Attendees at the recent Infosecurity Canada conference in Toronto got to hear a wide variety of opinions on how IT managers should go about selling security to the board. Other than the fact that security is still frequently a corporate afterthought, there was no consensus.
In a nutshell, buying security is like buying a cloud. You know it is there but until it rains (or you are attacked) you have no proof.
“We don’t know whether the amount we are spending on security actually reduces the risk,” said analyst Pete Lindstrom.
Risk reduction is assumed to be a given when IT security is beefed up, but in reality it is difficult to prove. Making a system more secure definitely makes it more difficult to hack. But it is almost impossible to calculate whether risk is actually reduced since, for example, better protected systems may actually attract more talented hackers. After all, talented thieves rarely knock over convenience stores.
Lindstrom, research director for Spire Security LLC, a Malvern, Penn.-based security focused analyst firm, gave a talk on the art of calculating return on security investment (ROSI). But even he admitted it is all “murky stuff.”
For example, an equation commonly used to calculate potential loss is called annual loss expectancy (ALE): the ALE is the probability of an occurrence times the value of the asset (ALE = P x A). If there is a 1 in 10,000 probability of a server worth a million dollars being corrupted, the ALE is $100 a year. By that logic, $100 a year is the most a company can justify spending to protect that server against that one event; spend more and the cure costs more than the disease. (The textbook form is a little more elaborate: a single loss expectancy, the asset value times the fraction of it actually lost, multiplied by an annual rate of occurrence. The version above assumes a total loss.)
“Those are great letters,” Lindstrom said. “But what the hell are the numbers?”
Jim Robbins agrees. “I think [using metrics] is an overrated mechanism,” said Robbins, president of Ottawa-based EWA-Canada Ltd. during a subsequent panel discussion.
Therein lies security’s biggest problem – subjectivity.
The actual probability of an occurrence is difficult to calculate. There are statistics available but their accuracy is open for debate. It is questionable exactly what percentage of companies answer surveys truthfully. It also depends on who is asked. CIOs may be blissfully unaware of many events, while most CEOs are unaware of all but the worst.
The cost of an event is also difficult to calculate given the level of interdependency between systems. Slow servers and squeezed bandwidth due to SQL Slammer will slow down employee access to the Internet, but at what cost?
Lindstrom likes to narrow his focus down to labour costs since they are much easier to calculate. If a blended threat (such as Code Red) requires IT workers to drop what they are doing, there is an associated cost. Just calculating the hours spent fixing a problem is often enough to get senior management’s attention.
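To make the ALE arithmetic above, the return-on-security-investment (ROSI) calculation Lindstrom described, and the labour-hours approach concrete, here is an added worked example. It is not code from the article or from Spire Security; the $50-a-year control, its assumed 80 per cent reduction in incident probability and the cleanup timesheet are all constructed for illustration. It uses the article's own numbers ($1M server, 1 in 10,000 chance of corruption) and then recomputes ROSI for the same control under two other equally defensible guesses at the probability, which is the point Lindstrom was making about "the numbers": the sign of the answer depends on an input nobody can measure.

```python
"""Worked example added to this article (not Lindstrom's or Spire Security's own model):
ALE = P x A, ROSI for a control, incident cost in labour hours, and how ROSI swings
with the assumed probability."""

from typing import Dict, Iterable, Tuple


def annual_loss_expectancy(probability: float, asset_value: float) -> float:
    """ALE = P x A. The article's 1-in-10,000 chance of losing a $1M server gives $100/yr."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    return probability * asset_value


def incident_labour_cost(timesheet: Iterable[Tuple[str, float, float]]) -> float:
    """Cost of an incident measured only in staff time, Lindstrom's preferred metric.

    Each timesheet entry is (role, hours_spent, hourly_rate). Figures are constructed."""
    return sum(hours * rate for _role, hours, rate in timesheet)


def rosi(ale_before: float, ale_after: float, annual_control_cost: float) -> float:
    """Return on security investment as a ratio:
    (loss avoided per year - annual cost of the control) / annual cost of the control.
    Positive means the control pays for itself on paper; negative means it does not."""
    if annual_control_cost <= 0:
        raise ValueError("control cost must be positive")
    avoided = ale_before - ale_after
    return (avoided - annual_control_cost) / annual_control_cost


def rosi_sensitivity(asset_value: float, annual_control_cost: float,
                     reduction_fraction: float,
                     probabilities: Iterable[float]) -> Dict[float, float]:
    """Recompute ROSI for one control across several assumed incident probabilities.

    reduction_fraction is the share of the incident probability the control is assumed
    to remove (0.8 = 'stops 80% of incidents'); that figure is itself a guess."""
    results: Dict[float, float] = {}
    for p in probabilities:
        before = annual_loss_expectancy(p, asset_value)
        after = annual_loss_expectancy(p * (1.0 - reduction_fraction), asset_value)
        results[p] = rosi(before, after, annual_control_cost)
    return results


if __name__ == "__main__":
    # The article's numbers: a $1M server with a 1-in-10,000 chance of corruption.
    server_value = 1_000_000.0
    print("ALE: $", annual_loss_expectancy(1 / 10_000, server_value))

    # Hypothetical control costing $50/yr, assumed to cut the probability by 80%.
    # Same control, three plausible guesses at P: the sign of ROSI flips.
    for p, r in rosi_sensitivity(server_value, 50.0, 0.8,
                                 [1 / 100_000, 1 / 10_000, 1 / 1_000]).items():
        print(f"P = 1 in {int(round(1 / p)):>7,}: ROSI = {r:+.2f}")

    # Constructed Code Red-style cleanup timesheet; the hours are the one number
    # nobody in the boardroom argues with.
    cleanup = [("sysadmin", 40.0, 75.0), ("helpdesk", 16.0, 40.0), ("network eng", 8.0, 90.0)]
    print("Labour cost of cleanup: $", incident_labour_cost(cleanup))
```

With the article's 1-in-10,000 figure the $50 control returns +0.60; at 1 in 100,000 it returns -0.84 and at 1 in 1,000 it returns +15.00. Nothing about the control changed, only the estimate that no survey can pin down, which is why the labour figure at the end is the one most likely to survive a board meeting.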
Another way to sell security is to focus on the cost of a specific failure.
Canada and the U.S. have stringent privacy laws (PIPEDA in Canada and, for health information, HIPAA in the U.S.), which allow for fines to be imposed on companies that divulge certain personal information. If corporate information is not secure, a company could be held liable.
“As soon as you have the lawyers and auditors involved, you have boardroom attention,” Robbins said.
Though he doesn’t use it often, fear can also be a great motivator, said Robert Garigue. “I don’t mind scaring people, it is really easy to do.” But he added a caveat: “You will (only) get money once.” Garigue, chief information security officer with the Bank of Montreal Financial Group in Toronto, said a common next step is to demand that security spending be a portion of the IT budget. This works for a while, he said, but it too has a finite life.
The key for long-term security success is to show value, not necessarily risk reduction or ROI.
“You have to really show improvement,” Garigue said. This could be anything from less downtime due to cyber attacks to an increase in security certified personnel.
Finally, those responsible for IT security should not report to the CIO. “It is the fox in the hen house,” said Gene McLean, the Edmonton-based chief security officer with Telus Communications Inc. He said when budgets are tight, “the first thing to go is security.”