Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

12/11/2018
10:30 AM
Jack Jones
Jack Jones
Commentary
Connect Directly
LinkedIn
Twitter
RSS
E-Mail vvv
50%
50%

How Well Is Your Organization Investing Its Cybersecurity Dollars?

The principles, methods, and tools for performing good risk measurement already exist and are being used successfully by organizations today. They take some effort -- and are totally worth it.

There's an old saying in marketing: "Half of your marketing dollars are wasted. You just don't know which half." This has become far less true in recent years for organizations that apply rigorous quantitative marketing analysis techniques.

Unfortunately, given common practices in cybersecurity today, you could update that old saying by substituting "marketing" with "cybersecurity" and have to wonder if it isn't accurate. At the very least, you'd have to decide how you'd defend that it isn't. For example, if I asked what the most valuable cybersecurity investment has been for your organization in the past three years, how would you answer?

How Do We Define Cybersecurity Value?
You can't reliably measure what you haven't clearly defined, so before we can have an intelligent conversation about cybersecurity value, we first have to clearly define what we mean. For this, I turn to the question I've heard executives ask many times over the years: "How much less risk will we have if we spend these dollars on cybersecurity?" Clearly, from their perspective (and it's their perspective that matters) cybersecurity value should be measured in how much less risk the organization faces.

Unfortunately, what I commonly see in board reports, budget justifications, and conference presentations is something different. Most of the time, as an industry we appear to lean on implicit proxies for measuring risk reduction — things like NIST CSF (National Institute of Standards and Technology Cyber Security Framework) benchmark improvements, credit-like scores, and higher compliance ratings. Don't get me wrong; these are useful directional references that generally mean an organization has less risk. The problem is that we don't know how much less risk, and the "how much" matters.

For example, if the overall NIS CSF score for your organization went from 2.5 to 2.9 last year, what does that 0.4 improvement mean in terms of risk reduction? Along the same lines, how much less risk comes from reducing the time to patch or shortening the time to detect a breach?

Measuring Risk Reduction
Everything we do in cybersecurity in some way affects, directly or indirectly, the probable frequency and/or magnitude of loss-event scenarios. That being the case, measuring the value of our efforts begins with clearly defining the loss-event scenarios we're trying to affect. At a superficial level, this often boils down to confidentiality breaches, availability outages, and compromises of data integrity. That level of abstraction isn't usually very useful in risk measurement though, so we need to be more specific.

A more reasonable level of specificity would include, for example, a confidentiality breach of which information, by which threat community, via which vector. At this level of abstraction, you can begin to evaluate the effect of cybersecurity controls on the frequency and magnitude of loss for that scenario.

If that sounds like more work than you're used to applying in risk measurement, it's not surprising. Most of what passes for risk measurement today is nothing more than someone proclaiming high/medium/low risk. 

Value Analysis
To drive my point home, let me share a high-level example from my past as a CISO.  The organization I worked for had huge databases containing millions of consumer credit card records. The Payment Card Industry standard called for data at rest encryption (DaRE), which at the time would have cost the organization well over a million dollars, required modifications to key applications, and taken over a year and a half to implement.

Rather than simply go to my executives with an expensive compliance problem, I took a couple of days to do the following:

  • Identify which loss-event scenarios DaRE was relevant to as a control.
  • Perform a quantitative risk analysis using Factor Analysis of Information Risk (FAIR) to determine how much risk we currently faced from these scenarios.
  • Perform a second analysis that estimated the reduction in risk if we implemented DaRE.
  • Identify a set of alternative controls that were also relevant to the same loss-event scenarios. (These controls cost a fraction as much as DaRE, didn't require application changes, and could be implemented in a few months.)
  • Perform a third analysis that estimated the reduction in risk if we implemented these alternative controls (which turned out to be a greater reduction in risk than DaRE).

The upshot is that I was able to go to my executives and the PCI auditor with options that included clearly described cost-benefit analyses. From their perspective, it was a no-brainer.

By not simply telling my executives that we had to bite the compliance bullet, the organization was able to save over a million dollars, avoid significant operational disruption, and reduce more risk in a shorter time frame.

The Bottom Line
Every dollar spent on cybersecurity is a dollar that can't be spent on the many other business imperatives with which an organization must deal. For this reason (and because we have an inherent obligation to be good stewards of our resources), we must be able to effectively measure and communicate the value proposition of our cybersecurity efforts.

Fortunately, the principles, methods, and tools for performing good risk measurement already exist and are being used successfully by organizations today. Do these analyses take more effort than proclaiming high/medium/low risk, or falling back on ambiguous metrics? Absolutely. Is the extra effort worthwhile? I'll answer based on my experience as a CISO — yes. It's not even close.

Related Content:

Jack Jones is one of the foremost authorities in the field of information risk management. As the Chairman of the FAIR Institute and Executive VP of Research and Development for RiskLens, he continues to lead the way in developing effective and pragmatic ways to manage and ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
tcorbeill
50%
50%
tcorbeill,
User Rank: Apprentice
12/12/2018 | 8:38:02 AM
Security Instrumentation
Security Instrumentation provides empirical evidence regarding security investments that enables executives to define metrics to capture the ROI of their security investments with quantifiable, evidence-based data.
EdwardThirlwall
50%
50%
EdwardThirlwall,
User Rank: Moderator
1/9/2019 | 1:24:09 AM
More cybersecurity dollars
It would be a scary thought to know that your organisation is actually not investing enough in cybersecurity dollars. With the recent increase in data breaches, organisations ought to step up their game in order to prevent themselves and their employees from falling into hot soup. It could cost them even more should they fall in an unwanted cyberattack situation and it might just be too late.
StephenGiderson
50%
50%
StephenGiderson,
User Rank: Strategist
1/9/2019 | 5:24:36 AM
Proof of your money's worth
I think you will only know if you've invested your cyber security money properly when you don't have any incidents to speak of. If all of your data units are safe in storage in your facility and you don't see hackers trying to bring your systems down all the time, I reckon that that's a pretty good sign that you're doing a good job with the security you've set up...
jackfreund
50%
50%
jackfreund,
User Rank: Apprentice
11/5/2019 | 4:20:38 PM
Re: Proof of your money's worth
I think that's the goal right? No incidents ever. The problem is there's a fallacy that the if we only invested enough money and buy all the things then we can have no incidents. We don't live in a world we we are able to eliminate car accident deaths, but we pretend we can stop all incidents. Instead, we have to operate in an imperfect world with less than we'd like. Operating in that world requires a methodical approach to make sure we spread the resources we do have around the most efficient way.

 
Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Ransomware Damage Hit $11.5B in 2019
Dark Reading Staff 2/20/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5243
PUBLISHED: 2020-02-21
uap-core before 0.7.3 is vulnerable to a denial of service attack when processing crafted User-Agent strings. Some regexes are vulnerable to regular expression denial of service (REDoS) due to overlapping capture groups. This allows remote attackers to overload a server by setting the User-Agent hea...
CVE-2019-14688
PUBLISHED: 2020-02-20
Trend Micro has repackaged installers for several Trend Micro products that were found to utilize a version of an install package that had a DLL hijack vulnerability that could be exploited during a new product installation. The vulnerability was found to ONLY be exploitable during an initial produc...
CVE-2019-19694
PUBLISHED: 2020-02-20
The Trend Micro Security 2019 (15.0.0.1163 and below) consumer family of products is vulnerable to a denial of service (DoS) attack in which a malicious actor could manipulate a key file at a certain time during the system startup process to disable the product's malware protection functions or the ...
CVE-2020-5242
PUBLISHED: 2020-02-20
openHAB before 2.5.2 allow a remote attacker to use REST calls to install the EXEC binding or EXEC transformation service and execute arbitrary commands on the system with the privileges of the user running openHAB. Starting with version 2.5.2 all commands need to be whitelisted in a local file whic...
CVE-2020-8601
PUBLISHED: 2020-02-20
Trend Micro Vulnerability Protection 2.0 is affected by a vulnerability that could allow an attack to use the product installer to load other DLL files located in the same directory.