Budgeting for Information Security

How much should you spend this year?

Opinions expressed by Entrepreneur contributors are their own.

Q: I've heard all about virus protection, managed services, security audits and the like, but I'm not sure how to budget for information security in the new year. Can you help?

A: While it is good that you are at least thinking about spending some money on information security, there is less of a canned response here, and no particular percentage of gross sales to spend. For marketing, labor or cost of goods sold, there is usually a recommended percentage of gross sales to spend or to use as a budget. We haven't progressed to that point for IT/information security yet--the key word here is yet.

On the one hand, information security is like insurance. Many senior-level executives struggle with the fact that spending money in this area does not necessarily add direct value to a company's product or service. Neither does spending it on property insurance. Whether a business spends a dollar or a million dollars on a particular insurance policy doesn't matter to the consumer or to the value he is looking for. Insurance does guarantee reliability of supply, but that is indirect value. The amount you should spend on an insurance policy depends on what you want to insure. If you are a small operation with few computers and limited use of the Internet and e-mail, then your risk of loss is lower, requiring less insurance. If your business is an e-business and you carry out transactions on the Internet supported by intensive e-mail communication, then insuring your information and making your networks secure are of paramount importance. Spending more on insurance makes sense in this higher-risk situation. As you can see, there is no set percentage in either case, but there is a relative risk factor that can be evaluated to help guide what should be spent on information security.

On the other hand, many companies, both large and small, fold the information security budget into the overall IT budget. Historically, budget managers look at IT infrastructure costs first, hardware second, software third and then, if there is enough money left, information security. This is like adding a room to a house and then, if there's money left, insuring it against fire and damage. Without enough insurance, the risk of loss increases. Without enough information security, the risk of intrusions, viruses and security breaches goes way up. Therefore, if information security is to be included in an overall IT budget, it should be the first component evaluated.

The other related factor is the manpower required to run an IT department and implement the budget components. Companies will budget for the IT manager, the hardware manager, the software manager and the related programmers and specialists. Again, historically speaking, the budget for the information security manager or programmer comes last, if there's money available. This is a common situation, which is why you see security for information systems outsourced to third parties. This outsourcing still has to be budgeted for, but it is usually easier to budget for than a person or an increased headcount. Within this outsourcing budget can come money for an information security audit, a plan to make sure all systems remain secure, and the ongoing monitoring to make sure that any new hackers, viruses or intruders are kept at bay. In the world of information security this is known as managed services. For a company's information network, outsourced security services eventually add reliability and peace of mind. This can eventually also add some indirect value to a company's products and services.

Michael Bruck is the founding partner of BAI Security, an 8-year-old information security consulting firm. Bruck leads his security team with a successful 16-year background in IT management and senior engineering positions. He is also the developer and author of best practices that are becoming standards in the information security consulting business. He can be reached via or by e-mail at .

The opinions expressed in this column are those of the author, not of All answers are intended to be general in nature, without regard to specific geographical areas or circumstances, and should only be relied upon after consulting an appropriate expert, such as an attorney or accountant.