Increasingly, IT leaders are using a risk-based model that directs security spending to the places where a breach would cause the most damage to the business. Companies such as Textron and Standard Chartered Bank are already headed down this road, using metrics to prioritize security risks and allocate resources to mitigate them more efficiently. Some companies use a dashboard to keep an eye on all of those security metrics from a single console. Some classify data at different security levels -- much like intelligence agencies do -- so they can match the security effort to the classification level.
This new model is replacing "gut feel" decisions with equations like Risk = P x L, where P is the probability of an event that will cause a financial loss of L. It's a far cry from installing a firewall. But a business-driven, cost-benefit approach to security investments is something the chief financial officer, CEO and board of directors can embrace, which may be the most important benefit of all.
Mitch Betts is executive editor at Computerworld. Contact him at mitch_betts@computerworld.com.