Partner Perspectives
Tom Quillin

What Should Security Cost?

Understanding the economics of information security.

Isn’t it difficult to put a price tag on digital security? We can compare security budgets across our peers, calculate the cost of a security breach, and even estimate the probability of various threats, but we cannot definitively state that a specific amount of spending will make us perfectly secure.

In this age of seemingly ever-increasing risk, there is a lot of attention on security, as well as pressure to increase security spending. Economist Hal Varian, emeritus professor at UC Berkeley, compared security levels to medieval walls: You can spend more and more to make them taller and thicker, but the gates will always remain your weakest point.

The primary objective for security practitioners has historically been effectiveness. We measure effectiveness by tracking and comparing metrics such as percent of coverage, patch latency, percent of systems infected, or number of unpatched vulnerabilities. At Intel Security, we have added efficiency as an additional objective, incorporating metrics such as how long tasks take, how many resources they consume, or what level of investment they require. Efficiency requirements exist not just to save money -- because even an unlimited budget will not make you 100% secure -- but because there are limits to the availability of experienced personnel and the amount of time you can afford to spend. Today’s security plans have to focus on resolving more problems faster, with more automation and fewer resources.

If this sounds like a classic “do more with less” exhortation, let’s look closer. We have developed a decision-making process to help prioritize the dollars and resources. We look at three main categories: alignment to business goals, identification of value drivers, and analysis of improvement opportunities.

First, we work with organizations to ground their security needs in business problems and goals. Here, we are not talking about problems like polymorphic malware or spear phishing, but issues such as lack of qualified staff, securing portions of our infrastructure in the cloud, increased use of personal devices and Web apps, or other specific department goals and objectives. This helps drive the process from the corporate or department strategic objectives, instead of solely from technical or financial ones.

We next define the mix of specific assets or resources that need to be managed, whether that is valuable data and information, dollars, hours, head count, or something more specific to the company. For example, it’s not uncommon for the security operations team to get sucked into a vicious cycle of audits, so that the time spent preparing for the next audit and dealing with requirements from the last one prevents the team from spending time on strategic efforts.

Finally -- and this is where the hard work comes in -- we analyze and identify opportunities to improve efficiency over time, within the context of the overall goals. For example, a corporate goal might require improving availability or enabling business partners to quickly launch new customer-facing Web services. How does your security help contribute to those business goals? If your security team is stuck in reactive mode, looking at your staffing and operations model from an economics perspective can identify ways to create capacity for more strategic work. An economics-driven analysis may lead you to identify that reducing the overall number of security suppliers will result in fewer contracts, fewer support links to maintain, and a more tightly integrated security system.

Ultimately, an economics-driven analysis should free your existing team to operate at a higher level of performance, driving more strategic results for you and your business partners. In turn, this drives improvement in security posture and security effectiveness.

Over time, security economics enables security practitioners to speak the same language as our partners in the line of business and review goals and indicators with executives and boards of directors. “Do more with less” starts to sound not only possible, but exciting.

Tom Quillin is the Director of Cyber Security for Technologies and Initiatives at Intel Corp. He is responsible for identifying security risks, as well as contributing to product planning that addresses future security challenges. He also manages Intel's policy positions on ...