result of risk assessments demanded by the customer. Even at the offer submission stage, security requirements are one of the assessment criteria for sub-suppliers. For example, a provider of engineering services can be involved in a development project and will then have to meet the security standard for the data provided by the customer. If not, they might lose the order or risk contractual penalties.
How are investment sums allocated to security areas and products?
The German Federal Office for Information Security (BSI) subdivides its IT security baseline protection system into various modules like virus protection or intrusion detection. The modules and priorities specified by this system can be used as a guide. I recommend that you first of all consider what is the most important for your own company. Sometimes companies invest too much in new hardware without knowing beforehand exactly what they really need. And in the process, they often forget to factor in personnel costs. After all, you need specialists to look after IT security. First of all, it is absolutely essential to produce a security concept. And if necessary get outside help to do this. Afterwards, a process of consolidation may be advisable, because many companies have a lot of different systems installed. If you standardise these you may be able to work with just one security solution instead of possibly needing several. Another factor to be taken into account when planning your budget is staff training.
The ongoing costs for administration and maintenance are also likely to be a major item; how are these calculated?
A practical way of doing this could be to use time units, because the continuity of processes and the administration of software and hardware generally involve personnel costs only. In this context, it is helpful to talk to your specialists from internal production areas, as they know the company better than external consultants. It becomes more difficult if jobs first need to be created for security experts. In this case I recommend starting off with an external information security officer (ISO) and then gradually estimating the amount of work involved for an internal position. As it is currently proving difficult to find skilled specialists, you could work with the information security officer to compile a job advertisement or develop a training plan.
Due to lack of personnel, some companies purchase relevant services that are supposed to cover the entire range of requirements in the form of “security as a service” (SECaaS). What determines whether SECaaS is worth it?
In this case it is not just the monetary aspects that matter but also security evaluations. SECaaS generally needs an internet connection to work, so there are direct risks from being connected to the web. Of course I could operate an on-premise installation only without internet connection and increase security in this way. Another crucial point is whether corresponding equipment is already available in-house. If I already operate my own data centre, for example, there may still be questions of scaling but I don’t need the initial investment. However, if up till now all I have, for example, is one NAS server in the photocopying room then it will generally not make sense to establish a dedicated server room. In this case a SECaaS model is faster, more secure and cheaper. However, when opting for security as a service you need to retain an overview of the overall security concept.
What other aspects need to be considered when planning your budget?
It is very important for IT security to be managed from the very top. This is the only way to ensure acceptance in the entire company. IT security affects all departments, so it has to be organised centrally. If each department buys its own solution you will never get a sensible overall concept and IT security will not get the attention it deserves. In addition, the necessary budgets can only be established by the highest echelons. IT security does not affect the core business, which is why it is often hard to get the necessary budget for it. If you are planning to organise training this has to be done throughout the entire company and budgeted for accordingly. Again, this will only happen at the appropriate levels in the hierarchy.