Security spending could be compared to the stock market. It increases and decreases depending on intangibles such as how “at-risk” the organization feels rather than on objective measures such as the number of cyberattacks, vulnerabilities or data breaches.

An organization may put technical controls in place, educate employees and establish new policies immediately following a breach, but over time the technology becomes outdated and no longer protects the organization as it should. Memory of the breach fades, causing exceptions to be made to the firm’s policies and leading to forgetfulness in employee adherence to best-practice procedures. Eventually, another incident causes the organization to spend money again, and the cycle starts all over.

This situation is detrimental to companies in two ways. First, it results in periods when the organization is quite vulnerable. Also, in the end, more money is spent on security than would have been required if security spending were consistent from quarter to quarter. In fact, effective IT security solutions contribute to business success and profitability. Let’s explore this by looking at major areas where security dollars go; technology, governance and training.


Technology such as firewalls, Intrusion Detection Systems (IDS), antivirus software, authentication systems or auditing and alerting systems, is essential to protecting organizational information assets but technology is quickly outdated. More-sophisticated attacks or better equipment on the part of the attackers necessitates increased investment by organizations to protect themselves.

Consistent spending keeps technology up to date so that it continues to address current risks. It is also much easier to make incremental improvements to address new risks rather than design a completely new solution. Those who maintain security systems have a better understanding of how the product protects against threats and how it can be modified if necessary.


Governance includes the policies that spell out the organization’s approach to information security such as how users will be authenticated, how data is classified, roles and responsibilities and sanctions for those who do not follow policies. Procedures document how specific tasks are performed to accomplish what is set forth in the policies. When security spending is consistent, policies are updated so that they are in line with business objectives. When inconsistent, policies may conflict with business objectives and the policies are either ignored or business objectives are not met.

Similarly, consistent security spending allows for procedures to be updated as technology and forms of attack change. When spending is irregular, procedures may be followed but won’t adequately protect the organization or informal undocumented procedures may occur — which affects operational effectiveness. Lastly, policies are enforced when security spending is systematic, leading to regular patterns of behavior and a culture that sustains security rather than obstructing it.


Training is also more effective with consistent security spending because it keeps security awareness top of mind. Otherwise, employees will need to be completely retrained on information security because much of the information is forgotten.

So how is security spending addressed in your organization? Is it consistent and proactive or inconsistent and reactive?