The Problem with Pundits, Part I.
Don’t get me wrong: I get a lot of very useful perspectives, news and information from reading security blogs. But I’m starting to feel as if the high-level discussions slip a little too easily into platitudes and away from concrete solutions.
Take this frequently quoted gem from Avivah Litan at Gartner:
“A company with at least 10,000 accounts to protect can spend, in the first year, as little as $6 per customer account for just data encryption, or as much as $16 per customer account for data encryption, host-based intrusion prevention and strong security audits combined,” Litan said in an accompanying statement. “Compare [that] with an expenditure of at least $90 per customer account when data is compromised or exposed during a breach,” she added.
Everyone and his DOG picked up on this (there are 298 Google hits on it as of this writing), and even though a few people argued with the figures, nearly everyone is nodding sagely and saying that money spent on prevention is more cost-effective than money spent on recovery.
What I want to know is, who even knows how to count up security dollars in the REAL world?
Let’s say you run any kind of shop where you have a dedicated IT security group. You’re trying to identify your spending on security. Let’s even say for the sake of argument that everything that isn’t detection and response counts as prevention.
What do you count as spending on security prevention?
• capital spending and maintenance on antivirus, anti-spyware, filtering, scanning, and any other kind of “dedicated” security software
• capital spending and maintenance on the servers to run these (assuming they’re dedicated)
• capital spending and maintenance on firewalls, IDSes, and other dedicated security appliances
• salaries for your dedicated security personnel
• identifiable security training
But that’s not all. Do you count these costs, too?
• spam filtering software
• log consolidation/processing software and hardware
• man-hours spent on installing upgrades and patches
• man-hours for awareness activities and training (for the trainees as well as the trainer), including training and support for encryption software
• man-hours spent on application security, including design and code reviews and QA testing
• man-hours spent on account administration
• man-hours spent responding to audits
• man-hours spent on business continuity planning and testing
• man-hours spent on asset tracking and disk sanitation
• legal fees for figuring out which OS security settings count as SOX compliance
This is all still “prevention,” remember. Can anyone REALLY demonstrate to me that incurring all these costs, and doing it right, would have been cheaper than the VA’s costs in responding to one unpredictable security incident? Because if anyone can tell me the VA’s true security spend on prevention, I’ll eat my copy of Quarterman’s book.
Yes, the VA hit the jackpot. They had to send out 26 million letters. The postage was probably more expensive than encryption software would have been. But that’s not a typical case, and just about everybody knows it.
Don’t be tempted to confuse “spending on prevention” with “insurance.” Insurance is what you buy to help you recover when your prevention fails. Insurers will not insure you unless they’re satisfied that you’re already spending enough on prevention. It’s not the same thing.
So don’t tell me what to spend unless you can tell me exactly what to spend it on. Don’t tell me to encrypt all my sensitive email unless you can explain to me how to encrypt mail to millions of external customers without buying them software, making them learn it, and managing millions of keys. Don’t tell me to stop using Social Security numbers unless you can tell me what to use instead when all the organizations I have to get data from are still using them as unique identifiers.
We need fewer Punditry Platitudes and more actual solutions. Avivah, thanks for nothing: you’ve done nothing to solve my problems except hand my bosses a paragraph that they’re going to wave at me and expect me to explain to them. Tell me instead how the hell you calculated that “per customer account” spend and how I calculate that for MY organization.
Meanwhile, I’m going back down to the Accounting department with a notepad and some thumbscrews.
Posted by shrdlu on Friday, July 14, 2006