The Economic Return of Security - PowerPoint PPT Presentation

About This Presentation
Title:

The Economic Return of Security

Description:

The Sad State of Security Spending. Companies spend a lot on security, but they aren't more secure. ... Most incremental spending goes toward dealing with the ... – PowerPoint PPT presentation

Slides: 20
Provided by: robertl78

Transcript and Presenter's Notes


1
The Economic Return of Security
  • Bob Lonadier, CISSP, RCL Associates

2
Agenda
  • The sad state of security spending
  • The underlying problem
  • Why the current economic models are inadequate
  • What to do about it
  • Q&A

3
The Sad State of Security Spending
  • Companies spend a lot on security, but they
    aren't more secure.
  • Spending increases (both absolute and relative to
    IT spending) don't result in more security
  • Most incremental spending goes toward dealing
    with the complexity created by the previous
    security investment
  • Insecurity abounds

4
The Security Return Problem
[Chart: cost plotted against 1/security]
5
The Underlying Problem
  • Why justifying security is difficult
  • The management view
  • The view from the trenches

6
Attempts at Justifying Security Investment
  • The ROI model
  • The risk management model
  • Other models

7
ROI Necessary but Insufficient?
  • According to Hurwitz Group's e-Mentor PRO Study
    2000:
    • 77% of enterprises use ROI to evaluate e-Business
      solution purchases
    • The largest companies use ROI the most: 94% of
      companies with annual revenues of $10 billion or
      more
  • According to a 1999 survey by Cambridge
    Information Network of over 1,400 CIOs and senior
    IT executives, ROI analysis is typically a
    political prerequisite to get an IT investment
    approved.
  • However, this same study found that while 91% of
    respondents consider cost savings as key results
    from ROI, 65% consider revenue creation an
    important factor.

8
The Shortcomings of ROI
  • The self-serving aspects
  • The measurement problem
  • The challenge in reducing cost without increasing
    risk

9
The Risk Management Model
  • Average loss expectancy (ALE) = impact of event
    × frequency of occurrence
  • Invest in security where incremental cost <
    incremental reduction in ALE
  • Outsource (insure) where incremental cost >
    incremental reduction in ALE

10
The Four Risk Actions
  • Accept it
  • Ignore it (accept it)
  • Assign it to someone else (insure against or
    outsource it)
  • Mitigate it (reduce it)
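
As an added illustration of the decision rule on slides 9 and 10 (this is not the presenter's material), the Python sketch below computes ALE as impact × frequency for a few constructed risks and applies the slide's test: mitigate where a control's incremental cost is below the ALE reduction it buys. Where that test fails it falls through to the other risk actions: assign the risk (insure) if an assumed annual premium is below the ALE, otherwise accept it. The premium comparison is an assumption added here; the slides only state the cost-versus-ALE-reduction test. All dollar figures, frequencies and control names are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One loss event: dollar impact per occurrence and expected yearly frequency."""
    name: str
    impact: float      # loss per occurrence, dollars (constructed)
    frequency: float   # expected occurrences per year (constructed)

    def ale(self) -> float:
        # Slide 9: ALE = impact of event × frequency of occurrence
        return self.impact * self.frequency


@dataclass(frozen=True)
class Control:
    """A mitigation option and the residual risk left after applying it."""
    name: str
    annual_cost: float        # incremental cost of the control
    residual_impact: float    # impact per occurrence once the control is in place
    residual_frequency: float # frequency once the control is in place

    def residual_ale(self) -> float:
        return self.residual_impact * self.residual_frequency


def ale_reduction(risk: Risk, control: Control) -> float:
    """Incremental reduction in ALE that the control buys."""
    return risk.ale() - control.residual_ale()


def choose_action(risk: Risk, control: Control, premium: float) -> str:
    """Map a risk onto one of the slide-10 actions.

    'mitigate' when the control's cost is below the ALE reduction (slide 9),
    'transfer' when the insurance premium is below the ALE (assumed rule),
    'accept' otherwise. 'ignore' is deliberately not an output: the slide
    treats it as acceptance by default, not as a decision.
    """
    if control.annual_cost < ale_reduction(risk, control):
        return "mitigate"
    if premium < risk.ale():
        return "transfer"
    return "accept"


# Constructed portfolio: (risk, candidate control, hypothetical annual premium)
PORTFOLIO = [
    (Risk("laptop theft", impact=20_000, frequency=2.0),
     Control("full-disk encryption", 8_000, residual_impact=2_000, residual_frequency=2.0),
     9_000),
    (Risk("data-center fire", impact=2_000_000, frequency=0.01),
     Control("suppression upgrade", 50_000, residual_impact=500_000, residual_frequency=0.01),
     12_000),
    (Risk("website defacement", impact=5_000, frequency=0.5),
     Control("web application firewall", 4_000, residual_impact=0, residual_frequency=0.5),
     3_000),
]


def evaluate_portfolio() -> dict:
    """Return {risk name: chosen action} for the constructed portfolio."""
    return {risk.name: choose_action(risk, control, premium)
            for risk, control, premium in PORTFOLIO}


if __name__ == "__main__":
    for risk, control, premium in PORTFOLIO:
        print(f"{risk.name:20s} ALE={risk.ale():>10,.0f} "
              f"reduction={ale_reduction(risk, control):>10,.0f} "
              f"cost={control.annual_cost:>8,.0f} -> "
              f"{choose_action(risk, control, premium)}")
```

The interesting case is the fire: the suppression upgrade does cut ALE, but its cost exceeds the reduction, so the slide-9 rule says not to buy it, and the cheaper premium makes assignment the rational choice. That is the "outsource (insure) where incremental cost > incremental reduction in ALE" branch in numbers.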

11
The Challenges of the Risk Management Model
  • Qualifying risk
  • Information security risk vs. Business risk
  • Quantifying risk
  • Measuring risk well (and over time)
  • Reducing risk
  • Risk management in an era of uncertainty
  • Diversifying risk
  • The insurance model: why it falls short

12
An Uptime Approach to Security
[Chart: availability plotted against 1/security]
13
Why The Current Approaches are Inadequate
  • They cannot answer "how much security spending do
    I need?"
  • They cannot manage or diversify risk
    efficiently
  • Security outsourcing vs. hacker insurance
  • They cannot answer "when am I secure (enough)?"

14
The Security Treadmill
15
A New Approach Towards the Economic Return on
Security
  • Security as a process, not an outcome
  • Business processes vs. IT processes
  • Re-developing security awareness
  • Security as a teaching tool
  • Security and the learning organization
  • Security awareness as a barometer for corporate
    health

16
Is Security Free?
  • Security can be a by-product of business process
    improvement (BPI)
  • But, nobody really knows how to make the
    connection
  • So, it's really difficult to think about it in those
    terms (given the status quo)

17
Next Steps
  • Break the (in)security-return cycle
  • Don't look for return where there is none
  • Restore security as a process
  • Map it to the business needs of the firms
  • Evaluate from the perspective of total quality
    management (TQM)

18
How?
  • Vendor Track
    • Reject conventional security ROI
    • Demonstrate value add to the process
  • Management Track
    • Educate, educate, educate
    • Use security awareness (or lack thereof) as a
      proxy for corporate dysfunction

19
Questions?