11:45 AM
Tom Quillin

What Should Security Cost?

Understanding the economics of information security.

Isn’t it difficult to put a price tag on digital security? We can compare security budgets across our peers, calculate the cost of a security breach, and even estimate the probability of various threats, but we cannot definitively state that a specific amount of spending will make us perfectly secure.

In this age of seemingly ever-increasing risk, there is a lot of attention on security, as well as pressure to increase security spending. Economist Hal Varian, emeritus professor at UC Berkeley, compared security levels to medieval walls: You can spend more and more to make them taller and thicker, but the gates will always remain your weakest point.

The primary objective for security practitioners has historically been effectiveness. We measure effectiveness by tracking and comparing metrics such as percent of coverage, patch latency, percent of systems infected, or number of unpatched vulnerabilities. At Intel Security, we have added efficiency as an additional objective, incorporating metrics such as how long tasks take, how many resources they consume, or what level of investment they require. Efficiency requirements exist not just to save money -- because even an unlimited budget will not make you 100% secure -- but because there are limits to the availability of experienced personnel and the amount of time you can afford to spend. Today’s security plans have to focus on resolving more problems faster and with more automation and fewer resources.

If this sounds like a classic “do more with less” exhortation, let’s look closer. We have developed a decision-making process to help prioritize the dollars and resources. We look at three main categories: alignment to business goals, identification of value drivers, and analysis of improvement opportunities.

First, we work with organizations to ground their security needs in business problems and goals. Here, we are not talking about problems like polymorphic malware or spear phishing, but issues such as lack of qualified staff, securing portions of our infrastructure in the cloud, increased use of personal devices and Web apps, or other specific department goals and objectives. This helps drive the process from the corporate or department strategic objectives, instead of solely from technical or financial ones.

We next define the mix of specific assets or resources that need to be managed, whether that is valuable data and information, dollars, hours, head count, or something more specific to the company. For example, it’s not uncommon for the security operations team to get sucked into a vicious cycle of audits, so that time spent on preparing for the next audit and dealing with requirements from the last one prevents the team from spending time on strategic efforts.

Finally -- and this is where the hard work comes in -- we analyze and identify opportunities to improve efficiency over time, within the context of the overall goals. For example, a corporate goal might require improving availability or enabling business partners to quickly launch new customer-facing Web services. How does your security help contribute to those business goals? If your security team is stuck in reactive mode, looking at your staffing and operations model from an economics perspective can identify ways to create capacity for more strategic work. An economics-driven analysis may lead you to identify that reducing the overall number of security suppliers will result in fewer contracts, fewer support links to maintain, and a more tightly integrated security system.

Ultimately, an economics-driven analysis should free your existing team to operate at a higher level of performance, driving more strategic results for you and your business partners. In turn, this drives improvement in security posture and security effectiveness.

Over time, security economics enables security practitioners to speak the same language as our partners in the line of business and review goals and indicators with executives and boards of directors. “Do more with less” starts to sound not only possible, but exciting.

Tom Quillin is the Director of Cyber Security for Technologies and Initiatives at Intel Corp. He is responsible for identifying security risks, as well as contributing to product planning that addresses future security challenges. He also manages Intel's policy positions on ...