The Economic Return of Security - PowerPoint PPT Presentation

1 / 19
About This Presentation
Title:

The Economic Return of Security

Description:

The Economic Return of Security Bob Lonadier, CISSP RCL & Associates Agenda The sad state of security spending The underlying problem Why the current economic models ... – PowerPoint PPT presentation

Number of Views:76
Avg rating:3.0/5.0
Slides: 20
Provided by: Robert2431
Category:

less

Transcript and Presenter's Notes

Title: The Economic Return of Security


1
The Economic Return of Security
  • Bob Lonadier, CISSPRCL Associates

2
Agenda
  • The sad state of security spending
  • The underlying problem
  • Why the current economic models are inadequate
  • What to do about it
  • QA

3
The Sad State of Security Spending
  • Companies spend a lot on security, but they
    arent more secure.
  • Spending increases (both absolute and relative to
    IT spending) dont result in more security
  • Most incremental spending goes toward dealing
    with the complexity created by the previous
    security investment
  • Insecurity abounds

4
The Security Return Problem
Cost
1/ Security
5
The Underlying Problem
  • Why justifying security is difficult
  • The management view
  • The view from the trenches

6
Attempts at Justifying Security Investment
  • The ROI model
  • The risk management model
  • Other models

7
ROI Necessary but Insufficient?
  • According to Hurwitz Groups e-Mentor PRO Study
    2000
  • 77 of enterprises use ROI to evaluate e-Business
    solution purchases
  • The largest companies use ROI the most 94 of
    companies with annual revenues of 10 billion or
    more
  • According to a 1999 survey by Cambridge
    Information Network of over 1,400 CIOs and senior
    IT executives ROI analysis is typically a
    political prerequisite to get an IT investment
    approved.
  • However, this same study found that while 91 of
    respondents consider cost savings as key results
    from ROI, 65 consider revenue creation an
    important factor.

8
The Shortcomings of ROI
  • The self-serving aspects
  • The measurement problem
  • The challenge in reducing cost without increasing
    risk

9
The Risk Management Model
  • Average loss expectancy (ALE) impact of event
    ? frequency of occurrence
  • Invest in security where incremental cost ?
    incremental reduction in ALE
  • Outsource (insure) where incremental cost ?
    incremental reduction in ALE

10
The Four Risk Actions
  • Accept it
  • Ignore it (accept it)
  • Assign it to someone else (insure against or
    outsource it)
  • Mitigate it (reduce it)

11
The Challenges of the Risk Management Model
  • Qualifying risk
  • Information security risk vs. Business risk
  • Quantifying risk
  • Measuring risk well (and over time)
  • Reducing risk
  • Risk management in an era of uncertainty
  • Diversifying risk
  • The insurance model why it falls short

12
An Uptime Approach to Security
Availability
1/ Security
13
Why The Current Approaches are Inadequate
  • They cannot answer how much security spending do
    I need?
  • They cannot effectively manage or diversify risk
    efficiently
  • Security outsourcing vs. hacker insurance
  • They cannot answer When am I secure (enough)?

14
The Security Treadmill
15
A New Approach Towards the Economic Return on
Security
  • Security as a process, not an outcome
  • Business processes vs. IT processes
  • Re-developing security awareness
  • Security as a teaching tool
  • Security and the learning organization
  • Security awareness as a barometer for corporate
    health

16
Is Security Free?
  • Security can be a by-product of business process
    improvement (BPI)
  • But, nobody really knows how to make the
    connection
  • So, its really difficult to think about it those
    terms (given the status quo)

17
Next Steps
  • Break the (in)security-return cycle
  • Dont look for return where there is none
  • Restore security as a process
  • Map it to the business needs of the firms
  • Evaluate from the perspective of total quality
    management (TQM)

18
How?
  • Vendor Track
  • Reject conventional security ROI
  • Demonstrate value add to the process
  • Management Track
  • Educate, educate, educate
  • Use security awareness (or lack thereof) as a
    proxy for corporate dysfunction

19
Questions?
Write a Comment
User Comments (0)
About PowerShow.com