Consider past investments in InfoSec as another possible cause of waning support. Over the past 5 years, the InfoSec industry has been flush with security technology spending, driven by a crowded product marketplace. While most of these technologies are built on sound principles for reducing risk, they require process definition and diligent execution to be effective. Even setting aside the challenge of leveraging those technologies effectively, a general lack of performance metrics makes it hard for executives to judge whether the money invested has actually reduced risk.
The simple reality is that InfoSec needs to be viewed as an ongoing, defined investment in managing a business. Much like insurance, there is no conventional ROI for the resources dedicated to an information security program. Asking a fixed number of security staff to take on ever-expanding responsibilities is like trying to increase insurance coverage without changing the premium. Information Security is like any other business function: the funds allocated to its resources (people and technology) should be defined as a percentage of corporate revenue. This approach strikes a natural balance between the resources the program can field and the funding the business is willing to make available.
The flip side of a defined investment profile is a measurable performance plan. In other words, executives will view InfoSec like any other part of the business: as funding is delivered, a pre-defined performance standard (a result) for that spending is a natural expectation. InfoSec professionals need to demonstrate measurable improvements for the dollars spent. The simple fact that a data breach has not occurred (or has not been discovered) is no longer justification for ongoing spend, let alone for a request to increase it. Develop baseline measurements, track performance against them, and communicate the results to the executive team. Until we can consistently demonstrate and communicate performance measurements, InfoSec will be subject to unmanaged executive expectations that result in resource overload.