Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

10/31/2019
02:00 PM
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

Quantifying Security Results to Justify Costs

The CISO job isn't to protect the entire business from all threats for any budget. It's to spell out what level of protection executives can expect for a given budget.

Most modern security programs are centered around "maturity" toward compliance to a security framework, or a subjective "expert" opinion. Neither of these approaches can justify security spend or deliver a meaningful protection-from-impact result. To justify security budget, CISOs need to be able to answer questions, such as:

  • Who can and cannot breach a crown jewel?
  • Is this level of protection justifiable?
  • What cost did we achieve this for, and is that cost reasonable?

To answer these questions, CISOs need quantifiable data and terms that influence costs and results because executives are results driven. They care much less about what security is doing, and much more about what they get in return for it. They want to know how differences in security spending quantifiably change the business's exposure to big impacts. For that reason, security professionals need to change the narrative from "security is a journey, not a destination" to "security is a chosen destination, with a justified journey to get and remain there."

Our starting point: Align protection "destinations" to assets that irrefutably matter to executives. Let's call these the crown jewels. Keep these easy to understand and in business terms. With well-chosen protection targets, the value of protecting them and the liability of not credibly doing so will be obvious. This way, you also don't need to rely on a cadre of quants using dubious data sets and computing probabilistic equations to produce "risk statements" that tell the board what they already know: They have a security risk exposure problem.

An annual report is a great source for target discovery as it typically states what matters most to the business. Generally, you'll want to consider how the business generates revenue (e.g., products and markets, income mechanisms, customer experience and satisfaction, and trade secrets that produce competitive advantage), sensitive operations like finance, human resources, and legal, and core operations such as facility access, email, accounts, and networks.

Now that you have established protection targets that are meaningful to executives, you need to manage the key dimensions that influence security cost. The first two are the quality and quantity of security. These directly impact the level of protection and the exposure to impact to be expected. The latter two affect the pace and the proficiency of security operations to deliver protection results.

How deep is our security quality? Threat actors aren't all equal. We know some are more sophisticated than others. The more advanced the threat actor, the more access to attack resources and methods they have. This makes them more complex to protect against because controls must implement more complex countermeasures.

How broad is our security scope and coverage? Attackers can breach an organization across many surfaces (e.g., Internet devices and applications, mobile devices, facilities, personnel, vendor supply chain). Leadership must consider how much security coverage they can apply to these assets. As we know from previous breaches, it's often the forgotten accounts, devices, etc., that are the key links in the breach chain. More scope and coverage will logically cost more, but it crucial to close the scope and coverage gap for a security program to be successful.

How quickly can we achieve protection targets? Security operations leverage expensive resources: people, technology, vendors, and even property. It's usually the case that if you want something done faster, you need to apply more resources sooner to get that result. Not only are you spending money sooner, you often must also pay more to get access to those resources sooner.

Are our resources and operations optimized? We don't have to be Six Sigma black belts to know that there is often a lot of irrelevance, ineffectiveness, and inefficiency in SecOps. Some even call it security theatre. There is usually considerable duplication of effort, missed opportunities to gain efficiencies of scale, and overbuilding some controls while underbuilding others. Most frustrating is the failure to leverage expensive people, technology, and vendor resources.

The CISO job isn't to protect the entire business from all threats for any budget. The successful CISO must spell out what business executives can expect for any given budget. That way, business executives and the board end up choosing the risk appetite on clear cost-benefit terms. The board may see that they can only justify protection up to, say, organized crime, but leave breach coverage from nation-state actors to insurance, for everything other than critical business crown jewels. The CISO benefit is that it doesn't matter how much security budget you have. By laying out clear protection strategies that quantify levels of protection against specific threats, you've put yourself, and your team in a position to succeed in a well-defined mission.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Cybersecurity's 'Moral Imperative.'"

Douglas Ferguson, a security professional of over 20 years, is the founder and CTO of Pharos Security. Pharos specializes in aligning security goals and strategy to the business and a calibrated risk appetite, ensuring an integrated business plan and optimized ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
DouglasF354
50%
50%
DouglasF354,
User Rank: Author
11/7/2019 | 6:33:07 AM
Re: An old IBM rule comes to mind
I absolutely agree, and it's critical that this is well understood and appreciated in the security space. There are greater costs to gain greater confidence and greater 'control' of an asset inventory. And it's non linear. There is a big sweet spot that is typically relatively easy, obvious, to obtain, however, as you approach the edges it becomes increasing more expensive. And these costs are rarely appreciated/ factored in to security budgets effectively. And it's often in these edge cases where breach can occur, then spread with less obstruction.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/13/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19338
PUBLISHED: 2020-07-13
A flaw was found in the fix for CVE-2019-11135, in the Linux upstream kernel versions before 5.5 where, the way Intel CPUs handle speculative execution of instructions when a TSX Asynchronous Abort (TAA) error occurs. When a guest is running on a host CPU affected by the TAA flaw (TAA_NO=0), but is ...
CVE-2020-11749
PUBLISHED: 2020-07-13
Pandora FMS 7.0 NG <= 746 suffers from Multiple XSS vulnerabilities in different browser views. A network administrator scanning a SNMP device can trigger a Cross Site Scripting (XSS), which can run arbitrary code to allow Remote Code Execution as root or apache2.
CVE-2020-5766
PUBLISHED: 2020-07-13
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in SRS Simple Hits Counter Plugin for WordPress 1.0.3 and 1.0.4 allows a remote, unauthenticated attacker to determine the value of database fields.
CVE-2020-15689
PUBLISHED: 2020-07-13
Appweb before 7.2.2 and 8.x before 8.1.0, when built with CGI support, mishandles an HTTP request with a Range header that lacks an exact range. This may result in a NULL pointer dereference and cause a denial of service.
CVE-2019-4591
PUBLISHED: 2020-07-13
IBM Maximo Asset Management 7.6.0 and 7.6.1 does not invalidate session after logout which could allow a local user to impersonate another user on the system. IBM X-Force ID: 167451.