
12/11/2018
10:30 AM
Jack Jones
Commentary

How Well Is Your Organization Investing Its Cybersecurity Dollars?

The principles, methods, and tools for performing good risk measurement already exist and are being used successfully by organizations today. They take some effort -- and are totally worth it.

There's an old saying in marketing: "Half of your marketing dollars are wasted. You just don't know which half." This has become far less true in recent years for organizations that apply rigorous quantitative marketing analysis techniques.

Unfortunately, given common practices in cybersecurity today, you could update that old saying by substituting "marketing" with "cybersecurity" and have to wonder if it isn't accurate. At the very least, you'd have to decide how you'd defend that it isn't. For example, if I asked what the most valuable cybersecurity investment has been for your organization in the past three years, how would you answer?

How Do We Define Cybersecurity Value?
You can't reliably measure what you haven't clearly defined, so before we can have an intelligent conversation about cybersecurity value, we first have to clearly define what we mean. For this, I turn to the question I've heard executives ask many times over the years: "How much less risk will we have if we spend these dollars on cybersecurity?" Clearly, from their perspective (and it's their perspective that matters) cybersecurity value should be measured in how much less risk the organization faces.

Unfortunately, what I commonly see in board reports, budget justifications, and conference presentations is something different. Most of the time, as an industry we appear to lean on implicit proxies for measuring risk reduction — things like NIST CSF (National Institute of Standards and Technology Cyber Security Framework) benchmark improvements, credit-like scores, and higher compliance ratings. Don't get me wrong; these are useful directional references that generally mean an organization has less risk. The problem is that we don't know how much less risk, and the "how much" matters.

For example, if the overall NIST CSF score for your organization went from 2.5 to 2.9 last year, what does that 0.4 improvement mean in terms of risk reduction? Along the same lines, how much less risk comes from reducing the time to patch or shortening the time to detect a breach?

Measuring Risk Reduction
Everything we do in cybersecurity in some way affects, directly or indirectly, the probable frequency and/or magnitude of loss-event scenarios. That being the case, measuring the value of our efforts begins with clearly defining the loss-event scenarios we're trying to affect. At a superficial level, this often boils down to confidentiality breaches, availability outages, and compromises of data integrity. That level of abstraction isn't usually very useful in risk measurement though, so we need to be more specific.

A more reasonable level of specificity would include, for example, a confidentiality breach of which information, by which threat community, via which vector. At this level of abstraction, you can begin to evaluate the effect of cybersecurity controls on the frequency and magnitude of loss for that scenario.

If that sounds like more work than you're used to applying in risk measurement, it's not surprising. Most of what passes for risk measurement today is nothing more than someone proclaiming high/medium/low risk.

Value Analysis
To drive my point home, let me share a high-level example from my past as a CISO. The organization I worked for had huge databases containing millions of consumer credit card records. The Payment Card Industry standard called for data at rest encryption (DaRE), which at the time would have cost the organization well over a million dollars, required modifications to key applications, and taken over a year and a half to implement.

Rather than simply go to my executives with an expensive compliance problem, I took a couple of days to do the following:

  • Identify which loss-event scenarios DaRE was relevant to as a control.
  • Perform a quantitative risk analysis using Factor Analysis of Information Risk (FAIR) to determine how much risk we currently faced from these scenarios.
  • Perform a second analysis that estimated the reduction in risk if we implemented DaRE.
  • Identify a set of alternative controls that were also relevant to the same loss-event scenarios. (These controls cost a fraction as much as DaRE, didn't require application changes, and could be implemented in a few months.)
  • Perform a third analysis that estimated the reduction in risk if we implemented these alternative controls (which turned out to be a greater reduction in risk than DaRE).
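The five steps above, and the "frequency and magnitude of loss" framing from the Measuring Risk Reduction section, can be carried out as a small Monte Carlo model. The following is an added example written for this page; it is not the author's analysis, not RiskLens or FAIR Institute code, and every number in it is constructed for illustration (the scenario parameters, the control costs, and the assumption that encryption at rest mainly shrinks loss per event while the alternative control set mainly cuts event frequency). It scores each option by how much annualized loss exposure (ALE) it removes per dollar spent, which is the cost-benefit comparison the text describes.

```python
"""FAIR-style Monte Carlo comparison of control options (constructed example).

Risk is treated as probable frequency x probable magnitude of loss events.
Each control option is scored by the reduction in annualized loss exposure
(ALE) it buys per dollar. All parameter values are illustrative only.
"""
import math
import random
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Scenario:
    """One loss-event scenario: which data, which threat community, which vector."""
    name: str
    lef: tuple  # loss event frequency per year as (min, most likely, max)
    lm: tuple   # loss magnitude per event in USD as (min, most likely, max)


@dataclass(frozen=True)
class ControlOption:
    """A control set, modelled as multipliers on frequency and magnitude (assumed)."""
    name: str
    cost: float         # cost over the analysis horizon, USD
    lef_factor: float   # 1.0 = no effect on frequency, 0.3 = 70% fewer events
    lm_factor: float    # 1.0 = no effect on loss per event


NO_CONTROL = ControlOption("baseline (do nothing)", 0.0, 1.0, 1.0)


def poisson(rng, lam):
    """Draw an event count from Poisson(lam) with Knuth's method (fine for small rates)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(scenario, option, trials=20000, seed=7):
    """Return one simulated annual loss total per trial (seeded, so repeatable)."""
    rng = random.Random(seed)
    lef_min, lef_ml, lef_max = scenario.lef
    lm_min, lm_ml, lm_max = scenario.lm
    losses = []
    for _ in range(trials):
        # One frequency draw per simulated year, then the number of events that year.
        rate = rng.triangular(lef_min, lef_max, lef_ml) * option.lef_factor
        events = poisson(rng, rate)
        total = 0.0
        for _ in range(events):
            total += rng.triangular(lm_min, lm_max, lm_ml) * option.lm_factor
        losses.append(total)
    return losses


def summarize(losses):
    ordered = sorted(losses)
    return {
        "ale": mean(ordered),                     # annualized loss exposure
        "p90": ordered[int(0.9 * len(ordered))],  # a "bad year" figure for executives
        "worst": ordered[-1],
    }


def compare_options(scenario, options, trials=20000, seed=7):
    """Score each option by risk reduction against the do-nothing baseline."""
    baseline = summarize(simulate_annual_losses(scenario, NO_CONTROL, trials, seed))
    rows = []
    for opt in options:
        stats = summarize(simulate_annual_losses(scenario, opt, trials, seed))
        reduction = baseline["ale"] - stats["ale"]
        rows.append({
            "option": opt.name,
            "ale": stats["ale"],
            "p90": stats["p90"],
            "risk_reduction": reduction,
            "cost": opt.cost,
            # Expected annual loss removed per dollar of control cost.
            "reduction_per_dollar": reduction / opt.cost if opt.cost > 0 else math.inf,
        })
    rows.sort(key=lambda r: r["reduction_per_dollar"], reverse=True)
    return baseline, rows


# Constructed scenario at the level of specificity the text asks for.
CARDHOLDER_DB = Scenario(
    name="confidentiality breach of cardholder DB records by external criminals "
         "via compromised application credentials",
    lef=(0.2, 0.5, 1.0),                          # 0.2 to 1.0 events/year
    lm=(500_000.0, 2_000_000.0, 10_000_000.0),    # USD per event
)

# Assumed, constructed effects and costs for the two options compared in the text.
OPTIONS = [
    ControlOption("data-at-rest encryption", cost=1_200_000.0, lef_factor=1.0, lm_factor=0.5),
    ControlOption("alternative control set", cost=150_000.0, lef_factor=0.3, lm_factor=0.9),
]


def main():
    baseline, rows = compare_options(CARDHOLDER_DB, OPTIONS)
    print(f"Scenario: {CARDHOLDER_DB.name}")
    print(f"Baseline ALE ${baseline['ale']:,.0f} (p90 ${baseline['p90']:,.0f})")
    for r in rows:
        print(f"{r['option']:<24} ALE ${r['ale']:>12,.0f}  reduction ${r['risk_reduction']:>12,.0f}"
              f"  cost ${r['cost']:>10,.0f}  per $ {r['reduction_per_dollar']:.2f}")


if __name__ == "__main__":
    main()
```

The point of the model is not the specific numbers but the shape of the argument: once a scenario is defined tightly enough to estimate frequency and magnitude ranges, any control can be expressed as an effect on one or both, and options can be ranked on risk removed per dollar rather than on a compliance checkbox. Replacing the triangular draws with calibrated PERT or lognormal estimates from subject-matter experts is the usual next step in a FAIR analysis.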

The upshot is that I was able to go to my executives and the PCI auditor with options that included clearly described cost-benefit analyses. From their perspective, it was a no-brainer.

By not simply telling my executives that we had to bite the compliance bullet, the organization was able to save over a million dollars, avoid significant operational disruption, and reduce more risk in a shorter time frame.

The Bottom Line
Every dollar spent on cybersecurity is a dollar that can't be spent on the many other business imperatives with which an organization must deal. For this reason (and because we have an inherent obligation to be good stewards of our resources), we must be able to effectively measure and communicate the value proposition of our cybersecurity efforts.

Fortunately, the principles, methods, and tools for performing good risk measurement already exist and are being used successfully by organizations today. Do these analyses take more effort than proclaiming high/medium/low risk, or falling back on ambiguous metrics? Absolutely. Is the extra effort worthwhile? I'll answer based on my experience as a CISO — yes. It's not even close.

Jack Jones is one of the foremost authorities in the field of information risk management. As the Chairman of the FAIR Institute and Executive VP of Research and Development for RiskLens, he continues to lead the way in developing effective and pragmatic ways to manage and ...
Comments
StephenGiderson
User Rank: Apprentice
1/9/2019 | 5:24:36 AM
Proof of your money's worth
I think you will only know if you've invested your cyber security money properly when you don't have any incidents to speak of. If all of your data units are safe in storage in your facility and you don't see hackers trying to bring your systems down all the time, I reckon that that's a pretty good sign that you're doing a good job with the security you've set up...
EdwardThirlwall
User Rank: Apprentice
1/9/2019 | 1:24:09 AM
More cybersecurity dollars
It would be a scary thought to know that your organisation is actually not investing enough in cybersecurity dollars. With the recent increase in data breaches, organisations ought to step up their game in order to prevent themselves and their employees from falling into hot soup. It could cost them even more should they fall in an unwanted cyberattack situation and it might just be too late.
tcorbeill
User Rank: Apprentice
12/12/2018 | 8:38:02 AM
Security Instrumentation
Security Instrumentation provides empirical evidence regarding security investments that enables executives to define metrics to capture the ROI of their security investments with quantifiable, evidence-based data.