The Compliance Copout
Regulatory compliance is a weak justification for security spending. Assess the risks in your organization, decide how to mitigate them and budget accordingly.
I’m not talking about how tough the threats are or how difficult the challenge is in managing complex security environments. I’m talking about how security spending gets justified.
Over the past few months I have seen a number of market studies come across my desk that all reaffirm something we have been seeing for several years. Namely, that the top driver used by security executives to justify security investment is regulatory compliance. With the growing burden of regulation, this shouldn’t come as any surprise to CSO’s readers. But it also shouldn’t be surprising when I point out that this is far from the best way to justify investment, and that’s where I feel compelled to take some of our readers to task.
The best way to justify investment is by undertaking a comprehensive risk assessment in your organization and then designing an appropriate program to mitigate risk based upon that assessment. This ensures that an appropriate level of investment is being allocated toward risk mitigation based on the needs and constraints of the business. What is happening, overwhelmingly, I might add, is that CSOs are running off to the CFO and the board with investment requirements designed to meet the compliance standards of SOX, or PCI, or GLB, and so on. The problem here is that regulations are built on a standardized set of security requirements applied across one industry, or many. What one company may do to be compliant with SOX may be entirely out of step with what is truly needed in the organization to mitigate the specific risks this specific organization faces.
Don’t get me wrong, I have been hearing loud and clear how difficult it can be to justify investment. In fact, in many of the same studies I referred to earlier, we’re finding that the number-one method used by CSOs to determine if their organization’s security initiatives are effective is professional judgment. Not metrics. Not third-party evaluations. Not ROI. Your own professional judgment. And while I agree that there is no substitute for experience, I fear that those who justify their investments by relying on regulatory compliance and then measure effectiveness via their own professional judgment are setting themselves up for a fall. Remember the days when security was sold by using fear, uncertainty and doubt (FUD)? It was very effective at the time, but as bad things failed to happen, it raised the question, “Did nothing bad happen because we had great security, or because nothing bad was going to happen in the first place?” Many CSOs lost a lot of credibility in that exercise. When you justify investment based on compliance and then measure effectiveness with professional judgment, what happens to your credibility if something goes wrong? Remember that professional judgment translates quickly into credibility. You are the experts at what you do. Just make sure that your actions are backed up with concrete reasons.
–Bob Bragdon bbragdon@cxo.com