Information Security: Why Bother?

Sunday, December 09, 2012

Simon Moffatt


I have heard this sentiment, perhaps not put quite as bluntly as that, on several occasions over the last few years when working with clients and engineers on security related projects.  My role was to help embed a particular piece of security software, or to introduce a piece of consultancy or a business process, that would improve the organisation's security posture.

The question, often raised as a bargaining tool, usually takes the form: ‘well, I understand what you propose and I know it will increase the security of scenario X, but why should I do it?’.  In honesty, it is a good question.  Organisations have finite budgets which must cover all of IT and related services, and it is a fair requirement to have to show, either via tangible or intangible RoI, that a piece of software or consultancy will have a beneficial impact on the organisation as a whole.

Justification and SRoI

Return on Investment (RoI), or Security Return on Investment (SRoI), is clearly a useful tool for showing that a particular security related project will benefit an organisation.  An organisation will often already have a sense of whether the investment will break even quickly, before it even starts to look at the service and software providers who might implement such a project.  During the business case and feasibility study phase, a basic, high level SRoI can generally be used to judge whether initiating the project is actually worthwhile.

The main drivers for many security related initiatives have often been external factors.  I call these factors external because they are generally reactive and do not originate from the overall strategy of the business.  They include things like compliance requirements, and responses to previous security attacks or data breaches.  If these factors didn’t exist, would those security projects and budgets still be allocated?

Security as a default

Unfortunately, the answer may be no, hence the thoughts prompted by this article’s title.  Security is often not seen as essential to the business strategy, whether from a delivery, efficiency or cost-saving perspective.  It is something the organisation often feels it has to do.  “If we don’t sort the access control process out, we’ll get fined”.  “If we get hacked again, and lose more customer records, our reputation will be unrecoverable”.  Sound familiar?

Security as a default option is probably some way off the agenda for many enterprise IT strategists.  The fail-safe option is costly, complex and constantly evolving.  The emergence of the CISO role is a great step forward in bringing security awareness into the overall business strategy.  Whilst that role is currently focused on completing the ‘must have’ security practices, over time it may evolve to allow security to become the default option: default within the software development lifecycle, within new business processes, within employee attitudes, and so on.

Making this happen will take a careful balance: showing the tangible and intangible benefits of a better security posture, without restricting business or employee agility.

Originally cross posted from http://www.infosecprofessional.com/2012/12/information-security-why-bother.html

Ian Tibble: "‘well I understand what you propose and I know it will increase the security of scenario X, but why should I do it?’. In honesty, it is a good question."

No, it's not a good question. Well, OK, it is a good question if you failed to explain the risks first time around, or the risks were not carrying significant potential impact. Your case has to start with a tech foundation, then depending on who you're talking with, more or less detail is forthcoming. You can choose to use a purely managerial approach if you want (good for the image etc), but if the tech foundation is not there, the confidence will be lacking. The message will lack substance and therefore value. Anyone can quote best practices from a 10-minute Google.

Once you start talking about RoI and past incidents, you are already on a loser.

"If these factors didn’t exist, would those security projects and budgets be allocated?" this depends on your approach. You have to have covered your end of the argument in a confident way (and also gotten it in writing). Then whatever the outcome, you have done your bit.

We cannot start talking about incidents, breaches...because this is an act of desperation. We can only state the case for security investment in real terms. Talking about incidents is going down the wrong path. If you understand the actual risks, then there is no need to talk about past events. This is what leads to mistrust of security professionals, and ultimately it leads to where we are today...bare compliance security strategies.
Simon Moffatt: Hi Ian. Thanks for the feedback. Our aim as security professionals is to try and embed security from the top down of an organisation, rather than to simply fix technical level vulnerabilities. Historically, security has only really been applied at a technology level, ultimately on an as-needed basis. Security needs to be taken to the CxO level, which is where the view of this post is coming from. Ultimately many orgs will see security as a 'nice to have', not as an essential, regardless of risk.
Ian Tibble: Simon, where in my response have I even implied that our aim is to "simply fix technical level vulnerabilities"? I think you saw the dreaded four letter word "tech" and extrapolated the rest.

"Historically, security has only really been applied at a technology level, ultimately on an as-needed basis". This can be a potential result, in that I agree, but in 90% of cases, if there has been a failure at your C level, security will be non-existent.

Unfortunately the details are important. At the high level viewpoint from your position in the clouds, your messages need to be delivered with confidence. If your messages are not backed up by advice from lowly folk, call them Analysts if you will, and their manager, and their manager (depending on how many levels you are above them in the food chain) then your message lacks confidence and value.

Most importantly...you will never get ops buy-in if your Analysts are not versed in infrastructure challenges and speak the same language as ops. How many organizations will approve any changes without ops approval? Getting sign-off on a managerial, ISO 27001 type baseline policy at your level is one thing...but when it comes to implement the policy...

A purely theoretical, best practices approach carries negative value. Negative? Yes, because it's consuming valuable resources at your CxO level while not actually being applicable to the real operational, IT world - the world where the information assets actually reside.

Information Security is a phrase and then there is Information Technology. Did you notice the connection? If you try to do Information Security under the pretense that it is not related to information technology, then congratulations, you are part of the problem, not the solution.