I’ll put on my manager/owner hat, since I have one laying about the house, and will look at the receiving side of my constant cries to emphasize security spending. There, it’s on, although it seems to restrict blood flow to the part of my brain that handles technological details… never mind, let’s get to budgeting!
First off, security is very important. It’s so important, I’ll use a few more “verys” to emphasize that importance. It’s very very very very very important. But, before I can pay for security, I have to pay for a few other things.
Out of my revenue, first to go through are my loan payments. If I don’t keep current on my business loans, I close my doors. That’s a certainty. Ditto for payroll, rent, and utilities. I have to pay those, on time, every month, or I *will* close my doors.
Next up, I have to pay for my materials that I use in my business, whether those materials be solid manufacturing inputs or intangible information, it’s what I use to make my stuff. Without those inputs, my business is no more.
Then there’s advertising. I have to have that, right? I also need money for fees, which I pay to local, regional, and national government authorities in order to stay in business. If I don’t pay those, my business will certainly not be able to operate.
Now, I’ve got some money left over. Part of me wants to have a little more for myself, to compensate for all those days I lived out of my office, getting this business off the ground. That’s why I went into business, right, to make a little something for myself, over and above what The Man would pay me in a regular gig? I’ve got a business partner, as well, and we’ve been through everything together, all these years. I’ve got to give him his cut, fair’s fair.
What’s left is my IT budget. Before anyone panics, let me assure you that there’s still quite a lot of money in that pot.
But, before I pay for any security, I need to pay for my existing licenses. If my PCs don’t have an operating system, they don’t run, and I don’t have a business anymore. Then I pay for my productivity software because what’s the point of having PCs if they don’t do anything useful? No, I must have word processors, spreadsheets, and email! No compromise on that!
If I have specialized software for my line of business, you better believe there are some big-time license fees to run that stuff. But, without it, I can’t produce what my customers want. Honestly, security is important to me, you saw how many “verys” I used up there, but I have to first allocate money for what’s core to my business.
But I’m almost to security in my line-items. Let me first cover printing costs, VoIP services, Internet connections, and a new box fan for my server closet. As long as we keep the fans on and the door open, the servers won’t overheat. That’s a good feeling to have, the feeling you get when you know the servers won’t overheat.
Now that I’m ready to buy some security, please don’t bring up the issue of locks on the doors. I can lock the outside doors, but if I lock the door to the server closet, we’re finished as a going concern.
Looking at the budget, there’s not a lot, so maybe I should get the most important piece of security gear and hope it does most of the work I need it to do. I’ll get a firewall and pay for that annual license/maintenance.
Then there’s an antivirus program that’s only $21.95 per workstation when I buy in bulk, I’ll get that. I don’t know if it’s any good, but it’s at least something.
I need to buy a backup and recovery solution, so that’s going to set me back a bit.
I also have to pay for spam filtering and DDoS protection through my ISP, or I get shut down by spammers and/or DDoSers. This expenditure, in fact, should have come before the backup and recovery.
When I ask the guy that comes in twice a week after lunch to do my IT about what else I should get, he’s got a long list of cool stuff. But when I look at the prices he quotes for them, I have to shake my head. I really can’t afford to spend thousands on a big piece of hardware like a proxy server or an IPS. Maybe if I saved up, I could, but I can’t spend that kind of money right now. And don’t even talk to me about IP protection or UEBA or other big systems like that, there’s no way I can buy one of those solutions.
The thing is, security is a matter of maybe I’ll lose my business if I don’t have it. The other things are a matter of I *WILL* lose my business if I don’t have them. Will beats maybe, every time. That good feeling I have about the servers not overheating is countered by the worry I have that one day, maybe tomorrow, I’m the next small business that gets hit with something that the firewall, antivirus, and/or antispam-antiDDoS can’t deal with. But that’s a maybe, a roll of the dice.
Eventually, I learn to live with “maybe” and I just focus on running my business, the best I can.
And if all my PCs, unbeknownst to me, are secretly mining bitcoins for North Korea or participating in Mafia-run botnets, it’s no concern to me as long as I keep in business. What I don’t know doesn’t impact my bottom line.
I’m not being callow or flippant about wanting to emphasize security but simply not having the budget for it. That’s a reality. And if I get to where the “maybe” doesn’t nag at me anymore, then I can live with myself and my decisions.
I just took off my manager/owner hat and read that over. It does make sense to me. As a security person, I see all the breaches and crashes and outbreaks. But I don’t see that, for most people, these are only rumors, things that happen to someone else. Daily bashing away at firewalls, constant spam and DDoS, legacy malware trying to infect your PC like it’s 1999, those are the constants that happen to everyone. Businesses must protect against them. The other stuff, though, that’s in the realm of “maybe” and that’s not a strong enough case to justify a major expenditure, particularly one that could cut deep into the profitability of a firm.
This is a picture of the SM-70 anti-personnel mine, devised by East Germany to kill people scaling border fences to escape to the West. Its purpose was not to reduce the number of escape attempts, but to reduce the number of successful attempts. Over time, it did reduce the number of successful escape attempts, but it did not bring the total number of attempts to zero, nor did it bring the number of successful attempts to zero.
I take the title for this from the Yes, Minister episode in which the bureaucrat, Sir Humphrey Appleby, saves the political 
Fig. 1: System-wide outage
Fig. 2: Vendor making an exit from firm after system-wide outage
Fig. 3: Undesired result after a lofty promise
Fig. 4: Another botched implementation of a security product…