Jeremy Snyder spoke with Dave Sobel of the Business of Tech Podcast about why IT Security Spend is not a tax
Last Thursday, in late July 2022, I had a really enjoyable conversation with Dave Sobel about whether cybersecurity and security spending should be seen as a tax or not. If you missed the live stream and want to get my take (not a tax), here you go.
While you're at it, I also highly recommend Dave's podcast, the Business of Tech.
The conversation with Dave was relatively short, but I enjoyed the opportunity to push back on a few things. Specifically, I feel that many characteristics of taxes are really not applicable to the way companies approach cybersecurity spending. Or at least, they're not how firms should think about their cybersecurity investments.
Taxes are implemented by a nation state or other regulatory entity that everyone is subject to. That entity then sets the amount due, and also decides how that money gets used, on behalf of everyone who pays. Individual firms generally don't get the opportunity to decide how the tax that they paid is used on their behalf.
With cybersecurity spending, by contrast, firms decide on their own how much to pay. This also means that firms can choose not to pay anything. It's a bad choice, but it's a choice that they can make. Firms also decide how to use that money - how much and for what purposes.
One point that I raised is that people and corporations have a negative view towards tax. There are feelings of resentment, and there are rewards from finding creative ways to minimize your tax bill.
Many firms do feel similarly about what they have to spend on cybersecurity - resentful and looking for ways to reduce the amount spent. However, cybersecurity should be seen as an enabling function - when security is working well, firms can innovate with greater degrees of freedom.