Partner Perspectives  Connecting marketers to our tech communities.
9/28/2016
09:48 AM
Tom Quillin
Tom Quillin
Partner Perspectives
Connect Directly
Twitter
LinkedIn
RSS
100%
0%

Beep Prepared: How Security Economics Can Help The Coyote Catch The Roadrunner

The practice of security economics demonstrates how gaps in the security architecture impair business results.

Acme Corp., fictional purveyor of fine products to the coyote in a relentless quest to catch the roadrunner, has found that cyberattacks are affecting its manufacturing processes and are at least partly to blame for repeated product failures in the field. They asked Intel Security to take a look at their operations and recommend ways to improve them.

Like many real-life organizations, Acme is experiencing cyberattacks that are getting nastier, taking longer to clean, and affecting multiple aspects of business operations. It knows that it needs to update its security systems, but it struggles to quantify what it takes to move forward. And -- just as importantly -- the company isn’t sure how to capture and quantify the benefits of its potential actions. Acme’s CFO is holding tight on the purse strings until the security team can provide a business case. Meanwhile, the clock ticks…

Does this sound like a familiar challenge to you?

For many of us in security, the conversation between us as technical experts and our non-technical colleagues can be frustrating. We have our top priorities: must-do, urgent actions that will advance our organization’s security. But sometimes it feels like our partners in finance or lines of business speak a different language.

The practice of security economics helps bridge that divide. Our practice at Intel Security started with building a process and methodology to use in conversations with security teams in any size businesses as well as government and other organizations.

Let’s go back to our fictional friends at Acme. Say Acme was suffering from advanced targeted attacks that were able to evade their existing defenses. Acme has implemented lots of tools from many different vendors, all with the best intentions. Frustratingly, though, Acme is still getting penetrated and, in spite of all the top quadrant products from the latest start-ups, Acme has limited visibility into what’s happening.

Acme’s CISO says she is driving focus on rapid remediation to get systems cleaned and returned to operation as quickly as possible. She has quotes from security vendors that have compelling technology to help her reduce infection rates. The problem? The CISO is struggling to get funding for her investment because her stakeholders see the situation as a security problem, not a business problem.

Our first step is a conversation with the team for data gathering. Turns out, Acme is suffering several dozen attacks per year. Most of the attacks are minor and can be remediated in two to four hours.

For the daily work involved for minor incidents, we estimate the cost for IT’s remediation work at about $100 per incident. But here’s the thing the security team forgets: Remediation has costs beyond the security team. For an endpoint machine, an end-user without a PC is a less productive end-user. So in our model, we want to make sure we are capturing the impact to Acme’s line of business teams. This becomes the key insight for our CISO to use in influencing her business partners to support funding her plan.

We determine that the productivity impact for end users is roughly equal to the impact on the security team. In other words, the number of hours consumed by infections is hurting Acme’s business (no wonder Road Runner keeps on winning!). The table summarizes the math.

Total scale of the problem

 

Minor infections per year

100

   

IT labor costs for minor incidents

IT hours to remediate

2-4

IT loaded hourly rate

$35

IT cost per incident

$100

   

End-user labor costs for minor incidents

End-user hours

4

User productivity loss

50%

User loaded hourly rate

$55

End user cost per incident

$110

   

Total cost/year for minor incidents

 

IT's staff costs for remediation

 $    10,000

End-user staff costs

11,000

 

 $    21,000

Solving this problem alone won’t justify the investment Acme’s CISO wants to make, but it does begin to help demonstrate how gaps in the security architecture impair business results. Next time, we’ll share some other examples of how we worked with Acme’s CISO to build a compelling business case for change. 

Tom Quillin is the Director of Cyber Security for Technologies and Initiatives at Intel Corp. He is responsible for identifying security risks, as well as contributing to product planning that addresses future security challenges. He also manages Intel's policy positions on ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Why Cybersecurity Must Be an International Effort
Kelly Sheridan, Associate Editor, Dark Reading,  12/6/2017
NIST Releases New Cybersecurity Framework Draft
Jai Vijayan, Freelance writer,  12/6/2017
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2017
A look at the biggest news stories (so far) of 2017 that shaped the cybersecurity landscape -- from Russian hacking, ransomware's coming-out party, and voting machine vulnerabilities to the massive data breach of credit-monitoring firm Equifax.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.