Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

10/31/2019
02:00 PM
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

Quantifying Security Results to Justify Costs

The CISO job isn't to protect the entire business from all threats for any budget. It's to spell out what level of protection executives can expect for a given budget.

Most modern security programs are centered around "maturity" toward compliance to a security framework, or a subjective "expert" opinion. Neither of these approaches can justify security spend or deliver a meaningful protection-from-impact result. To justify security budget, CISOs need to be able to answer questions, such as:

  • Who can and cannot breach a crown jewel?
  • Is this level of protection justifiable?
  • What cost did we achieve this for, and is that cost reasonable?

To answer these questions, CISOs need quantifiable data and terms that influence costs and results because executives are results driven. They care much less about what security is doing, and much more about what they get in return for it. They want to know how differences in security spending quantifiably change the business's exposure to big impacts. For that reason, security professionals need to change the narrative from "security is a journey, not a destination" to "security is a chosen destination, with a justified journey to get and remain there."

Our starting point: Align protection "destinations" to assets that irrefutably matter to executives. Let's call these the crown jewels. Keep these easy to understand and in business terms. With well-chosen protection targets, the value of protecting them and the liability of not credibly doing so will be obvious. This way, you also don't need to rely on a cadre of quants using dubious data sets and computing probabilistic equations to produce "risk statements" that tell the board what they already know: They have a security risk exposure problem.

An annual report is a great source for target discovery as it typically states what matters most to the business. Generally, you'll want to consider how the business generates revenue (e.g., products and markets, income mechanisms, customer experience and satisfaction, and trade secrets that produce competitive advantage), sensitive operations like finance, human resources, and legal, and core operations such as facility access, email, accounts, and networks.

Now that you have established protection targets that are meaningful to executives, you need to manage the key dimensions that influence security cost. The first two are the quality and quantity of security. These directly impact the level of protection and the exposure to impact to be expected. The latter two affect the pace and the proficiency of security operations to deliver protection results.

How deep is our security quality? Threat actors aren't all equal. We know some are more sophisticated than others. The more advanced the threat actor, the more access to attack resources and methods they have. This makes them more complex to protect against because controls must implement more complex countermeasures.

How broad is our security scope and coverage? Attackers can breach an organization across many surfaces (e.g., Internet devices and applications, mobile devices, facilities, personnel, vendor supply chain). Leadership must consider how much security coverage they can apply to these assets. As we know from previous breaches, it's often the forgotten accounts, devices, etc., that are the key links in the breach chain. More scope and coverage will logically cost more, but it crucial to close the scope and coverage gap for a security program to be successful.

How quickly can we achieve protection targets? Security operations leverage expensive resources: people, technology, vendors, and even property. It's usually the case that if you want something done faster, you need to apply more resources sooner to get that result. Not only are you spending money sooner, you often must also pay more to get access to those resources sooner.

Are our resources and operations optimized? We don't have to be Six Sigma black belts to know that there is often a lot of irrelevance, ineffectiveness, and inefficiency in SecOps. Some even call it security theatre. There is usually considerable duplication of effort, missed opportunities to gain efficiencies of scale, and overbuilding some controls while underbuilding others. Most frustrating is the failure to leverage expensive people, technology, and vendor resources.

The CISO job isn't to protect the entire business from all threats for any budget. The successful CISO must spell out what business executives can expect for any given budget. That way, business executives and the board end up choosing the risk appetite on clear cost-benefit terms. The board may see that they can only justify protection up to, say, organized crime, but leave breach coverage from nation-state actors to insurance, for everything other than critical business crown jewels. The CISO benefit is that it doesn't matter how much security budget you have. By laying out clear protection strategies that quantify levels of protection against specific threats, you've put yourself, and your team in a position to succeed in a well-defined mission.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Cybersecurity's 'Moral Imperative.'"

Douglas Ferguson, a security professional of over 20 years, is the founder and CTO of Pharos Security. Pharos specializes in aligning security goals and strategy to the business and a calibrated risk appetite, ensuring an integrated business plan and optimized ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
DouglasF354
50%
50%
DouglasF354,
User Rank: Author
11/7/2019 | 6:33:07 AM
Re: An old IBM rule comes to mind
I absolutely agree, and it's critical that this is well understood and appreciated in the security space. There are greater costs to gain greater confidence and greater 'control' of an asset inventory. And it's non linear. There is a big sweet spot that is typically relatively easy, obvious, to obtain, however, as you approach the edges it becomes increasing more expensive. And these costs are rarely appreciated/ factored in to security budgets effectively. And it's often in these edge cases where breach can occur, then spread with less obstruction.
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
10/31/2019 | 2:19:20 PM
An old IBM rule comes to mind
Inventory control - the most a warehouse can hope to achieve is about 98% inventory compliance.  There will always be a bit of missed or mis-placed or stolen stuff.  To achieve that extra 2% would cost twice as much as the entire package.  So it is with security.  You can catch 98% of it with the right tools and budget but to be totally secure would be a budget buster.  If management wants that - they have to open the checkbook. 
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7989
PUBLISHED: 2020-01-26
Adive Framework 2.0.8 has admin/user/add userUsername XSS.
CVE-2020-7990
PUBLISHED: 2020-01-26
Adive Framework 2.0.8 has admin/user/add userName XSS.
CVE-2020-7991
PUBLISHED: 2020-01-26
Adive Framework 2.0.8 has admin/config CSRF to change the Administrator password.
CVE-2020-7984
PUBLISHED: 2020-01-26
SolarWinds N-central before 12.1 SP1 HF5 and 12.2 before SP1 HF2 allows remote attackers to retrieve cleartext domain admin credentials from the Agent & Probe settings, and obtain other sensitive information. The attacker can use a customer ID to self register and read any aspects of the agent/a...
CVE-2019-16029
PUBLISHED: 2020-01-26
A vulnerability in the application programming interface (API) of Cisco Smart Software Manager On-Prem could allow an unauthenticated, remote attacker to change user account information which can prevent users from logging in, resulting in a denial of service (DoS) condition of the web interface. Th...