Rational Survivability

Gunnar Peterson’s been on a tear lately regarding how security spending is out of control and out of alignment with the business. 

He wrote about it here in a post titled "Network Security Budget Cruft – Why you are probably spending waaayyy to much on network security" and this morning pointed us to an interview he gave on the same topic with ITBusinessEdge.

Here’s the Reader’s Digest version:

Question: Is the realignment important?

Peterson: I think it is a big deal. I really think IT security is out
of control; in many cases, they are spending $10 to protect something
worth $5, and in other cases they are spending a nickel to protect
something worth $1,000. If you look at the numbers objectively, you see
why it is out of control, and you can use the investing habits of the
business to improve the situation

Coincidentally, I am giving the keynote at this year’s Information Security Decisions show in Chicago on November 5th and will be discussing about how "Security" needs to embrace disruptive technology and innovation. 

One of the most important facets of this presentation is how security managers must build and manage a strategic security portfolio with investments made over time that align to the business; if you can’t demonstrate how what you do supports the strategic initiatives of the company, you’re in a bad place.  The business innovates driven by the need to corner competitive advantage.  Security needs to do the same:

Question: How do you start building a case to confront the issue?
Peterson: You
take the budget and prove it in numbers. When you look at how the
business invests and see how security invests, many times it is the
opposite. You have to ask questions about that. It’s not a one-to-one
match. That should be the starting point, and if you want to invest
more in other areas, the burden is on you to prove [it is justified].

As Gunnar alludes, if it were easy we’d be there already and it’s really important to understand that when we talk about these things it should be understood that it’s not going to happen overnight:

Question: These spending habits must be pretty deeply engrained. It must be a big challenge to turn it around.
Peterson: It
is going to be hard to change some of these things overnight. The
company has licenses, legacy investments. I would look to where the gap
is coming from. When you look to resolve this, I think investing in
training and awareness can go a long way. It can’t completely solve the
problem, but can help by [for instance] showing them how to write more
secure code, training database administrators to configure their
databases more securely. Doing that is not a huge investment, but
ultimately having people helping to bridge the gaps is a huge advantage.

I think Gunnar’s topic goes hand-in-hand with the discussions we’ve been having lately regarding the misalignment and missing language used to describe what we do.  IT security is one of the only crafts I’ve seen where transparency and accountability for spend and alignment are represented as being too difficult and allusive to demonstrate.  From Gunnar’s initial post:

Awhile back, Dan Geer posed the following questions

How secure am I?

Am I better than this time last year?

Am I spending the right amount of $$?

How do I compare to my peers?

What risk transfer options do I have?

Dan asserted, and I agree, that these are perfectly reasonable for
senior management to ask, virtually any part of a business can provide
some enlightenment on them, and the exception is infosec which has
virtually no way to answer any of these today.

These questions are not only reasonable but required.  If you can’t answer them — and articulately defend your assertions, then you’re most certainly engaged in the practice of the bastardized and neutered ugly stepchild version of "Information Security" that our industry has become.

"I don’t know," "I guess so" and "we use a firewall and SSL" aren’t professionally-accepted answers in most career paths to these questions, why are they in ours?

Thanks for the great read, Gunnar.

/Hoff

*** Update: In a freaky bit of coincidence, Alex Hutton was remarking on a comment I made on Shrdlu’s Layer8 blog regarding security investments and pointed to Gunnar’s post also.  Alex’s questions are really good…