Answering A Very Difficult Value Question Regarding Information Security
Earlier this week I was in Nice, France speaking on the topic of the impact that the consumerization of IT has on security and vice versa.
We had a really diverse set of speakers and customers in attendance.
When you can pool the input and output from very large financial institutions to small law firms against the presentations from business innovation experts, security folk, workforce futurists, industry analysts and practitioners, you’re bound to have some really interesting conversation.
One of the attendees really capped off the first day’s discussion for me whilst at the bar by asking a seemingly innocuous (but completely flammable) question regarding the value that Information Security brings to the table against its ability to provide service and not stifle agility, innovation and general business practice.
This really smart person leads the innovation efforts at a very large financial institution in the UK and was quite frankly fed up with the "No Department" (InfoSec group) at his company. He was rightfully sick of the strong-arming speedbumps that simply got in the way and cost money.
The overtly simplified question he posited was this:
Why can’t you InfoSec folks quite simply come to your constituent customers — the business — and tell them that your efforts will make me x% more or less profitable?
In his organization — which is really good at making decisions based upon risk — he maintained that every business decision had assessed against it an acceptable loss figure. Sometimes those figures totaled in the billions.
He suggested then that things like firewalls, IPSs, AV, etc. had a near zero-sum impact when measured in cost against these acceptable losses. Instead of the old axiom regarding not spending $100,000 to protect a $1,000 asset, he was actually arguing about not spending $100,000 to offset an acceptable loss of $1,000,000,000…
Interesting.
I smiled as I tried to rationalize why I thought for the most part, nobody I knew could easily demonstrate the answer to his question. Right, wrong or indifferent, I agreed that this was really a fundamentally crappy topic to bring up without something stronger than wine. 😉
It turned into quite an interesting conversation, during which I often found myself putting on various hats (architecture, security, operations, risk management) in an attempt to explain — but not justify — the status quo.
I demonstrated what I thought were some interesting counter-questions but for the most part found it increasingly uncomfortable each time we ended up back at his initial question. The more complex the answers, the more they diverged from the concept he was focused on.
Imagine if you were the CSO and were being asked this question by your CIO/CFO/CEO as the basis for the on-going funding of your organization: "We can comfortably sustain losses in the hundreds of millions. Why should I invest in security when you can’t demonstrate that you enable my business to achieve its business goals in a way which can make us more profitable or offset my acceptable losses?"
It’s why businesses exercise any option to swerve around the speedbumps IT/Security are perceived as being.
Heh, 🙂 it is a general misunderstanding, but from a black PR perspective things can get quite nasty. Let's have a look at the TJX case. The group's stock has dropped dramatically since their security breach (billions of lost revenue). What are the chances of this happening to the organizations in question? What are the chances of a global warming catastrophe? We don't know! However, what we know is that we can make it damn hard so it is less likely to happen. I don't think that there is anyone who can argue that.
Ah, the old "it's an insurance policy" argument…
The problem is that given the option, many people simply wouldn't buy insurance if they didn't have to by law given their appetite for risk.
This was the gentleman's point; why should the business continue to have to keep buying all this security stuff when it doesn't offset his acceptable loss? All it does is cost more without demonstrating that it quantitatively improves the risk posture.
Making it "…damn hard so it is less likely to happen" only goes so far in an argument in an industry that continues to show contempt for business process by not demonstrating "value" like every other element does — by appearing on the P&L and demonstrating how it contributes to bolstering the bottom line.
There is so little transparency in what we do because the efforts are communicated as black magic, and it's not. In many cases it's purely treading water doing the best we can to slow down the opponent.
What's the worth, exactly? If you can't calculate that, it's not fair to suggest that anyone asking the question is wrong in doing so…
By the way, the gentleman I was conversing with had a PhD in Statistics… 😉
Thanks very much for your comment.
/Hoff
Speaking out of school here, but security isn't the only corporate function that has this trouble. Marketing wrestles with the ROI question. HR, I believe, exists mostly as a compliance function (from the beancounter POV) and there's always some gravity pulling security in that direction also.
I still think that with good information sharing, we'd eventually wind up with something like actuarial tables for determining appropriate security spending. But that's certainly a long way off.
ds
Call me insecure, but the British gentleman's question is dead on. I'm the ISO at a small financial institution and I constantly play devil's advocate with myself in asking this very same question. Our organization is small enough and still so uptight that doing security is simply a given, if only to meet compliance requirements. My challenge is to show value given my bank's risk appetite. And, frankly, if management isn’t challenging me in this regard as well then I don’t think they’re doing their job.
At the end of the day all that matters is what kind of loss the organization can sustain. I don’t think actuarial tables for security risk will ever happen. Instead, I believe this is part of the maturity cycle, and the evolution will be intuitive and anecdotal as ISOs, CIOs, and CEOs come to understand that while some loss is inevitable, catastrophic failures such as TJX will be rare given a modicum of common security sense. I think we're already to the point where a business can reasonably say "I'll just take my chances" as a response to a given risk. To steal Hoff's metaphor from a previous post, infosec risk is a colander, and we'll accept larger and larger holes as time goes on. I think we infosec folks will continue to be necessary and valuable as managers of increasingly commoditized security programs, but we’re going to be called to the mat and asked to prove our worth in dollar terms. FUD and “best practices” are going to be harder and harder to sell.
As if the pictures of Worldcom and Enron executives being led in handcuffs to their court hearings isn't enough? =)
But here's one of my little secrets: at a bare minimum, security is loss prevention. Now the fun part is: how do you measure losses that haven't happened because you prevented them? About all you can do is look at the cost of breaches for other people and say "hey, we extrapolated from what happened here and look, we saved you money!"
The other side of the coin is this: fire all your security staff, see how long you last, then rehire them because you now know the true cost/benefit comparison. But then again, I've been on vacation for a week, so I'm a little feisty.
@Rybolov:
1) I actually asked if they had baselined their risk posture WITHOUT firewalls and InfoSec staff in place. Of course they had not, but that's neither here nor there in his mind.
It's really a backwards/sideways way of skirting the issue. Asking me to prove the corner case as a roundabout justification that the InfoSec team themselves can't make is, well, a huge piece of the problem!
And just so I'm clear, you're suggesting we're able to link the installation of firewalls and A/V, etc. (technology) to the ability to stem losses by preventing corruption and fraud that is social in nature?
Those controls are slightly out of scope from this discussion…and if you're about to say that this is all part of "risk management" I'd agree with you. But that's not what we're talking about here…we're discussing "information security" which, as it is practiced today, is *not* risk management.
That must've been a long week off 😉
/Hoff
By coincidence (or was it conspiracy?) I was posing a similar devil's advocate question to David Lacey http://www.computerweekly.com/blogs/david_lacey/2… and Stuart King http://www.computerweekly.com/blogs/stuart_king/2…
Sounds a good project, trying to find out which controls really matter, in what context, and by how much.
It was a fantastic week, although somebody got the great idea to put a full-fledged doppler radar on top of "mah buildin'". All I have to say is "Good luck getting the FAA, FCC, and a handful of other government agencies to agree with you, Dulles Airport being 5 miles away and all."
And no, we have the same ideas on this, you should know that by now… once you put the cost/benefit/risk comparison in, you're doing risk management. Otherwise, you're just a cost center. Cost centers are a target for reduction.
Some info security efforts can show this kind of return; for example, automating identity and access management can often demonstrate a real ROI based upon efficiencies in customer sign-up/service and order processing.
If nothing else, this reduces cost by n%, thus increasing profit.
One other thing you can demonstrate is that current recovery cost from an incident is at a minimum $90 per record compromised, not to mention loss of business due to damage of reputation.
Rich Bejtlich had a ton of stuff on this back in July, as well: http://taosecurity.blogspot.com/2007_07_01_archiv…
(look for the 'ROI' posts…)
Bejtlich? We don't need no stinking Bejtlich!
I was in on that set of rants, btw.
See my masterful equalizer (from July also) that suggests ROI should be replaced by RROI. I'll let you read it to figure that out… http://rationalsecurity.typepad.com/blog/rroi/ind…
/Hoff
Security does more than (allegedly!) reduce losses and noncompliance fines. It is also a confidence booster and business enabler, in the sense that managers feel they have better control over outcomes of, for example, the launch of new web applications. With no security in place, someone asking those awkward "What if?" questions the day before go-live will give the managers a sleepless night.
Hence, security = management sleeping pill.
That equation works at another level too. Information security, as a subset of risk reduction, is inherently boring. Families waiting for a rollercoaster ride at a theme park don't want to know anything about the ride's safety arrangements, on the whole. The ride designers deliberately make the rides as scary and hence thrilling as possible, while actually making them as safe as humanly possible. OK, managers aren't exactly thrill seeking theme park patrons but many believe their job is to take chances, push their luck further than their competitors but just shy of losing the farm. The No Department is far too conservative and, yes, deadly dull.
[By the way, I parachuted in to a No Department once, as acting/interim infosec manager replacing someone who left at short notice. It was a horrible situation for all involved and a real downer for me too. Application development teams and others would avoid us like the plague because they already knew the answer would be "No!". It took about 2 months' effort to turn the team's attitudes around, as far as "Yes, but" anyway. We made what I called calculated compromises, with the aim of not dropping any real big clangers but, more importantly, re-engaging with IT and the business. As the team's contacts and self-esteem rose, so did morale and productivity. From a black start, I was sad to leave them behind and move on to my next assignment. I wonder how things turned out.]