What Should Security Cost? Understanding the economics of information security.
Isn’t it difficult to put a price tag on digital security? We can compare security budgets across our peers, calculate the cost of a security breach, and even estimate the probability of various threats, but we cannot definitively state that a specific amount of spending will make us perfectly secure.
In this age of seemingly ever-increasing risk, there is a lot of attention on security, as well as pressure to increase security spending. Economist Hal Varian, emeritus professor at UC Berkeley, compared security spending to building medieval walls: You can spend more and more to make them taller and thicker, but the gates will always remain your weakest point.
The primary objective for security practitioners has historically been effectiveness. We measure effectiveness by tracking and comparing metrics such as percent of coverage, patch latency, percent of systems infected, or number of unpatched vulnerabilities. At Intel Security, we have added efficiency as a second objective, with metrics such as how long tasks take, how many resources they consume, or what level of investment they require. Efficiency requirements exist not just to save money -- even an unlimited budget will not make you 100% secure -- but because experienced personnel are scarce and the time you can afford to spend is finite. Today's security plans have to focus on resolving more problems faster, with more automation and fewer resources.
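As an added illustration of tracking effectiveness and efficiency side by side (example code written for this edit, not Intel Security's or the author's tooling), the script below computes a few of the metrics named above from a constructed set of vulnerability findings across two quarters. The host names, finding labels, dates and hours are all made up, and the `Finding` record, `scorecard` and `compare` functions are this example's own design, not a process the article describes.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    """One vulnerability finding on one host (constructed sample record)."""
    host: str
    finding_id: str          # hypothetical label, not a real advisory ID
    severity: str            # "low" | "medium" | "high" | "critical"
    disclosed: date          # when the team learned of the vulnerability
    patched: Optional[date]  # None while the finding is still open
    analyst_hours: float     # hours the team spent on this finding


# Constructed data: Q1 is the baseline quarter, Q2 a quarter in which the team
# drove the effectiveness numbers down by putting many more hours into patching.
Q1_FINDINGS = [
    Finding("web-01", "F-001", "critical", date(2024, 1, 5), date(2024, 1, 25), 6.0),
    Finding("web-02", "F-002", "high", date(2024, 1, 10), date(2024, 2, 9), 4.0),
    Finding("db-01", "F-003", "high", date(2024, 2, 1), None, 2.0),
    Finding("app-01", "F-004", "medium", date(2024, 2, 15), date(2024, 3, 1), 3.0),
]
Q2_FINDINGS = [
    Finding("web-01", "F-005", "critical", date(2024, 4, 2), date(2024, 4, 9), 8.0),
    Finding("web-02", "F-006", "high", date(2024, 4, 10), date(2024, 4, 20), 6.0),
    Finding("db-01", "F-003", "high", date(2024, 2, 1), date(2024, 4, 15), 9.0),  # Q1 carry-over
    Finding("app-02", "F-007", "low", date(2024, 5, 1), date(2024, 5, 8), 3.0),
]


def coverage_percent(total_hosts: int, managed_hosts: int) -> float:
    """Share of the fleet reporting to the patch/management system."""
    if total_hosts == 0:
        return 0.0
    return round(100.0 * managed_hosts / total_hosts, 1)


def patch_latency_days(findings) -> Optional[float]:
    """Median days from disclosure to patch, over closed findings only."""
    closed = [(f.patched - f.disclosed).days for f in findings if f.patched]
    return float(median(closed)) if closed else None


def open_findings(findings, min_severity: str = "high"):
    """Findings still unpatched at or above the given severity."""
    floor = SEVERITY_RANK[min_severity]
    return [f for f in findings
            if f.patched is None and SEVERITY_RANK[f.severity] >= floor]


def hours_per_closed_finding(findings) -> Optional[float]:
    """Analyst hours spent per finding actually remediated (an efficiency metric)."""
    closed = [f for f in findings if f.patched]
    if not closed:
        return None
    return round(sum(f.analyst_hours for f in closed) / len(closed), 2)


def scorecard(findings, total_hosts: int, managed_hosts: int) -> dict:
    """Effectiveness and efficiency metrics for one reporting period."""
    return {
        "effectiveness": {
            "coverage_pct": coverage_percent(total_hosts, managed_hosts),
            "median_patch_latency_days": patch_latency_days(findings),
            "open_high_or_critical": len(open_findings(findings)),
        },
        "efficiency": {
            "analyst_hours_per_closed_finding": hours_per_closed_finding(findings),
            "total_analyst_hours": round(sum(f.analyst_hours for f in findings), 1),
        },
    }


# For every metric except coverage, a smaller number is the better one.
LOWER_IS_BETTER = {"median_patch_latency_days", "open_high_or_critical",
                   "analyst_hours_per_closed_finding", "total_analyst_hours"}


def compare(prev: dict, curr: dict) -> dict:
    """Label each metric improved / regressed / flat between two scorecards."""
    verdict = {}
    for group in ("effectiveness", "efficiency"):
        for name, before in prev[group].items():
            after = curr[group][name]
            if before is None or after is None or before == after:
                verdict[name] = "flat"
                continue
            better = after < before if name in LOWER_IS_BETTER else after > before
            verdict[name] = "improved" if better else "regressed"
    return verdict


if __name__ == "__main__":
    q1 = scorecard(Q1_FINDINGS, total_hosts=8, managed_hosts=6)
    q2 = scorecard(Q2_FINDINGS, total_hosts=8, managed_hosts=8)
    for label, card in (("Q1", q1), ("Q2", q2)):
        print(label, card)
    print("trend", compare(q1, q2))
```

In the constructed data every effectiveness metric improves from Q1 to Q2 (coverage, median latency and the count of open high/critical findings), while analyst hours per closed finding rises from about 4.3 to 6.5: the team bought the better numbers with time. That divergence is exactly what an effectiveness-only scorecard hides and an efficiency metric surfaces.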
If this sounds like a classic “do more with less” exhortation, let’s look closer. We have developed a decision-making process to help prioritize the dollars and resources. We look at three main categories: alignment to business goals, identification of value drivers, and analysis of improvement opportunities.
First, we work with organizations to ground their security needs in business problems and goals. Here, we are not talking about problems like polymorphic malware or spear phishing, but issues such as lack of qualified staff, securing portions of our infrastructure in the cloud, increased use of personal devices and Web apps, or other specific department goals and objectives. This helps drive the process from the corporate or department strategic objectives, instead of solely from technical or financial ones.
We next define the mix of specific assets or resources that need to be managed, whether that is valuable data and information, dollars, hours, head count, or something more specific to the company. For example, it is not uncommon for a security operations team to get sucked into a vicious cycle of audits, in which the time spent preparing for the next audit and dealing with the findings of the last one prevents the team from spending any time on strategic efforts.
Finally -- and this is where the hard work comes in -- we analyze and identify opportunities to improve efficiency over time, within the context of the overall goals. For example, a corporate goal might require improving availability or enabling business partners to quickly launch new customer-facing Web services. How does your security program contribute to those goals? If your security team is stuck in reactive mode, looking at your staffing and operations model from an economics perspective can identify ways to create capacity for more strategic work. An economics-driven analysis may show, for instance, that reducing the overall number of security suppliers results in fewer contracts, fewer support relationships to maintain, and a more tightly integrated security system.
Ultimately, an economics-driven analysis should free your existing team to operate at a higher level of performance, driving more strategic results for you and your business partners. In turn, this drives improvement in security posture and security effectiveness.
Over time, security economics enables security practitioners to speak the same language as our partners in the line of business and review goals and indicators with executives and boards of directors. “Do more with less” starts to sound not only possible, but exciting.
Tom Quillin is the Director of Cyber Security for Technologies and Initiatives at Intel Corp. He is responsible for identifying security risks, as well as contributing to product planning that addresses future security challenges. He also manages Intel's policy positions on ...