This year, we can expect presidential campaign promotion to slowly kick into gear. Early next year, advertising will pick up, and by summer there will be so much media hype that we will be colossally sick of it long before the actual November 8 election. Then, in 2017, all will be silent. Why? Because, for obvious reasons, spending on presidential campaigns runs on a four-year cycle. Information security and disaster recovery budgets run on cycles too, but IT professional may be surprised at how budget cuts and other factors drive them.
Whereas the monthly budget for presidential campaigns builds up exponentially until the event itself and then declines afterward, information security and disaster recovery budgets peak after major events such as the recent Sony hack and ISIS-sympathizers hacking U.S. military social media accounts. For a while, companies pour funding into the affected areas … in fact, I owe my career to the Loma Prieta earthquake in 1989 and the effect it had on my then-employer.
But memories are short and budgets are tight, and – as long as some new catastrophe doesn’t hit the headlines – someone (not in IT) will say, “Why are we spending all this money? This has no ROI for the business! Cut, cut, cut!” Funding plummets until the cycle begins again.
IT people know better. And they are worried about this tendency to cycle budgeting in these critical areas. That, I believe, is why the results of a recent survey of IT professionals, commissioned by Sungard Availability Services*, were so clear. When asked what should be last to receive budget cuts, 51% said that security planning programs should be the last thing to receive budget cuts. Close on the heels of that answer, 42% said that disaster recovery testing should be last in line for budget cuts.
You see, IT people know the facts. For instance, they know that, in 2014, the average organizational cost of a data breach was just over $5.85M – 15% higher than in 2013. They also know that companies spend an average of $686,000 per hour when experiencing downtime. ROI? The ROI for information security and disaster recovery testing is huge. It just happens to be measured in terms of what you don’t lose and what you don’t spend.
When it comes to information security and disaster recovery spending, there are three flavors of company. The first flavor is not required to adhere to any rules and regulations, for example, those dictated by the Payment Card Industry (PCI) compliance standards. So they don’t. Budgeting is easy, because they don’t spend any money in these areas.
The second flavor of company is required to abide by certain rules and regulations. So they do. Just enough. They’re in compliance, and that’s good, but don’t suggest going above and beyond the minimum, thank you very much.
The third flavor of company insists upon taking an active approach toward information security and disaster recovery, regardless of the headlines and regardless of any rules and regulations that apply to them. They spend a fair chunk of change on these programs in fair weather and in foul.
Here’s the kicker: if there is an adverse event in the news, flavors one and two get hysterical because they realize that they are not fully protected. There’s a flurry of spending for a while, then the cycle continues and spending drops off again to pre-headline norms. Companies of flavor three can pretty much ignore the news. They’re covered, and they know it.
And what about if an adverse event isn’t in the news … it’s on the doorstep? Well, flavor three companies have a good chance of bidding it adieu and getting on with their day. And if it does manage to get “into the house,” they can minimize the damage and the length of stay.
Companies one and two? Well, that depends on where they are in their budgeting cycle. If they’re at low ebb on spending, then it’s possible that a company hack or disaster will show them the true ROI of information security and disaster recovery.
The bottom line is this: it’s time to break out of the information security and disaster recovery budgeting cycle – and provide continuous protection (and ROI) for your company.
*The survey, conducted by SurveyMonkey Audience, reached 276 IT professionals and was completed in December 2014.
This article was previously posted on Forbes and Sungard Availability Services.