Who pays for InfoSec?

Protecting our digital assets has a cost, and that cost must be lower than the cost of losing those assets.

Who must pay for this cost?

Information security is no longer an IT-centric responsibility. Whether its leadership sits inside IT (the CIO) or outside it (the CISO), individual responsibility and accountability are the way to go in organizations that aim for digital trust both inside and outside the company.

Once we identify the System, Process and Control Owners, we can assign the cost of cybersecurity controls according to the value of the information those controls protect.

Traditionally, the cost of implementing and operating information security controls has been assigned to the technical department that knows how to operate them. That is like charging the electricity bill to the facilities department instead of charging each department according to its use of the resource.

Distributing the cost of information security in proportion to the value of the information each department uses and creates is a new vision, and one that reinforces the importance of knowing and protecting all critical digital assets throughout the organization.

Yes, the CISO is the guide, but each department should contribute its share of the budget for the controls assigned to it. The higher the value of your data, the higher your financial contribution to the InfoSec budget.

If you are interested in learning more about InfoSec accountability, the following article may be of interest: CO, PO, SO: The pillars of GRC accountability
