In the IT arena, security spending has traditionally been tactical, even scatter-shot, with a rationale difficult to pin down beyond a vague idea that -- to take a cue from Emil Faber, founder of Faber College of Animal House fame -- Security Is Good. The risk-based security model is an effort to change that. "Organizations are beginning to deal with risk coherently," says Chris Byrnes, an analyst at Gartner Inc. "Rather than viewing infosec as an island, they're looking across a broader set of risks."

The risk-based model can be a big win for the enterprise because it directs spending where it's needed most, resulting in stronger security. But IT groups are struggling to master the challenges of the still-new concept.

Logical Progression

In the risk-based model, IT and security managers work with business units to identify the biggest threats to the business and then set priorities for security investments. In essence, this model is a cost-benefit analysis to ensure that the security budget is spent wisely.

Clearly, then, the risk-based security model is a logical outcome of the tightening bond between business priorities and technology expenditures. Just as portfolio management and other disciplines tie IT spending to the most productive business initiatives, risk-based security prioritizes spending by the potential damage of various threats.