Dark Reading is part of the Informa Tech Division of Informa PLC

Operations

10/31/2019
02:00 PM

Quantifying Security Results to Justify Costs

The CISO job isn't to protect the entire business from all threats for any budget. It's to spell out what level of protection executives can expect for a given budget.

Most modern security programs are centered around "maturity" toward compliance with a security framework, or a subjective "expert" opinion. Neither of these approaches can justify security spend or deliver a meaningful protection-from-impact result. To justify security budget, CISOs need to be able to answer questions such as:

  • Who can and cannot breach a crown jewel?
  • Is this level of protection justifiable?
  • What cost did we achieve this for, and is that cost reasonable?

To answer these questions, CISOs need quantifiable data and terms that influence costs and results because executives are results driven. They care much less about what security is doing, and much more about what they get in return for it. They want to know how differences in security spending quantifiably change the business's exposure to big impacts. For that reason, security professionals need to change the narrative from "security is a journey, not a destination" to "security is a chosen destination, with a justified journey to get and remain there."

Our starting point: Align protection "destinations" to assets that irrefutably matter to executives. Let's call these the crown jewels. Keep these easy to understand and in business terms. With well-chosen protection targets, the value of protecting them and the liability of not credibly doing so will be obvious. This way, you also don't need to rely on a cadre of quants using dubious data sets and computing probabilistic equations to produce "risk statements" that tell the board what they already know: They have a security risk exposure problem.

An annual report is a great source for target discovery as it typically states what matters most to the business. Generally, you'll want to consider how the business generates revenue (e.g., products and markets, income mechanisms, customer experience and satisfaction, and trade secrets that produce competitive advantage), sensitive operations like finance, human resources, and legal, and core operations such as facility access, email, accounts, and networks.

Now that you have established protection targets that are meaningful to executives, you need to manage the four key dimensions that influence security cost. The first two are the quality and quantity of security. These directly impact the level of protection and the exposure to impact to be expected. The latter two affect the pace and the proficiency of security operations to deliver protection results.

How deep is our security quality? Threat actors aren't all equal. We know some are more sophisticated than others. The more advanced the threat actor, the more access to attack resources and methods they have. This makes them more complex to protect against because controls must implement more complex countermeasures.

How broad is our security scope and coverage? Attackers can breach an organization across many surfaces (e.g., Internet devices and applications, mobile devices, facilities, personnel, vendor supply chain). Leadership must consider how much security coverage they can apply to these assets. As we know from previous breaches, it's often the forgotten accounts, devices, etc., that are the key links in the breach chain. More scope and coverage will logically cost more, but it is crucial to close the scope and coverage gap for a security program to be successful.

How quickly can we achieve protection targets? Security operations leverage expensive resources: people, technology, vendors, and even property. It's usually the case that if you want something done faster, you need to apply more resources sooner to get that result. Not only are you spending money sooner, you often must also pay more to get access to those resources sooner.

Are our resources and operations optimized? We don't have to be Six Sigma black belts to know that there is often a lot of irrelevance, ineffectiveness, and inefficiency in SecOps. Some even call it security theatre. There is usually considerable duplication of effort, missed opportunities to gain efficiencies of scale, and overbuilding some controls while underbuilding others. Most frustrating is the failure to leverage expensive people, technology, and vendor resources.

The CISO job isn't to protect the entire business from all threats for any budget. The successful CISO must spell out what business executives can expect for any given budget. That way, business executives and the board end up choosing the risk appetite on clear cost-benefit terms. The board may see that they can only justify protection up to, say, organized crime, but leave breach coverage from nation-state actors to insurance, for everything other than critical business crown jewels. The CISO benefit is that it doesn't matter how much security budget you have. By laying out clear protection strategies that quantify levels of protection against specific threats, you've put yourself and your team in a position to succeed in a well-defined mission.

Douglas Ferguson, a security professional of over 20 years, is the founder and CTO of Pharos Security. Pharos specializes in aligning security goals and strategy to the business and a calibrated risk appetite, ensuring an integrated business plan and optimized ...
Comments
REISEN1955,
User Rank: Ninja
10/31/2019 | 2:19:20 PM
An old IBM rule comes to mind
Inventory control - the most a warehouse can hope to achieve is about 98% inventory compliance. There will always be a bit of missed or misplaced or stolen stuff. To achieve that extra 2% would cost twice as much as the entire package. So it is with security. You can catch 98% of it with the right tools and budget but to be totally secure would be a budget buster. If management wants that - they have to open the checkbook.
DouglasF354,
User Rank: Author
11/7/2019 | 6:33:07 AM
Re: An old IBM rule comes to mind
I absolutely agree, and it's critical that this is well understood and appreciated in the security space. There are greater costs to gain greater confidence and greater 'control' of an asset inventory. And it's nonlinear. There is a big sweet spot that is typically relatively easy, obvious, to obtain; however, as you approach the edges it becomes increasingly more expensive. And these costs are rarely appreciated/factored into security budgets effectively. And it's often in these edge cases where breach can occur, then spread with less obstruction.