Searching for Return on Security Investments

Monday, November 02, 2009

Andrew Baker


There are several major challenges to the successful implementation of good information security in many organizations today.  It is not because business owners do not think that security is important.  No, the issues exist because they do not grasp the complexities inherent in the Information Security profession, and thus make decisions that fail to account for the many nuances of a proper security posture in today’s business environment.

Here are the major challenges to good InfoSec:

- Misconception of Information Technology Complexity
- Misunderstanding of Information Security
- Underestimation of Business Risk
- Insufficient Staffing & Training

Information Technology is NOT getting simpler

Don’t let anyone fool you: technology may make it easier and faster to get results, and it may allow us to do many more things than in the past, but it doesn’t make things simpler.  Nor does it really reduce costs.  Ultimately, it just facilitates the transfer of costs from one place to another, whether inside the organization or outside of it.

I will address the misconceptions associated with IT complexity in more detail in an upcoming post, but suffice it to say, complexity is tied very much to risk. And our business environments grow more complex each day as we employ increasingly sophisticated technologies to try to do more with less.

Misunderstanding of Information Security

Over the past few years, I have seen many of my colleagues and associates attempt to present requests for Information Security tools and technologies as they would for all other technology investments.   I look around on various websites and discussion forums and see people saying things like:

“We (security professionals) have to learn to speak the language of the business if we expect to get security investments approved.  The ROI needs to be clear.”

Let me say that I cannot agree with this sentiment, because it does not adequately reflect what Information Security is all about.

InfoSec is about risk mitigation.  It’s about preventing or reducing incidents that negatively impact the business, and also dealing with the after effects of security incidents.  It’s about protecting critical business data and strategic information from external and internal enemies of the business, and also engaging in forensics after attacks or attempted attacks.

At the end of the day, Information Security is about identifying and mitigating risks through people (education), processes and technology.  In very few cases is there a standard Return on Investment (ROI), despite how fond people are of trying to get an ROI for everything.  This is because security investments are about revenue protection, not revenue enhancement.  They are about ensuring the continuation of the business in the face of ongoing threats – some known, and some unknown.

(You could argue that revenue protection – ensuring ongoing revenue – is at least as valuable as revenue improvement, but that’s a different discussion.)

- What's the ROI on your business continuity plan?
- What's the ROI on your flood insurance?
- What’s the ROI on your life insurance?

Good information security (people, policies, technology) reduces the chance of a business ending event – and that is really the way it needs to be sold.  As business owners and senior executives already understand the concept of insurance, this should be a much easier sell.

Trying to force the information security peg into a hole shaped for other technology expenditures will lead to frustration.

PLEASE NOTE: This does not mean that I think there doesn’t need to be some standard of justification for information security purchases.  There must be a way to properly articulate and calculate the benefits being provided against the costs that will be incurred.  It’s just that the concept of risk must be a core component of the calculations in order to avoid flawed conclusions.

Underestimation of Business Risk

Most businesses, particularly small businesses, are not equipped to understand or identify many of the technology-based risks that they face.  For instance, they believe that because they are not banks, they do not have information that is valuable to an attacker.  Or, they believe that because of their size, attackers will not be interested in what they have.

This perspective ignores the fact that there are multiple types of threats that every internet-connected business regularly faces:

- Honest Mistakes
- Disgruntled Workers
- Random/Scripted External Attacks
- Targeted External Attacks

Honest Mistakes can occur through server and network configuration errors by administrators and other technical staff.  They can also occur through well-meaning employees who attach the wrong files to emails, send data to the incorrect addresses, fall for social engineering attempts, or leave critical data on systems that get lost, stolen or breached in some other way.  These problems happen with extreme regularity, as does the unfortunate opening of malware-laden emails.

Disgruntled Workers can cause all sorts of problems for an organization for any variety of personal reasons.  Over the past few years, there have been a number of news accounts of disgruntled staffers selling or giving away vital corporate information to competitors, or otherwise exposing a business to liability.

These first two categories, known as insider threats, make up the bulk of security incidents – by a huge margin. Some reports put them as high as 75% of all reported security incidents.

Random/Scripted External Attacks are occurring all the time, with ever-increasing frequency. These attacks not only target operating systems, but the applications that run on them.  While there are various actions that individuals and organizations can take to make themselves safer on the Internet, it must be understood that the bad guys are also making adjustments to get through those defenses.  Today’s solid defense is tomorrow’s feeble deterrent, and new methods need to be employed all the time to improve one’s security posture.

Scripted attacks can hit you and your organization at any time.  There is no one trying to first find out if you have money, because the relative cost of initiating these attacks is tiny enough that it doesn’t matter.  Just as people don’t check to see if you would want the product they’re selling before they SPAM you, they’re not checking to see if you have money or really valuable data before they attack your network.  They’re just setting off their scripts and waiting for the data to come pouring in from their botnets.

Most internet attacks tend to start out this way…

Targeted External Attacks represent a small portion of reported attacks – probably less than 5% of all security incidents.  These involve attacks against a known target, usually with a known objective.  Industrial espionage and cyber-warfare by government agencies usually fall into this category.

Some internet-based attacks start out as a random scripted attack, but once valuable data gets captured by the botnet, the nature of the attack is made more deliberate and personal, in order to reap a much better harvest.

Most executives seem to think that this is the most prevalent type of attack (but it is not), and unfortunately, they base their decisions on protection and risk around this assumption.

It needs to be understood that comments such as the following represent a flawed understanding of Information Security:

“Why do I need to spend this $50K on a security investment when we don’t have any data that anyone would want?”

Most organizations do not know how much their data is worth to them until they have been deprived of access to it.  This is why ransomware attacks are on the rise, because if someone can hold onto data that you need to run your business, you will find it necessary to pay huge sums of money to regain access to it – or just go out of business.

Insufficient Staffing & Training

With the improvements in technology, more can be done with less.  This is even more true for cybercriminals, who are not worried about paying taxes or benefits or real estate or any of the other expenses that normal businesses have to deal with.

They have significant resources at their disposal, and are willing to use them, because the payoff is high.  You don’t hear about cybercriminals being indicted for petty crimes. No, they are masterminding schemes worth hundreds of thousands to millions of dollars, euros, or other currencies.

So, do you suppose that a small team of engineers, with a multitude of tasks, including mastering the frequent change of technology and your business, can quickly and effectively defend your organization from these sorts of issues?

Do you suppose that they might need to be trained on the latest threats, the use of the most effective tools, and other information needed to keep your organization safe?  Sure, you can decide to outsource this function so that you do not have to bear the direct costs of staffing and training the security function, but what about employee training?  Surely, we’ve gotten to the point where it is clear that information security is not just about technology, but about people and processes, haven’t we?

If your employees are not adequately trained or are overworked, you can rest assured that they will make more mistakes, and that at least some of those mistakes will have security implications.

The Conclusion of the Whole Matter

It needs to be understood that comments such as the following represent a flawed understanding of Information Security:

“This $50K would be better spent on a technology investment that gets me $150K in sales over the next 2 years, vs. this security device that you can’t even assure me will prevent us from ever being hacked!!”

This does not come close to being an apples-to-apples comparison.  If business owners and senior managers wish to boil every decision down to a raw cost or expense, then they must first start with the cost of downtime.  Not in terms of systems alone, of course, but in terms of people and productivity.

What will it cost if these users or this department is unable to work for xxx amount of time?  What projects will be impacted and what will that do to revenue?

They must add the cost of reputation.

What will it cost us if we are breached? Will there be irreparable damage done to our brand or to our ability to sell our product or service?  Will we be exposed to any liability from clients or partners?

They must add the cost of intellectual property falling into the hands of a competitor.

Will our value proposition or competitive advantage be destroyed?  Will we have to engage in costly litigation to prevent their use of our technology?
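As an added illustration (not part of the original post), here is the risk-weighted comparison described above written out in Python: each threat category carries a downtime, reputation and intellectual-property cost, and the expected loss with and without the control is set against the $50K purchase and the $150K-over-two-years sales project from the quote. The `Threat` class, the `THREATS` model and every probability, loss figure and reduction factor are constructed for illustration only.

```python
# Added example: risk-adjusted comparison of a security purchase against a
# revenue project, following the post's cost-of-downtime / reputation / IP
# framing. All probabilities, loss figures and reduction factors below are
# constructed for illustration; only the $50K spend and the $150K-over-2-years
# project come from the post.
from dataclasses import dataclass


@dataclass
class Threat:
    name: str
    annual_probability: float  # chance the event occurs in a given year
    downtime_cost: float       # people and productivity lost during the outage
    reputation_cost: float     # lost customers, liability, brand damage
    ip_cost: float             # value of IP reaching a competitor
    reduction: float           # share of the loss the control prevents (0..1)

    def annual_loss(self, mitigated: bool) -> float:
        impact = self.downtime_cost + self.reputation_cost + self.ip_cost
        factor = 1.0 - self.reduction if mitigated else 1.0
        return self.annual_probability * impact * factor


# Constructed threat model mirroring the post's four categories.
THREATS = [
    Threat("honest mistake",     0.50, 20_000,   5_000,       0, 0.5),
    Threat("disgruntled worker", 0.10, 10_000,  30_000,  60_000, 0.6),
    Threat("scripted attack",    0.80, 15_000,  10_000,       0, 0.8),
    Threat("targeted attack",    0.05, 40_000, 100_000, 200_000, 0.4),
]


def expected_loss(threats, years, mitigated):
    """Total expected loss over the horizon, with or without the control."""
    return years * sum(t.annual_loss(mitigated) for t in threats)


def compare(threats, years, security_cost, project_cost, project_return):
    """Return (avoided loss, net value of the control, net value of the project).

    A control is only worth buying when the loss it avoids exceeds its cost;
    the post's $10M solution protecting $2M of data fails this test.
    """
    avoided = expected_loss(threats, years, False) - expected_loss(threats, years, True)
    return avoided, avoided - security_cost, project_return - project_cost


if __name__ == "__main__":
    avoided, control_net, project_net = compare(THREATS, 2, 50_000, 50_000, 150_000)
    print(f"loss avoided over 2 years: ${avoided:,.0f}")
    print(f"net value of $50K control:  ${control_net:,.0f}")
    print(f"net value of sales project: ${project_net:,.0f}")
```

The point is not which number is larger, but that the control now sits on the same risk-adjusted footing as the project instead of being compared against a raw expense.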

What we need is for senior management to understand what the proper role of information security is.  What we need is for them to understand what the threat landscape looks like, and how it potentially impacts the business.

Yes, we have to be able to talk the language of the business, but we need to understand that we are in the risk mitigation business, not the new-feature-to-improve-productivity business.  And it is incumbent on CFOs and other senior managers to understand the language of risk, and apply it to all aspects of their businesses.  We live in a world with geopolitical instability, and where all sorts of pandemics can arise, not to mention cyber-warfare.

Risk MUST be more readily considered than it is today.  And it cannot solely be the responsibility of the Information Security team.

Information Security allows us to improve productivity as a by-product of not wasting resources cleaning up destructive worms or dealing with negative PR after a breach, in the same way that good health allows you to maintain a better income by keeping you out of the hospital and able to work and enjoy life.

As Information Security professionals, let's spend a bit more time educating our users, business partners and senior executives about the risks that we face, and the mitigation that we can employ.   And let us endeavor to do so as cost-effectively as possible, so that we do not try to buy $10 million solutions to protect data worth $2 million.  Finally, let us endeavor to get in front of new projects in the organization early enough in the development and deployment cycles to be effective at our jobs.

Good Information Security is like good insurance – it’s not solely about protection and prevention, but about mitigating risk and liability.  Once organizations understand that, they will begin to thank us for helping them protect their major investments and revenue streams.

This was originally posted on Talking Out Loud with ASB

Geri Fultz:
GREAT articulation of what I've been thinking all along. At first, the notion of ROI or ROSI intrigued me, but the more I read, and the more I compared info sec and IT Risk management disciplines to general security or general risk mgmt concepts, the more I thought the ROI approach was going down the wrong path. People understand physical security and the concept of "insurance", so perhaps we should adopt something akin to the generally accepted models and methods of those disciplines.

Fred Williams:
A comprehensive ROI is part of Risk analysis which is the start of the company's security policy. The security policy should have an upper mgmt champion and buy in from Sr mgmt.

Cisco has a great ROI calculator online that helps to justify the cost of their Cisco Security Agent (CSA) but it could provide some basic ROI calculations.

Andrew Baker:
Thanks, Lance

The reason that ROSI does not stand up to investment committee scrutiny is that it should be classified as insurance, not investment.