A secure organization must understand what assets to protect, the internal and external threats to those assets and where the organization is most vulnerable.
Ongoing risk assessments help organizations locate their greatest vulnerabilities. This portion of the budget should encompass every risk assessment tool, from ethical hacking and penetration testing to social engineering.
But beware: Many security consultants advise organizations to spend more than 10 percent on risk assessment. Penetration tests, however, aren't needed throughout the network. Tests in a statistically relevant sample of the organization area can allow you to understand systemic issues and make appropriate recommendations.
20 cents: Technology
Here's where geeks have their fun. They love firewalls, virtual private networks, vulnerability scanning tools, intrusion detection systems, access control tools -- you name it.
The geeks have got it right, at least in part. Organizations must keep up with the latest technology. A single system with outdated or poorly configured software can seriously compromise network security.
But before spending huge sums on additional "techy toys," organizations should fortify their foundation by hardening existing systems. Mounting good technology onto an old, crackable system exposes the expensive, new technology to easy intrusion.
15 cents: Process, Process, Process
Security depends both on management process and technological wizardry. Ongoing, life-cycle development -- creating new processes and modifying old ones -- can keep networks humming smoothly for years. Security is a continuous initiative involving everyone in an organization, from top to bottom.
Security should be viewed as a state of mind that must be engineered into a physical system. Automobiles didn't really get safer until safety was made a goal and engineered into them. Before that, seat belts merely restrained passengers, holding them in place in what were otherwise not-so-safe vehicles.
The same holds true for networks. Until security is engineered into them, as a management goal and process, they'll be prone to intrusion.