IT security managers have two basic problems: getting their managers to understand the need for security resources; and figuring out how to prioritize and spend the resources they already have.
Both problems could potentially be solved if security people spent a little less time thinking like IT experts and a little more time thinking like insurance experts, according to a new report from the London School of Economics and McAfee.
The report, entitled "International Perspectives on Information Security Practices," was published late last week. (See McAfee Reports Fewer Experts.) Summaries of the document initially focused on its conclusions about the shortage of IT security experts, but an interview with McAfee CSO Martin Carmichael put the results in a different light.
The study, which summarizes the opinions of security executives in the financial services industry, shows many are frustrated with their inability to build a business case for security, and with the complex task of prioritizing multiple security goals and projects.
"What's fascinating is that they all have the same reason for being frustrated," Carmichael says. "It's that they are working too much with subjective data, and not enough with objective data."
Carmichael likens today's business environment to the construction industry of the 1800s. "In those days, people often didn't calculate the risks of putting in safety features into the construction because they saw the likelihood of a disaster as remote, and the cost of the safety features as too high."
But insurance companies changed that cost/benefit perception by creating actuarial data that cross-references the likelihood of an event, its potential costs to the owner, and the effectiveness of specific safety features in preventing the event from occurring. They then gave the incentive to construction firms and other businesses to implement the most effective safety features by offering implementers a discount on insurance premiums.
"Essentially, the construction and insurance industries created a bell curve that shows the risk you encounter if you follow certain practices," Carmichael says. "If you're inside the bell curve, you have an acceptable level of risk. If you're outside it, then you know you need to consider making some changes."
Enterprises, and even industries, need to begin building a base of objective knowledge about the frequency of security events, the costs associated with those events, and the effectiveness of tools in preventing those events from occurring, Carmichael suggests. "Right now, tools can objectively tell you how many times your firewall has been hit, but that's not all that useful in evaluating risk."
"Most risk assessment today is done by highly-skilled individuals who work with a great deal of subjective data -- and whose knowledge is often lost when they leave the company," Carmichael observes. But if enterprises and industries began collecting and storing more objective data -- analogous to insurers' actuarial tables -- then they would be able to make more educated security decisions, he says.
"Imagine if security worked like insurance. You could tell your manager, 'We can spend $4,000 on this, and reduce risk by 14 percent, or we can spend $2,000 on that, and reduce risk by 7 percent,'" Carmichael says. Such a knowledge base would also help security managers prioritize the projects and technologies they want to deploy, because it would offer some data on the potential impact of specific technologies on the frequency of security events, he notes.
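The actuarial-style comparison Carmichael describes (event likelihood, cost per event, and the effectiveness of a control, combined to rank spending options) as an added illustration that is not from the report or from McAfee; the incident frequency, per-event cost and control figures below are constructed, with the $4,000/14 percent and $2,000/7 percent pair taken from the quote above.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    cost: float           # annualised cost of deploying the control
    effectiveness: float  # fraction of events the control is observed to prevent (0..1)


def expected_annual_loss(events_per_year: float, cost_per_event: float) -> float:
    """Actuarial expected loss: likelihood of the event times its cost to the owner."""
    return events_per_year * cost_per_event


def rank_controls(events_per_year: float, cost_per_event: float, controls):
    """Return (baseline loss, rows sorted by expected loss avoided per dollar spent)."""
    baseline = expected_annual_loss(events_per_year, cost_per_event)
    rows = []
    for c in controls:
        # The control reduces how often the event occurs; the cost per event is unchanged.
        residual = expected_annual_loss(events_per_year * (1 - c.effectiveness), cost_per_event)
        avoided = baseline - residual
        rows.append({
            "control": c.name,
            "cost": c.cost,
            "risk_reduction_pct": round(100 * c.effectiveness, 1),
            "loss_avoided": avoided,
            "avoided_per_dollar": avoided / c.cost,
            "net_benefit": avoided - c.cost,   # negative means the control costs more than it saves
        })
    rows.sort(key=lambda r: r["avoided_per_dollar"], reverse=True)
    return baseline, rows


# Constructed figures: two incidents a year at $25,000 each, four candidate controls.
SAMPLE_EVENTS_PER_YEAR = 2.0
SAMPLE_COST_PER_EVENT = 25_000.0
SAMPLE_CONTROLS = [
    Control("option A ($4,000, 14% reduction)", 4_000.0, 0.14),
    Control("option B ($2,000, 7% reduction)", 2_000.0, 0.07),
    Control("option C", 9_000.0, 0.20),
    Control("option D", 15_000.0, 0.25),
]

if __name__ == "__main__":
    base, ranked = rank_controls(SAMPLE_EVENTS_PER_YEAR, SAMPLE_COST_PER_EVENT, SAMPLE_CONTROLS)
    print(f"baseline expected annual loss: ${base:,.0f}")
    for r in ranked:
        print(f"{r['control']}: avoids ${r['loss_avoided']:,.0f}/yr for ${r['cost']:,.0f}, "
              f"net ${r['net_benefit']:,.0f}")
```

With these inputs options A and B avoid the same loss per dollar, so the table alone does not separate them; the net-benefit column (and the budget available) is what a manager would use to choose between them.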
But could the security industry develop such a knowledge base, as the insurance industry did? It's possible, because compliance requirements are causing security managers in many different industries to come together on the guidelines for risk, Carmichael says.
"Think how much it would help compliance auditors if the enterprise could produce a bell curve that shows acceptable levels of risk, and how their systems fit under that curve," Carmichael says. "It would speed up the compliance process a great deal."
McAfee is working to develop products that would help enterprises collect this objective data and eventually build the knowledge base, says Carmichael, though he could not be more specific.
"We see the corollary between insurance and security as being an important one going forward," Carmichael says, "and the [London School of Economics] report confirms that something like this is what a lot of security managers need. It's all about managing risk."
Tim Wilson, Site Editor, Dark Reading