Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

10/31/2019
02:00 PM
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

Quantifying Security Results to Justify Costs

The CISO job isn't to protect the entire business from all threats for any budget. It's to spell out what level of protection executives can expect for a given budget.

Most modern security programs are centered around "maturity" toward compliance to a security framework, or a subjective "expert" opinion. Neither of these approaches can justify security spend or deliver a meaningful protection-from-impact result. To justify security budget, CISOs need to be able to answer questions, such as:

  • Who can and cannot breach a crown jewel?
  • Is this level of protection justifiable?
  • What cost did we achieve this for, and is that cost reasonable?

To answer these questions, CISOs need quantifiable data and terms that influence costs and results because executives are results driven. They care much less about what security is doing, and much more about what they get in return for it. They want to know how differences in security spending quantifiably change the business's exposure to big impacts. For that reason, security professionals need to change the narrative from "security is a journey, not a destination" to "security is a chosen destination, with a justified journey to get and remain there."

Our starting point: Align protection "destinations" to assets that irrefutably matter to executives. Let's call these the crown jewels. Keep these easy to understand and in business terms. With well-chosen protection targets, the value of protecting them and the liability of not credibly doing so will be obvious. This way, you also don't need to rely on a cadre of quants using dubious data sets and computing probabilistic equations to produce "risk statements" that tell the board what they already know: They have a security risk exposure problem.

An annual report is a great source for target discovery as it typically states what matters most to the business. Generally, you'll want to consider how the business generates revenue (e.g., products and markets, income mechanisms, customer experience and satisfaction, and trade secrets that produce competitive advantage), sensitive operations like finance, human resources, and legal, and core operations such as facility access, email, accounts, and networks.

Now that you have established protection targets that are meaningful to executives, you need to manage the key dimensions that influence security cost. The first two are the quality and quantity of security. These directly impact the level of protection and the exposure to impact to be expected. The latter two affect the pace and the proficiency of security operations to deliver protection results.

How deep is our security quality? Threat actors aren't all equal. We know some are more sophisticated than others. The more advanced the threat actor, the more access to attack resources and methods they have. This makes them more complex to protect against because controls must implement more complex countermeasures.

How broad is our security scope and coverage? Attackers can breach an organization across many surfaces (e.g., Internet devices and applications, mobile devices, facilities, personnel, vendor supply chain). Leadership must consider how much security coverage they can apply to these assets. As we know from previous breaches, it's often the forgotten accounts, devices, etc., that are the key links in the breach chain. More scope and coverage will logically cost more, but it crucial to close the scope and coverage gap for a security program to be successful.

How quickly can we achieve protection targets? Security operations leverage expensive resources: people, technology, vendors, and even property. It's usually the case that if you want something done faster, you need to apply more resources sooner to get that result. Not only are you spending money sooner, you often must also pay more to get access to those resources sooner.

Are our resources and operations optimized? We don't have to be Six Sigma black belts to know that there is often a lot of irrelevance, ineffectiveness, and inefficiency in SecOps. Some even call it security theatre. There is usually considerable duplication of effort, missed opportunities to gain efficiencies of scale, and overbuilding some controls while underbuilding others. Most frustrating is the failure to leverage expensive people, technology, and vendor resources.

The CISO job isn't to protect the entire business from all threats for any budget. The successful CISO must spell out what business executives can expect for any given budget. That way, business executives and the board end up choosing the risk appetite on clear cost-benefit terms. The board may see that they can only justify protection up to, say, organized crime, but leave breach coverage from nation-state actors to insurance, for everything other than critical business crown jewels. The CISO benefit is that it doesn't matter how much security budget you have. By laying out clear protection strategies that quantify levels of protection against specific threats, you've put yourself, and your team in a position to succeed in a well-defined mission.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Cybersecurity's 'Moral Imperative.'"

Douglas Ferguson, a security professional of over 20 years, is the founder and CTO of Pharos Security. Pharos specializes in aligning security goals and strategy to the business and a calibrated risk appetite, ensuring an integrated business plan and optimized ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
DouglasF354
50%
50%
DouglasF354,
User Rank: Author
11/7/2019 | 6:33:07 AM
Re: An old IBM rule comes to mind
I absolutely agree, and it's critical that this is well understood and appreciated in the security space. There are greater costs to gain greater confidence and greater 'control' of an asset inventory. And it's non linear. There is a big sweet spot that is typically relatively easy, obvious, to obtain, however, as you approach the edges it becomes increasing more expensive. And these costs are rarely appreciated/ factored in to security budgets effectively. And it's often in these edge cases where breach can occur, then spread with less obstruction.
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
10/31/2019 | 2:19:20 PM
An old IBM rule comes to mind
Inventory control - the most a warehouse can hope to achieve is about 98% inventory compliance.  There will always be a bit of missed or mis-placed or stolen stuff.  To achieve that extra 2% would cost twice as much as the entire package.  So it is with security.  You can catch 98% of it with the right tools and budget but to be totally secure would be a budget buster.  If management wants that - they have to open the checkbook. 
SOC 2s & Third-Party Assessments: How to Prevent Them from Being Used in a Data Breach Lawsuit
Beth Burgin Waller, Chair, Cybersecurity & Data Privacy Practice , Woods Rogers PLC,  12/5/2019
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "This is the last time we hire Game of Thrones Security"
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-4428
PUBLISHED: 2019-12-09
IBM Watson Assistant for IBM Cloud Pak for Data 1.0.0 through 1.3.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session....
CVE-2019-4611
PUBLISHED: 2019-12-09
IBM Planning Analytics 2.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 168519.
CVE-2019-4612
PUBLISHED: 2019-12-09
IBM Planning Analytics 2.0 is vulnerable to malicious file upload in the My Account Portal. Attackers can make use of this weakness and upload malicious executable files into the system and it can be sent to victim for performing further attacks. IBM X-Force ID: 168523.
CVE-2019-4621
PUBLISHED: 2019-12-09
IBM DataPower Gateway 7.6.0.0-7 throug 6.0.14 and 2018.4.1.0 through 2018.4.1.5 have a default administrator account that is enabled if the IPMI LAN channel is enabled. A remote attacker could use this account to gain unauthorised access to the BMC. IBM X-Force ID: 168883.
CVE-2019-19230
PUBLISHED: 2019-12-09
An unsafe deserialization vulnerability exists in CA Release Automation (Nolio) 6.6 with the DataManagement component that can allow a remote attacker to execute arbitrary code.