Understanding Infosec as a Cost Center

This blog is in response to the piece called "The Cost Center Illogic of IT and Infosec" by Ryan Miller. The following post is supposed to help infosec peeps understand how business leaders see the infosec department and how you can speak their language when explaining the value of an infosec team. This article is also not talking about "security companies," or companies that sell some type of security consulting service or product, but rather your average corporation that has an internal infosec department.

Some quick definitions: an infosec team here is the team at a corporation or business that is responsible for digital security, incident response, audit, compliance, and/or threat modeling. Generally speaking, they support IT or legal in making sure the business is safe from several cyber risks, but more on this later. For the economics we will use the same definition as Ryan, from accountingcouch: "A cost center is a subunit of a company that is responsible only for its costs." Likewise, "A profit center is a subunit of a company that is responsible for revenues and costs." The difference between these definitions is revenue, which is defined as "the amount that a business earns from selling goods or providing services." So to be a profit center in a decentralized company, your organization needs to provide a good or service.

The infosec department isn't making most companies revenue; it's not the product, nor is it the service being sold, so it's not a profit center. (Side note: the reason companies want to find their profit centers is so they can measure the total return on their investments, and thus understand their growth and investment strategies.) Infosec does cost the business money, such as salaries and software licenses, so it is a cost center by our basic economic definition.

But this isn't the end of the story: being a cost center isn't a bad thing, so let's talk about cost centers really quick. For example, both the police and fire departments are cost centers, but no one is arguing that these are unnecessary services in society. Infosec provides tremendous value to an organization in terms of risk mitigation. Infosec can also improve the quality of your products, the efficiency of your team, and even your standing in the market. This value should be captured and shown to the executive team, but it is hard to capture and rarely will it translate to direct revenue or profit.

Why is this value add important to understand? Because in explaining this to your upper management you should strive to explain the qualitative value add over a quantitative value add, as the former will likely be easier to demonstrate. Granted, there is a quantitative value add in the money the infosec department has saved on issues that have occurred. While upper management is looking to maximize profits, they also understand risk, and just like the fire department, this is where an infosec team can help curb the extreme risks the organization faces. When you start thinking of it in those terms you can also see how the infosec team is a cost center with a finite budget. That is to say, the maximum you're willing to spend on infosec should be the maximum loss it can help you prevent in terms of a risk occurring. Another way to put that is that you invest in the infosec team to reinforce your other investments (which make money), not to make money on its own.

What does this mean for security or infosec teams? It means you probably have a budget, but that's okay, because hacking is all about making something work in a world of constraints! It also means you can potentially get more budget by explaining the qualitative value adds an infosec team brings, as opposed to trying to argue how an infosec team can affect the bottom line in daily operations. I hope this post helps explain the economics of most security teams, as most entrepreneurs and companies invest in their security team based on the value of what they are trying to protect.