Amrit posted a really nice piece about what drives spending on security. I agree with his three reasons: an incident, a requirement/law, and insecurity impacting availability. I think I’ve known and accepted this for some time, with caveats. One thing to notice about these three reasons: they are objective, firm reasons that you can measure; binary, black or white, on or off. I think many organizations drive security spending in exactly that fashion, even some that won’t admit it to themselves.
However, if Amrit is correct, then there should be many companies that do not even follow best practices like using passwords, at least not until they suffer an incident. I can’t quite buy that.
I don’t buy this because the reasons he says do not drive IT security spending do in fact drive security spending in some places. Some people do believe in security ROI and enablement, some companies do try to be proactive, and others do afford their security curmudgeons enough credibility to drive spending based on their risk assessments.
For instance, some people do buy alarms for their house, not because they’ve had an incident, are required to, or because it helps availability. It’s because their personal, subjective risk assessment tells them it will prevent something bad from happening. They understand the potential incidents that may occur, and make a value judgement based on their comfort level, their environment, their assets, and their available funds.
But if I had to set expectations for security spending, Amrit’s reasons are the ones I would bet on. There are plenty of organizations whose security spending is entirely based on those three reasons.