What is Security?

Friday, November 19, 2010

Danny Lieberman


So what is security anyhow?

Security is not about awareness.

A lot of folks talk about the people factor and how investing in security awareness training is key for data protection.

I think that investing in formal security awareness training, internal advertising campaigns and all kinds of fancy booklets and cards for employees is a waste of time and money.

I prefer a CEO that says “here are my 4 rules” and tells his staff to abide by them, who tell their direct reports to abide by them until it trickles down to the people at the front desk. Making common sense security part of the performance review is more effective than posters and HR training.

Security, from this perspective, is indeed an exercise in leadership. Unfortunately, in many organizations, the management board sees itself as exempt from the information security rules that it demands of its middle managers and employees.

It might be a general manager bringing his new notebook into the office, jacking into the corporate LAN and then attaching a wireless USB dongle, effectively bridging the corporate network to the Internet with a capital I, not understanding and not really caring about the vulnerability he just created.

Security is not an enterprise GRC system

If you take a look at the big enterprise GRC systems from companies like Oracle – you see an emphasis placed on MANAGING THE GRC PROCESSES – document management and signature loops for ISO certification, SOX audits etc.

I suppose this makes the auditors and CRO and Oracle salesperson happy but it has nothing to do with making secure software.

In my world – most hackers attack software, not audit compliance processes and GRC documentation. In other words – managing GRC processes is a non-value add for security.

Security doesn’t improve your bottom line

Have you ever asked yourself why security is so hard to sell? There are two reasons.

1) Security is complex stuff and it’s hard to sell stuff people don’t understand.

2) Security is about mitigating the impact of an event that might not happen, not about making the business operation more effective.

Note a curious trait of human behavior (formalized in prospect theory, developed by Daniel Kahneman and Amos Tversky in 1979): people (including the managers who buy security) are risk-averse over prospects involving gains, but risk-loving over prospects involving losses.

In other words – a CEO would rather take the risk of a data breach (which might be high impact, but low probability) than invest in DLP technology that he does not understand.

Managers are not stupid – they know what needs to be done to make more money or survive in a downturn. If it’s making payroll or getting a machine that makes widgets faster for less money – you can be sure the CEO will sign off on making payroll and buying the machine before she invests in that important DLP system.

Since almost no companies actually maintain security metrics, the cost of their assets and the cost of their security portfolio in order to track Value at Risk against security spend over time – a hypothesis of return on security investment cannot be proven.

Indeed – the converse is true – judging by the behavior of most companies, they do not believe that security saves them money.

So what is security?

It’s like brakes on your car. You would not get into a car without brakes or with faulty brakes. But brakes are a safety feature, not a vehicle function that improves miles per gallon.

It’s clear that a driver who has a lighter foot on the brakes will get better mileage, and continuing the analogy, perhaps spending less money on security technology and more on security professionals will get you better return on security investment.

Challenge your assumptions about what makes for effective security in your organization.

Is enterprise security really about multiple networks and multiple firewalls with thousands of rules? Perhaps a simpler firewall configuration in a consolidated enterprise network is more secure and cheaper to operate?

Cross-posted from Israeli Software

Jamie Adams
Danny, as always an excellent post. I especially like the leadership reference and why security is so hard to sell. I develop and sell a security product (OS hardening to be exact) and it is like selling "insurance" to people. If someone has never experienced a hurricane or earthquake, they're less likely to buy insurance. Especially if they don't believe they are in a location which is susceptible to such events. Thanks for another great post.
Anthonie Ruighaver
Danny: I'd like to extend your statement of "challenge your assumptions about what makes for effective security" to "challenge your beliefs and assumptions about what makes for effective security".
I find that few security professionals are willing to challenge their beliefs.

For instance, your other statement about "companies do not believe that security saves them money" is reflecting on the fact that for most organizations information security is about money, but unfortunately most security professionals do not share that belief. They believe that prevention of incidents is the ultimate goal of information security (a belief that is unfortunately reinforced by them being blamed when a major incident occurs).

As a result most current approaches to information security do not provide for an adequate reduction in the total cost of security incidents and security investments: for most organizations that have a reasonably large security budget "security does not save them money".
Funnily enough, many small companies that do not have a reasonable security budget are still on that part of the curve where security does save them money.
Danny Lieberman
Anthonie,

That is really an excellent insight - noting that most security professionals see prevention as their mission and not cost-effective security for the operation.

The notion of "saving money" is a bit vague and often misused by security vendors and even by auditing organizations like COSO who should know better but get carried away by rhetoric of how compliance and security improves the operation - perhaps on an ethical level but not in the P&L.

There are direct and indirect costs in a business.

Consider a manufacturing company.

For direct costs, like the cost of producing goods, security doesn't save money at all.

For indirect costs, like sending quotations and price lists to customers, security is an overhead to the communications and software costs involved in secure data transfer. For indirect costs - the COST-EFFECTIVENESS of security is of supreme importance - if the product and support is more expensive than the benefit and if the UI is so clunky that sales people just ignore it and bypass the system using their iPhone or gmail accounts - then the security component to the secure data transfer is not cost-effective.


Anthonie Ruighaver
Yes, the problem is in the concept of "saving money". A car without working brakes will have an accident without any doubt, so repairing the brakes will save money. But how do you save money if you prevent something from occurring that was not very likely to occur anyway?

So, if the cost of producing goods is regularly influenced by security incidents, improving security could save money. But trying to prevent all potential incidents is likely to cost lots of money, not save money. As not all incidents can be prevented anyway, you'll need incident response capability to try to save money by containing incidents. Again responding to every incident may not be cost effective, so you will need to have a strategy to ensure incident response costs are managed so this necessary aspect of information security does save money.

Furthermore, some detective controls may add value by identifying security events before they become a major incident. As detective controls can sometimes be cheaper or more broadly focused than preventive controls, it is important that security experts understand that incident response is part of information security and not necessarily a sign of failure of information security.

Finally, some (but not all) incidents may impact the reputation of the company or the brand value. For those incidents "saving money" may not be the main concern, but cost-effective security still is. Understanding the law of diminishing returns is crucial if prevention is your main option.
Danny Lieberman
Putting it all together - we use a business threat modeling approach where there are business assets, threats, vulnerabilities and security countermeasures. Business assets have value, threats have a probability of occurrence and cause financial damage to the assets, and countermeasures cost money. Once you have a dollar-based model like this - you can calculate Value at Risk, thereby creating a common language between the business decision makers and the security team.

Creating that common base for discussion, is I think where every organization needs to be.

More about quantifying asset value here --
Anthonie Ruighaver
I agree, but then the real problem starts. How much security and what is the best strategy. And, how do you best cope with uncertainty.

I am, in particular, interested in the balance between preventive security and incident response. At the moment, there is no balance. It's all about prevention. And, trying to continuously plug holes in your preventive controls (for instance through pen testing) is the wrong strategy if the objective is to manage the cost of security.

So, if you have your dollar based model, consider how this model changes if you have adequate detection and incident response. Threat modeling will need to take into account existing security measures and the choice between prevention or early detection can have a dramatic impact on the cost-effectiveness of your security approach.
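Danny's dollar-based threat model (assets with a value, threats with a probability and a damage, countermeasures with a cost) and Anthonie's point that adequate detection and incident response changes that model can be tried out numerically. The Python below is an added example, not code from the post or from either commenter. It assumes a simplified model: each threat is independent and strikes at most once a year, a preventive control is represented as reducing a threat's probability, a detective/response control as reducing the loss per occurrence, and "Value at Risk" is the exact quantile of the resulting annual loss distribution. The manufacturing-company figures are constructed for illustration.

```python
"""Dollar-based threat model: assets, threats and countermeasures turned into
expected annual loss, Value at Risk and return on security investment."""
from dataclasses import dataclass
from itertools import product
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    value: float            # dollar value of the business asset


@dataclass(frozen=True)
class Threat:
    name: str
    asset: str              # name of the asset it damages
    probability: float      # chance the threat materialises within the year
    damage_fraction: float  # share of the asset's value lost when it does


@dataclass(frozen=True)
class Countermeasure:
    name: str
    threat: str             # name of the threat it addresses
    annual_cost: float
    probability_reduction: float = 0.0  # preventive effect: fewer occurrences
    damage_reduction: float = 0.0       # detective/response effect: smaller loss per occurrence


def exposures(assets: Iterable[Asset], threats: Iterable[Threat],
              countermeasures: Iterable[Countermeasure] = ()) -> List[Tuple[float, float]]:
    """Per threat, the residual (probability, dollar loss per occurrence) after countermeasures."""
    value = {a.name: a.value for a in assets}
    out = []
    for t in threats:
        p = t.probability
        loss = t.damage_fraction * value[t.asset]
        for c in countermeasures:
            if c.threat == t.name:
                p *= 1.0 - c.probability_reduction
                loss *= 1.0 - c.damage_reduction
        out.append((p, loss))
    return out


def annual_loss_expectancy(assets, threats, countermeasures=()) -> float:
    """Expected annual loss: sum over threats of probability x loss per occurrence."""
    return sum(p * loss for p, loss in exposures(assets, threats, countermeasures))


def value_at_risk(assets, threats, countermeasures=(), confidence: float = 0.95) -> float:
    """Smallest loss L such that P(annual loss <= L) >= confidence.
    Threats are assumed independent and to occur at most once a year, so the exact
    loss distribution is obtained by enumerating every subset of threats that could hit."""
    ex = exposures(assets, threats, countermeasures)
    outcomes = []
    for occurs in product((False, True), repeat=len(ex)):
        prob, loss = 1.0, 0.0
        for happened, (p, loss_i) in zip(occurs, ex):
            prob *= p if happened else 1.0 - p
            loss += loss_i if happened else 0.0
        outcomes.append((loss, prob))
    cumulative = 0.0
    for loss, prob in sorted(outcomes):
        cumulative += prob
        if cumulative >= confidence:
            return loss
    return max(loss for loss, _ in outcomes)


def rosi(assets, threats, countermeasures) -> float:
    """Return on security investment: (annual loss avoided - annual cost) / annual cost."""
    avoided = (annual_loss_expectancy(assets, threats)
               - annual_loss_expectancy(assets, threats, countermeasures))
    cost = sum(c.annual_cost for c in countermeasures)
    return (avoided - cost) / cost


# Constructed figures for a hypothetical manufacturing company (not from the post).
ASSETS = [Asset("customer price list", 2_000_000), Asset("production line", 5_000_000)]
THREATS = [
    Threat("price list leak", "customer price list", probability=0.2, damage_fraction=0.25),
    Threat("production outage from malware", "production line", probability=0.1, damage_fraction=0.2),
]
DLP = Countermeasure("DLP system", "price list leak", annual_cost=120_000, probability_reduction=0.6)
IR = Countermeasure("detection and incident response", "production outage from malware",
                    annual_cost=30_000, damage_reduction=0.5)

if __name__ == "__main__":
    print(f"baseline ALE: ${annual_loss_expectancy(ASSETS, THREATS):,.0f}")
    print(f"baseline 95% VaR: ${value_at_risk(ASSETS, THREATS):,.0f}")
    for option in ([DLP], [IR], [DLP, IR]):
        names = " + ".join(c.name for c in option)
        print(f"{names}: ROSI {rosi(ASSETS, THREATS, option):+.2f}, "
              f"95% VaR ${value_at_risk(ASSETS, THREATS, option):,.0f}")
```

With these constructed numbers the expensive preventive DLP system has a negative return (the loss it avoids is less than it costs), while the cheaper detection and response capability has a positive one, which is the trade-off Anthonie describes; the Value at Risk figure is what lets the security team put the same choice in front of the CEO in the dollar terms the post asks for.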
Pete Herzog
I've had a lot of success "selling" security not as a safety feature but as an enabler. Without brakes, what you call a safety feature, a car for transportation or deliveries is worthless because it cannot efficiently or economically stop at the location you want and need to be. So once I start showing executives how what they know as just "security" also allows them to enter new frontiers, increase market channels, maintain employee efficiency, and increase competitiveness. These things are just not possible, let alone effective, if they can't keep control over their operations. An example I use is how they may use web analytics to control the effectiveness of their marketing campaigns. That information must be collected a certain way, uncorrupted, unbiased, un-influenced, and synergize with the marketing operation. The buzzwords are to make my point here ;) Otherwise, they won't know if they are wisely spending their money there. Well, it's the same for every other part of their operation. Security assures uncorrupted and unbiased efficiency, synergy, and manageability over their resources. Security is as important to business expansion as any other management or executive process. When I show this, they get it.
Danny Lieberman
Pete,

I think you missed the part where I explained that CEOs already understand the benefits of security - they're just happier taking the risk rather than buying more security products and services.

Regarding your educating CEOs to the benefits of security - this is a proactive approach with low ROI. Why?

First of all, no one is paying you to give the CEO some important security insights.

Second, it's because you're selling the same security Kool-Aid as Oracle, IBM, ISACA and SAP. The only problem is that a security consultant doesn't sell a product, but bolt-on/after-sale services - and you don't get margin on pre-sale advice.

Say a company uses Oracle Applications. You will note that the Oracle salesperson already used those same buzzwords in HER "value proposition" to the CEO/CIO/CFO/COO - "Oracle Applications ensures uncorrupted and unbiased efficiency, synergy, and manageability over your resources (that is why it's called an ERP - enterprise resource planning and management system)".

And here is a quote straight from the Oracle BI web page:

Designed for scalability, reliability, and performance, Oracle Business Intelligence Enterprise Edition 11g delivers contextual, relevant and actionable insight to everyone in an organization, resulting in improved decision-making, better-informed actions, and more efficient business processes.

...An integrated systems management console provides superior scalability, high availability, and SECURITY benefits, while making upgrades and systems management effortless.

So - if you're a security consultant selling risk assessment, or training or pen testing -

a) you have to tell the CxOs something they haven't heard before &

b) Something they will understand

And that is tough, because you're standing in line behind Cisco, Oracle, Checkpoint and Microsoft so the basic security awareness is there.

The problem is not awareness but being able to make a business justification for investing in a particular security technology.

And as I explain in the article - that is a hard task indeed. Ask any salesperson in this space.

Pete Herzog
Danny, I actually agree with you that you shouldn't try to educate the sales target. I was just giving an example of how it could be used as an enabler. But I was thinking service and not product.

I also agree that I don't think the problem is their awareness at all but that their awareness is skewed. Whatever it is that you are selling they see it as something they already have even if you think it's different, better, and with more buttons. But they don't. In that case it's not about having a better product or even solving a problem you think they have because they don't see it that way. I think that's the real issue. Knowing that, it's possible to address this with the right approach for your cultural region.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
