Pity the benighted chief financial officer (CFO) – or at least try.
He presides, Solomon-like, over the purse-strings of his organization. All manner of internal departments compete for finite funds, all with urgent needs. Which projects will live, and which ones will die? These are the decisions he must make daily.
Arming senior IT executives with a rational, economic approach to allocating security funds is the aim of a new book, Managing Cybersecurity Resources: A Cost-Benefit Analysis by Lawrence A. Gordon and Martin P. Loeb, both professors of managerial accounting and information assurance at the University of Maryland.
Written in plain English, the book provides a framework for building compelling business cases that will warm the cockles of the CFO's heart.
"We wanted to make these economic concepts accessible to the people who can make best use of them," says Gordon, who leads the academic team that reviews the annual Computer Security Institute (CSI) and FBI Computer Crime and Security survey. The book is based on seven years' research in an emerging field, the economic aspects of information security. "Organizations don't have infinite resources to allocate to any one thing. Cybersecurity is no different."
However, some claim cybersecurity is indeed in a different category, and thus beyond the purview of the dismal science. Gordon is unimpressed with such arguments. "When we first started doing this, people said it was voodoo economics, to which we politely replied, that's nonsense." There are some aspects of cybersecurity investment that make cost-benefit analysis difficult, he says, but it can and should be subject to the same scrutiny.
Cybersecurity projects are in an investment category called cost-savings projects, he explains. These are projects which, if done well, save the organization funds but don't generate new revenue. Gordon points out there are many other investments in this category, including IT itself. "Twenty-five years ago, people said using net present value (NPV) models to justify IT investment was also voodoo economics. But today, all major corporations use some form of NPV modeling to at least get a handle on the parameters."
What's unique about cybersecurity, he says, even within the realm of cost-savings projects, is that the savings generated when the job is done well can't be observed. If a legacy computer system is replaced because the new one does a better job faster with fewer people, the savings can be quantified. With security, the cost side is clear enough: spending is justified against the costs of breaches, such as losses due to theft of data, downtime, and so on. But the savings are ambiguous: how many cyber attacks are prevented by infosec measures? Or is the absence of attacks just dumb luck? Here we enter the realm of probability.
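To make the "cost-savings project" framing concrete, here is an added worked example (not from the book, and not the authors' own model) that treats a security control's only benefit as the reduction in expected annual loss, then discounts it with a plain NPV calculation of the kind the article mentions. Every figure is constructed for illustration; the breakeven function shows how sensitive the business case is to the breach-probability estimate, which is exactly the ambiguity the text describes.

```python
"""Cost-benefit sketch for a security control treated as a cost-savings project.

Added illustration, not from Gordon and Loeb's book. All inputs are constructed
sample values. The control's "savings" are modelled as avoided expected loss:
(p_without - p_with) * loss_per_breach, where p_* is the estimated probability
of a costly breach in a year with and without the control.
"""


def expected_annual_loss(breach_probability: float, loss_per_breach: float) -> float:
    """Expected loss per year: probability of a breach that year times its cost."""
    if not 0.0 <= breach_probability <= 1.0:
        raise ValueError("breach_probability must be in [0, 1]")
    return breach_probability * loss_per_breach


def npv(cash_flows, discount_rate: float) -> float:
    """Net present value of cash flows indexed by year; year 0 is undiscounted."""
    return sum(cf / (1.0 + discount_rate) ** t for t, cf in enumerate(cash_flows))


def security_npv(upfront_cost: float, annual_cost: float, loss_per_breach: float,
                 p_without: float, p_with: float, years: int,
                 discount_rate: float) -> float:
    """NPV of a control whose only 'revenue' is avoided expected breach loss."""
    avoided = (expected_annual_loss(p_without, loss_per_breach)
               - expected_annual_loss(p_with, loss_per_breach))
    # Year 0: pay the upfront cost. Years 1..n: avoided loss minus running cost.
    flows = [-upfront_cost] + [avoided - annual_cost] * years
    return npv(flows, discount_rate)


def breakeven_p_with(upfront_cost: float, annual_cost: float, loss_per_breach: float,
                     p_without: float, years: int, discount_rate: float) -> float:
    """Largest residual breach probability at which NPV is still zero.

    NPV is linear in p_with:
        NPV = -C0 + A * ((p_without - p_with) * L - annual_cost)
    where A is the annuity factor for `years` at `discount_rate`. Solving NPV = 0:
        p_with = p_without - (C0 / A + annual_cost) / L
    If the control cannot push the probability below this value, it does not pay.
    """
    annuity = sum(1.0 / (1.0 + discount_rate) ** t for t in range(1, years + 1))
    return p_without - (upfront_cost / annuity + annual_cost) / loss_per_breach


def sensitivity(upfront_cost, annual_cost, loss_per_breach, p_without, years,
                discount_rate, p_with_values):
    """NPV for each candidate residual probability; shows how the case swings
    on an estimate nobody can observe directly."""
    return {p: security_npv(upfront_cost, annual_cost, loss_per_breach,
                            p_without, p, years, discount_rate)
            for p in p_with_values}


if __name__ == "__main__":
    # Constructed sample inputs (currency units are arbitrary).
    args = dict(upfront_cost=100_000, annual_cost=20_000, loss_per_breach=2_000_000,
                p_without=0.10, years=3, discount_rate=0.08)
    print("NPV at p_with=0.04:", round(security_npv(p_with=0.04, **args), 2))
    print("breakeven p_with:", round(breakeven_p_with(**args), 4))
    for p, v in sensitivity(p_with_values=[0.02, 0.05, 0.07, 0.09], **args).items():
        print(f"  p_with={p:.2f}  NPV={v:,.0f}")
```

The usage in the `__main__` block shows the point the article makes: the same control looks like a clear win or a clear loss depending only on how much one believes it lowers breach probability, so the estimate of `p_with` deserves as much scrutiny as the cost figures.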