Jeremiah Grossman brought to my attention a philosophy for creating security budgets. This philosophy was proposed by Gunnar Peterson and is very simple. The best way to determine how much to spend on various parts of security is to look at the IT budget and how it is allocated. Draft the security budget to have the same allocations. Then tweak where things don't make sense.
The issue with the current budgeting process is that it takes into account what has been done before and what seems scary going forward. Most of the spend is focused on the network and almost none goes to the application. As Gunnar says in a different post: “...they are spending $10 to protect something worth $5, and in other cases they are spending a nickel to protect something worth $1,000. If you look at the numbers objectively, you see why it is out of control...”
Some of the comments on Gunnar's blog talk about how doing things this way isn't very strategic. But if the security spend is based on the business spend, and the business spend is strategic, I don't understand how the security spend would not be strategic.
Making the shift to looking at security budgets in this way seems like a simple thing. Is there something I'm missing that is making this challenging for people?