ISO alternative to ROSI.
The security equivalent of Nietzsche has spoken, and ROSI is dead, although there are still some Monty Pythonesque security pundits who claim that it’s just pining for the fjords. (Pining for the quantifiable risk management?) I think the concept of a return on investment for security was mostly a management fad, born out of irrational exuberance on the part of security professionals who were trying to get to the C-level. (And for the most part, some appear to have succeeded.) But nobody talks about ROI for physical security, so I don’t think there was ever a chance for ROSI.
HOWEVER. We still have a great need for a different measure: effectiveness of security investment.
There are so many different ways to spend on security that nobody can come up with a formula. (No, I don’t care about the 10% of IT rule; tell me how the 10% breaks down into a real line-item budget.) Is it more effective to invest in personnel or in “enterprise security solutions”? Are you really getting more bang for the buck by going open source whenever you can? Once you’ve (presumably) solved the standard problems—you’ve bought antivirus, antispyware, antispam, and firewalls, and have them all tuned properly—where do you go from there? If you take your security spend over five years (which is an eternity in security time, never mind Internet time), can you show a rational pattern there, or just a reactive one as new threats and new products came over the horizon?
The problem space breaks down in a couple of ways. You have your line-item budget versus your performance-based budget. Executives will understand the latter somewhat better than the former, but will still end up asking for the former as well; you might as well put them in a matrix together. They want to know (1) what you’re buying, and (2) what you’re going to do with it, and why.
How do you create performance-based budget categories? My personal choices are in these areas:
- maintaining security infrastructure (capital spending on hardware, software and maintenance)
- maintaining compliance with existing requirements (legal, compliance and “best practice,” whatever that is)
- remediation (show me an organization that doesn’t spend on remediation, and I’ll show you a shop that’s been open less than a year, or is going to be open for less than a year)
- training and awareness
- developing solutions for new compliance and business requirements
- incident response
Yes, there are a few problems with this, especially in the last two forward-looking categories. That’s the other part of the problem space: predictable costs versus unpredictable ones. If you don’t know what your new business requirements are going to be, you don’t know whether the solution they need is going to involve you buying a new security product, or having real people rewrite or reconfigure what you already have. And you can put a bit of a nest egg away to respond to incidents from a resource perspective (hired guns to come in and help with forensics, for example), but your management probably won’t let you sock away much. Need I point out that covering the other costs of an incident (litigation, fines, notification, etc.) should come from the insurance part of your organization’s financial risk management? That shouldn’t be your responsibility anyway.
The biggest problem with security spend is trying to quantify the HR end. Security activities take up time from just about everyone in IT to some extent, and unless you’re very determined and very controlling, you probably won’t capture that part. Your best chance is to list any staff who are arguably dedicated to security activities, and then add the cost of any other security activities that you can put in the form of a project (remediation and new rollouts are best for these).
This is the point where you have some good charts for your executive management, but you still have to remind them that there is no Return at the end of the investment rainbow. You just have to convince them that you’re buying the equivalent of the right safe for the right jewels, and explain the going rate for suitably trained bodyguards.
Now, all we need is for someone to simplify things down that far, and we’ll be set!
Seriously, though, you can approach spending partly from a due diligence perspective (“everyone needs to have one of these”), but the rest of it is going to be based on your judgement of your organization’s particular risk profile: what you’re protecting; whether it takes more people, processes or products to cover those particular things; where you’re weakest; and which hill your business is going to ask you to take next.
The hardest part, for me, is deciding whether I need the all-in-one coffee, espresso and tea-maker, or whether I can get by with one of those Bodum French presses and hope anybody who wants tea will be satisfied with a jar on a sunny windowsill.
Posted by shrdlu on Saturday, September 16, 2006