Home > Intel Communities > Open Port IT Community > IT@Intel > Blog > Tags > roi
Up to Blog Posts in IT@Intel
1 2 3 Previous Next

IT@Intel Blog

42 Posts tagged with the roi tag
Matthew Rosenquist
0

Threat agents maintain the initiative and we respond to restore balance. The bad guys innovate, find exposures, and use technology which they can leverage to achieve their objectives.  They take the first step, set the tempo, and lead this wicked dance.  The security industry normally operates in a responsive manner, closing the door behind successful attacks to prevent further loss and scrambling to prepare for the next issue.  But every once in a while, the security community comes up with a predictive and proactive idea which has sweeping effects against attackers and their future likely methods, and we show true leadership in innovation.

 

These golden nuggets can change the initiative and give an advantage to the defenders. Sadly, it is rare.  In most instances it is difficult to justify expenditures for capabilities which may or may not interdict future potential attacks.  Our industry cannot confidently measure and substantiate such innovation to determine which will leapfrog us ahead of the bad guys and those which fail miserably.  Without clear value, those holding the purse strings are not very motivated to blindly invest.  It reverts back to the age old security problem of measuring attacks which are avoided.

 

How will we ever change our industry to support security taking back the initiative?  First we must devise a good way of measuring innovation.  We have much better metrics for how good the bad guys succeed, and are blind on how to measure the value of security ideas.  This must change in order to facilitate the financial support necessary for investment.  The value is there, we must adjust our focus to see the opportunity.  Otherwise, the enemy will maintain the advantage as we continue to follow behind the attackers, cleaning up messes, and forever responding to their ingenuity.

0 Comments Permalink Tags: threat, security, roi, value, rosi, information_security, intel_it, strategy, optimal, matthew_rosenquist, matthew, rosenquist, it, optimal_security, model, risk, it@intel
Matt Beckert
1

I was recently involved in a project where Intel IT SMEs from disciplines including Server, Storage, Data Center, Network, and Finance reviewed and updated our Data Center Strategy (Intel IT Data Center Solutions: Strategies to Improve Efficiency) for Intel IT.  The primary focus of the paper was to provide an update on value realized, shifts in strategy, and key execution lessons learned.

 

Our execution highlighted the need for finance to participate as an active partner in the influence planning and internal communications.  At some point, especially in economically challenging environments, cross organization investment decisions boil down to a tradeoff between limited resources and a number of good projects. Being able to clearly articulate the value added by a "portfolio of projects" (like the Data Center Strategy) and how you will track progress doesn’t mean that the project(s) will be funded – but it does increase the likelihood that you will be in the game at the end.  For us, having this coordinated communication strategy for technology solutions,cost efficiency, and operational efficiency was a key consideration for successful execution. 

 

We currently estimate that the cumulative projected financial impact over eight years will be ~$500-650M NPV - this range has changed in upper and lower limits based on updates to forecasts.  Over the first three years, Intel IT has realized ~31% of the projected benefits through execution to the Data Center strategy.  The primary value driver has been the impact of our server strategies (multi-core refresh and virtualization) that enable demand growth within the existing data center footprint and affordability targets.  Moving into 2010, we are evaluating new forecasting and value metrics to enhance customer reporting of data center activities.  This approach will incorporate our activity driver methodology into comprehensive unit costing and forecasting framework, creating a holistic cost forecasting process to improve future decision making.

 

One area currently under review is establishing the right unit of measure for a data center infrastructure housing different compute environments.  Is this something you or your business partners are exploring or looking to explore?

1 Comments Permalink Tags: data_center, intel_it, it@intel, virtualization, servers, roi, strategy, nehalem, xeon_5500, value
Matthew Rosenquist
2

Russell C Thomas delivers a great post on How to Value Digital Assets.  It covers many basics and more importantly gives a good direction to take while spotlighting common pitfalls in the valuation journey.


“This tutorial article presents one method aimed at helping line-of-business managers (”business owners” of digital assets) make economically rational decisions.  It’s somewhat simplistic, but it does take some time and effort.    Yet it should be feasable for most organizations if you really care about getting good answers.  Warning: No simple spreadsheet formulas will do the job.  Resist the temptation to put together magic valuation formulas based on traffic, unique visits, etc.”

 

Definitely a good read for anyone wondering where to start the valuation process.  I especially like the Three Principles section.  He makes a logical separation between assets which provide direct revenue (Class 1) and those which are in a support function (Class 2).

 

As follow-on, I believe some other aspects may be covered under the Class 2 section including liability avoidance, direct efficiency gain, life safety, and regulatory compliance.  In certain cases we must apply a different method to determine the value, outside what has been explained.  As management may be willing to replace or upgrade, but typically such investments must have a positive ROI, therefore they provide much more value than the replacement/repair costs.

 

Years ago I had a stimulating conversation with the late (and some would say infamous) Dr. Bill Hancock.  Bill had trudged through the information security swamps for decades and had a unique insight to valuations of vulnerable systems, particularly single-points-of-critical-failure.  He recanted his experience evaluating an airline’s security and discovery of a minor system which was largely ignored, a weights and balances server.  Apparently when planes take off, the distribution of weight must be calculated to insure they don’t become giant ‘lawn darts’ (Bill’s colorful description) at the end of the airfield.  A data integrity compromise of this system could cause catastrophic consequences, leading to the end of the business.  Who would fly on an airline which had several take-off crashes in a single day?  It would be the critical factor to likely cause the airline to no longer exist as a viable business.  Although this was a support system, the integral value was far beyond the cost of the equipment, software, and support.

 

Secondly, the blog is written with the assumption the assets are already in place.  Thus, in a perfect world, a proper ROI/justification has already been made to assist the decision to acquire and land these assets.  But what if a decision to purchase or not, is the objective?  The Class 2 method then becomes circular.  The value is the expenditure management is willing to invest?  How do they know?

 

Overall it is a great blog.  I think it would be helpful if the author could give an example for a medium sized enterprise, with particular focus on Class 2 areas (specifically security or safety assets).  Hopefully he is willing to post such details.

2 Comments Permalink Tags: security, roi, rosi, information_security, optimal_security, model, matthew, rosenquist, asset, value, risk, matthew_rosenquist, intel, it, it@intel
Matthew Rosenquist
0
With a painful taste of irony, it was recently reported that the Ministry of Defense's (MoD) manual explaining how to prevent leaks, was itself leaked. 

Source: The telegraph.co.uk

 

"The Defense Manual of Security is intended to help MoD, armed forces and intelligence personnel maintain information security in the face of hackers, journalists, foreign spies and others.  But the 2,400-page restricted document has found its way on to Wikileaks, a website that publishes anonymous leaks of sensitive information from organizations including governments, corporations and religions."

 

Is this a fluke or is the world suffering from abhorrent information security practices, culture, and capabilities? 

 

YES, the world is terrible at securing data!  Yes, you and I are part of the problem!  Yes it can be fixed, but it is unlikely unless dramatic steps are taken!

To hear my full rant and opinions, check out my blog/video "It is Time for a Data Security Revolution!"

Is data security really that bad?  What do you think?  Don't be shy.  YOUR data is at risk too.

 

 

 

It is Time for a Data Security Revolution!

0 Comments Permalink Tags: value, information_security, risk, it@intel, information, roi, rosi, intel, security, model, matthew, rosenquist, it, data, optimal_security, matthew_rosenquist
Jimmy Wai
0

Watch Diane Bryant, Intel CIO, talks about the cash machines in data centers in this press breifing. Haven't heard about the amazing cash machines for your data centers yet?! Better check it out now: Installing Cash Machines in your Data Center

0 Comments Permalink Tags: it@intel, xeon, performance, power, energy_efficiency, intel, virtualization, value, cost_savings, intel_it, it, cio, server, data_center, xeon_5500, roi, case_study, jimmy_wai
Jimmy Wai
0

At a recent event our CIO, Diane Bryant, talked about our continued plan to replace old servers in our Data Centers (http://www.tgdaily.com/content/view/44213/135/). Here is a summary of her key points:

  • Not replaceing servers could have costed Intel $19 million due to high maintenance and cooling cost
  • Our plan of refreshing old servers with Nehalem servers will save Intel $250 million over 8 years

 

If you are an IT manager looking at where you can find extra dollar in your IT budget to invest in new technology, new innovation and new competitive capability for your organization, this must be good news for you! Moreover, if you do nothing, you are opening a hole in your IT budget.

 

Here is a recent white paper and a video we published to discuss our server refresh strategy and how we are getting the cost benefit Diane Bryant shared:

Realizing Data Center Savings with an Accelerated Server Refresh Strategy

 

We have also developed a Server Refresh ROI estimator so you can calculater the amount of savings you can get from these cash machines:

http://www.intel.com/go/xeonestimator

 

If you ain't satisfied, here is a video showing you how to use the estimator!

 

Go and install those cash machines into your data centers now! 8-)

0 Comments Permalink Tags: intel_it, it, it@intel, jimmy_wai, roi, server, server_refresh, nehalem, data_center, data_center_cooling, data_center_power, virtualization, energy_efficiency, intel, case_study, value, cost_savings
Chris P_Intel
0

    Last week I had the opportunity to attend the CIO Forum held in conjunction with the Insight 2009 Annual Conference in Orlando, FL.  While being held adjacent to Disney’s theme park, the theme of this event was appropriately titled “Vision Voice Value”.


    I spent two days discussing best practices, sharing lessons learned from Intel IT and comparing notes and strategies with leading CIOs, IT Directors, Managers and Administrators in the Health Care profession.  Our focus? ways to deliver and articulate the business value of IT. I had the opportunity to:


    • participate in a roundtable discussion of ~15 Health Care CIOs titled “The value of IT in improving financial performance
    • present to 50-60 CIOs on the business value of server refresh
    • present to 20-30 IT Directors and Administrators on using the Xeon ROI tool as a way to justify server investment


    One of the most thought provoking questions at the CIO roundtable that has stuck with me is … “How does your CEO (or your business customers) view IT?”  … as a cost center (necessary evil) or as a value center (strategic enabler).  While no one directly answered this rhetorical question, it was clear that our collective mission is to migrate IT from cost center to value center.  This migration will not be immediate.  It happens over time.


    To enable this transformation from cost center to value center, we concluded that the accountability remains with IT, as IT professionals and CIOs must individually and collectively demonstrate business value through our investments and establish are relationship of IT predictability, trust and credibility with our business partners.   These are core themes I have seen very visibly inside Intel IT as I began my journey to the center of IT a few short months ago.


    My second observation from this event reinforces some personal experiences I have had working with many other IT professionals in the past several months.  With the global recession and it’s impacts to capital funding, the need to justify IT investment is greater than ever – and the competition internally for capital $ is very high.  We may never go back to the way it was.  We have seen this inside Intel IT’ organization as well and as a result, created at server refresh savings estimator tool to share what we learned in justifying our investment a proactive server refresh strategy in 2007 and staying committed to that investment in 2009.


    I demonstrated the server refresh savings estimator tool at the event to both the CIOs and IT Directors / Administrators and the feedback was very positive (“session was well worth my time”).   Prior to the event, I also had the opportunity to work with Deborah Gash (CIO for Saint Luke’s Health Services) and her staff.  Debe provided a glowing endorsement of the tool (Thanks Debe !!) after demonstrating the business value from a project already completed and the in intent to use it for several future projects. I invite you to learn more about why we created this tool and how to use it.  If you have a question or want to give us feedback on how to enhance it – just let me know with a comment on this blog.


    My final thought comes from a blog written by Don Sears at eweek.  Don discusses about the need for IT to be right, accurate, credible and trustworthy is so important whether you are working inside IT or with IT.  Credibility and Trust is something that is hard to gain and easy to lose … so it is easy to understand why being right is key to working with IT.  Getting it wrong can have huge consequences.


    Join us at IT@Intel and share your insights on our shared journey to transform IT from a cost center to a value center for business.  I look forward to hearing from you.


    Thanks, Chris

    If you like this, follow me on twitter

0 Comments Permalink Tags: it@intel, value, efficiency, cost, credibity, cost_savings, intel_it, it, business, cio, server, refresh, justify, investment, transform, eweek, chris_peters, roi
Chris P_Intel
0

I hate fixing the roof.  In fact, I have been postponing a roof repair over my garage for about 2 years now.  I recently read an article by Peter Kretzmen titled “IT, The CIO, and the Business Need for Roof Projects” and realized that while I can put off my roof repair, IT may not be able to postpone routine upgrades. 

 

For businesses, technology refresh is a standard business process (ie a roof fix).  The question for IT often boils down to WHEN I should upgrade, not IF. Why? … because hardware technology ages, maintenance costs rise, and software solutions can become unresponsive or obsolete as business needs change, user needs evolve and new technology and software become available. In this economy, cost is king and reducing IT costs has clearly become a critical imperative.

 

My colleagues in Intel IT recently conducted two separate and independent studies on how frequent we should refresh our PC fleet and data center servers.

 

PC Fleet Management:  John Mahvi and Avi Zarfaty from Intel IT recently wrote a paper titled “Using TCO to Determine PC Upgrade Cycles”.  The conclusion of this analysis showed that a 3.5 year refresh rate was optimal for total cost management in our IT environment.  Despite the fact that delaying PC refresh this year was initially seen as a cash conservation approach, the analysis showed that not refreshing older PCs increased the business’s overall costs.  As a beneficiary of PC refresh (I got a new laptop a month ago ), I can also personally attest that my productivity has gone up.

 

Data Center Efficiency:  Matt Beckert and Diane Boyington of Intel IT recently published a paper titled “Realizing Data Center Savings with an Accelerated Server Refresh Strategy”.  This paper discusses Intel IT’s movement to a proactive 4-year server refresh cadence in 2007 and illustrates both the long term savings (up to $250M over eight years) and immediate benefit to the corporate bottom line ($45M saved in 2008). After plans to refresh our servers was slowed earlier this year to preserve capital funds, a re-assessment was done that showed that Intel IT could save $19M by refreshing now vrs waiting until 2010.

 

Just like you shouldn’t sleep in a house with a leaking roof … it is prudent to not let old hardware create a hole in your IT budget. In today’s economic environment, Intel IT can’t afford a leaky roof and so we are moving forward with proactive business client PC and Server refresh, proven approaches to reduce TCO and boost business value.

 

Chris Peters, Intel IT

twitter @chris_p_intel

0 Comments Permalink Tags: chris_peters, client, cost_savings, intel_it, it, it@intel, value, strategy, datacenter, data_center, roi, tco, roof, business_value, pc_fleet, economy, it_strategy, server_refresh, pc_refresh, refresh
Laurie Buczek
3

For the last 18 months, Intel has invested a significant effort to develop a full strategy & implementation roadmap for social computing within the enterprise.  I am pleased to announce the release of a white paper Developing an Enterprise Social Computing Strategy that I did jointly with Malcolm Harkins, Chief of Information Security. The paper details our approach towards embracing the use of collaborative technologies while addressing the mitigation of legal, HR and governance issues.  Here are some key areas you will find detailed in the paper:

 

  • The business focus for social computing (also refer to: Why Intel is investing in Social Computing
  • Collaborative approach IT, HR and Information Security
  • Intel's integrated architecture
  • Intel's approach to determine early use cases, business value and vendor/solution evaluations
  • Results of a security risk assessment
  • Phased implementation plan
  • Initial results after 3-1/2 months into deployment & adoption

 

There are a lot of key takeaways within this paper.  The biggest one that I hope you will walk away with is:  Enterprise 2.0 is a challenging effort.  Yes, there are risks.  But Intel hasn't discovered any new risks introduced with 2.0 technologies that doesn't already exist with 1.0.  We believe the opportunities outweigh the risks. In fact, we are convinced that inaction carries much greater risks: that the enterprise will not realize the benefits that social computing can deliver, and that employees will increasingly turn to external, unsecured tools for communication.  IT has a leadership opportunity to get ahead of and deliver emerging platforms, at a fraction of the cost of "standard" collaborative infrastructure, to enable their business to stay one step ahead of the competition. 

 

I hope you enjoy the paper.  I welcome your perspectives and learning about that strategy that is yielding success for you.

3 Comments Permalink Tags: social_media, strategy, risk, intel_it, social_computing, social_networking, security, roi, laurie_buczek
Matthew Rosenquist
1

Telescope.jpgRisk metrics are the heart and soul of information security indicators.  An increasing proliferation of tools and assessments has emerged, attempting to quantify states of information security.  Given the nature of what is trying to be measured, this is arguably one of the toughest challenges in the metrics space.  The recent trend is for different bodies to develop and publish their own standards, which creates confusion regarding accuracy and applicability.  Why all the turmoil, competing models, and misalignment?  The sad story is (queue the somber violins) we just have not figured out how to measure information security risks very well.

 

I have seen and applied many different methods, audits, and evaluations with varying degrees of success and disappointment.  I have come to the following three basic conclusions:

  1. Current tools and methods lack maturity in this area, for both accuracy and comprehensiveness (and yes, I am guilty of contributing to the pool)
  2. No silver bullet exists.  A unified method, which provides a predictive overarching and detailed risk analysis, is unlikely.  Different approaches have their applicability.  Choose wisely 
  3. There is no replacement for a security professional’s brain.  From the selection of the analysis method, the gathering of relevant data, to the interpretation of the results, requires a seasoned security professional.  There is no substitute which can handle the ambiguity, chaos, and relational dependencies affecting the outcome


An example will help express some of the challenges.  The OCTAVE methodology, created by Carnegie Mellon University some years ago has been battle tested veteran in this role.  It is a qualitative to quantitative device which leverages the expertise of key people to give a numerical value of risk in their respective area.  Because personal bias and fears, the need to allow flexible ways of answering questions, and the varying degrees of base knowledge between the experts, results can vary greatly without even factoring in the changes occurring in the threat landscape.

 

Let me be clear, I am a fan and a longtime supporter.  However, it has its limitations.  I have developed several assessments based upon the model in a large environment.  As long as the limitations are accepted, it is applied where it leverages its strengths, and the process is rolled out properly, the results can be very valuable.

 

But don’t confuse value with precision.  I have observed the accuracy to be +/- 40% in complex organizations.  I believe this is largely due to multiple tiers of qualitative-to-quantitative analysis and the bias introduced at each level.  Credible sources have expressed a better +/- 20% accuracy for smaller implementations.  Although these numbers sound terrible, it is very good compared to other methods.  I have great respect for the chaps at Carnegie Mellon University who created the methodology.  Groups within our company have used a modified form of this approach, with advanced structures tailored to our computing ecosystem, for years with great success.  The low accuracy rate is not a poor reflection on the CMU model, rather it is a stark insight on how immature we are in this field.

 

So this is a sad story, but one which is not over.  A cadre of very bright people is working to tackle this problem.  In the short term, I expect to see many more methods, theories, templates, and standards emerge for specific situations.  In the end, I doubt if ever we will have a unified way to measure security risks, but I hold high hopes the best will be culled to a small number which can be applied to most situations and deliver reasonable metrics.

1 Comments Permalink Tags: openportpromo, rosi, roi, value, information_security, threat, measure, security, optimal_security, model, risk, matthew_rosenquist, matthew, rosenquist, metric
Matthew Rosenquist
0

Measuring the Return on Investment (ROI) of information security is challenging but not impossible.  It is important to understand the necessary components and how they interrelate.  In this brief video, I discuss one way of expressing value in relation to the positive impacts of security spending.

 

.

Video Length: 3:26 minutes

 

This video provides a high level explanation.  For more information regarding the challenges of information security ROI, please take a look at the following links:

The Problem of Measuring Information Security

How Security Programs Reduce Loss

Whitepaper - Measuring the Return on IT Security Investments

Are Security ROI Figures Meaningless?

BlogTalk Radio Discussion - The Problem of Measuring Security

BlogTalk Radio Discussion - Return on Security Investment – Intel Case Study

The Four Dirty Questions of Measuring Information Security

0 Comments Permalink Tags: optimal_security, roi, matthew_rosenquist, rosenquist, openportpromo, risk, security, value, rosi, information_security, model
Matt Beckert
0

Let me begin by way of introduction - I am a strategic financial analyst with Intel IT Finance organization focused on data center strategy and efficiency efforts.  This is my maiden voyage into the world of blogging, so I hope the topic is relevant and interesting to the audience.

Similar to many organizations, Intel IT is focused on constantly improving the cost of keeping the business running while not sacrificing the level of support required by customers.  With industry and technology solutions evolving at an increasing pace, choosing the most appropriate place and time to invest is paramount to driving down infrastructure costs.  Budget constraints in this economic climate and the make implementing efficiency efforts all the more daunting.

In 2008, Intel IT initiated a Design Server Refresh strategy where the basic premise was to leverage server performance improvements to respond to increasing compute requirements without growing data center capacity at a corresponding rate.  In 2008, we were able to remove 20,000 single core servers from our production environment, allowing us to realize approximately $45M savings through avoiding data center additions and server operating costs.  However, even with this strategy driving significant near term results, the 2009 operating environment forced us to pause and re-evaluate the merits of continuing execution to the strategy.

This re-evaluation concluded that this was an investment that couldn't be deferred due to the need for incremental growth and the high utilization of our existing data centers.  In addition, based on a average 10:1 consolidation, the refresh of single core servers would generate significant operating savings and clear more headroom than seen historically.  The details of this analysis are included in the White Paper:  Staying Committed to Server Refresh Reduces Cost

Questions for the readers: Do others have a refresh strategy or guideline? Are others seeing this type of impact/results and the challenges in implementation?

0 Comments Permalink Tags: it@intel, roi, cost_savings, model, strategy, value, intel_it, data_center
Matthew Rosenquist
1

I was recently trading thoughts with Anton Chuvakin, a respected security metrics professional, in a philosophical discussion of perfection and quality of security.  Admittedly, I was on auto-pilot (operating without the benefit of coffee) rattling away with my ‘Optimal Security’ rhetoric, when Anton posed two thought provoking questions: CAN one "mandate optimal security"?  How do you "mandate flexible"?

 

I was stopped in my tracks.  This got me thinking.  After fetching a tall cup of coffee to start my brain juices flowing in earnest, I reached back into the pages of history to come up with the following perspective and examples:

 

I believe, to a certain extent, we can mandate flexibility and optimization.  Surely we can act in ways which deny both.  So why can’t we act in a manner which intrinsically promotes them?

 

I think back to lessons of WWII and the Maginot line.  The French chose to create a fortification which was static by design and lacked mobility or a capability to adapt to changing enemy tactics.  They invested heavily into this control, which became the backbone of their country's eastern defense.  It was an appalling failure.  Alternatively, the German blitzkrieg, and the stratagems of both Rommel and Patton prevailed.  Flexibility through mobility was far more effective than an elaborate static defense.

 

I would argue that flexibility can be mandated through proper planning and design.  We have examples in the history of information security.  In the early years of Anti-Virus (AV) products, they were non-memory resident applications which were prescribed to be run once a week.  Updates were a rarity if at all.  That rigid design quickly lost effectiveness, with the rise in velocity of new malware.  AV vendors were forced to adapt.  The overall design has changed to one which is flexible, can be updated to meet emerging malware, and continuously runs in the background to provide persistent security.

 

Rigid security postures lack the ability to remain effective over time and are likely derived by an equally rigid infrastructure which will struggle to adapt to new threats and changes within the organization.  Create security to be flexible and you enable the service to keep up with the continual changes.

 

In general, design a system to be flexible and its longevity for effectiveness is extended.  Plan how systems can continuously adjust itself to align to what is 'optimal' and you increase the sustaining efficiency.

 

We must be strategic in our planning and design of security, lest we suffer the fate of France's Maginot line.

 


Check out Anton’s Blog for other thought provoking viewpoints; just be sure to have your coffee at the ready.

More on “Optimal security”:

Strategy for Sustaining Optimal Security

Information Security Defense In Depth Whitepaper is Now Available

Fortune Cookie Security Advice - June 2008

Defense In Depth Strategy Optimizes Security

The Four Dirty Questions of Measuring Information Security


What are your thoughts?  Rigid or Fluid?  Have you implemented optimal and flexible?

1 Comments Permalink Tags: model, risk, matthew_rosenquist, openportpromo, strategy, optimal, roi, rosi, information_security, matthew, security, value, optimal_security, rosenquist
Matthew Rosenquist
0

Optimal security must not only be attained, but also sustained over time.  A good security strategy must be forward thinking to understand how intervention and continual maintenance will be needed, then implement those capabilities as part of a complete service deployment.

 

Balance.gif

'Optimal Security' is the right balance of security spending and losses prevented where business acceptable losses are achieved.  It changes often and likely maintains different targets for the dissimilar parts of the entity.

 

Organizations are likely to mandate security expectations which typically manifests in a set of configurations, specifications, and operating standards.  The risk is these security controls may be relatively static and entrenched.

 

Establishing a baseline security is a good practice, but in order to remain effective it must adapt to changes in the environment by remaining dynamic to keep in lock-step with rapidly changing threats, vulnerabilities, and resulting exposures.  It must be a fluid posture, able to rapidly change based upon different internal priorities and external changes.  Sustaining business structure must be designed to continually predict areas needing modification and support design and deployment of those changes.  Rigid security postures lack the ability to remain effective over time and are likely derived by an equally rigid infrastructure which will struggle to adapt to new threats and changes within the organization.  Design security to be flexible and you enable the service to keep up with the continual changes in the information branch of security.

 

I recently spoke with an organization who had established a security posture which relied heavily on a hardened OS and application build for their systems.  At the time, they deployed a platform which took into consideration all the best configurations for hardening.  They were so confident they had satisfied security requirements they considered the problem solved.  They integrated the security design into their normal platform refresh cycle of system replacement every few years.  They never comprehended the fact they would need to continually update the build to compensate for changes in threats, new vulnerabilities and malware, and evolving business usage models.

 

The platform’s security, which initially was strong, began to quickly erode.  With no internal mechanism to identify when changes needed to be made, nor the testing and distribution capability, they soon found themselves in a situation where they were responding to individual incidents and changing systems one at a time based upon particular end-user needs.  This created inconsistencies in the builds which was more difficult to support.  Without proper forethought, the security team turned themselves into a firefighting organization, losing the initiative in the war of security.

 

This is one simple technical example.  The same holds true for the expanse of automated solutions and behavioral security controls as well.  Highly effective and efficient security strategies are forward thinking and understand how intervention and continual maintenance will be needed, then implement those capabilities as part of a complete service deployment.  Overall, the concept of ‘optimal security’ is one of fluid adaptations of controls to meet an ever changing target for risk acceptance.

0 Comments Permalink Tags: openportpromo, it, it@intel, strategy, model, rosi, matthew_rosenquist, information_security, corporate_security, intel_it, optimal_security, roi, security, value, risk, rosenquist
Matthew Rosenquist
4

Is the value of patch management decreasing?  Some experts say, due to a rise in privately held vulnerabilities, the value of patch management is eroding.  Others feel patching is losing the race and becoming too little and too late with the rapid development of attackers.  I too have chimed in on the topic and stated patching all vulnerabilities is not economical, as most are never widely exploited.  But does this mean we should be looking at alternate paths, away from patch management?  I stand firm in support of the end-node update concept, but take a slightly different view of the scope and value.

 

I see ‘patch management’ as the strategic capability of managing end nodes.  I consider the delivery of ‘patches’ as a broad term which includes OS, application, and hardware BIOS upgrades which can benefit the security posture of the device.  This includes and is akin to the widely accepted delivery of security product updates for anti-virus, anti-spyware, firewalls, etc.  Some of which are updated daily.

 

Attacks are constantly changing.  They normally take advantage of poor coding practices, use design functionality in unintended ways, or exploit avenues to misguided end-user judgment.  The ability to update systems is crucial to maintain security equilibrium.  It is a support function for systems to adapt to new threats.  This capability has a multitude of benefits, both strategic and tactical.  Being able to reach out to systems allows for a better understanding of the number, type, and usage of systems in the environment.  An effective system can paint a picture of systems at risk.  It is a sweeping means to close identified vulnerabilities in deployed code, which can reduce the exposure surface.  It can be used to respond to compromises and drive clean-up activities.  Such services can raise the general security level of a community and may drive to a more homogenous security stance, which strongly lends towards efficiency.

 

Mapping ‘patch management’ against a defense-in-depth model shows it allows for Prevention of exposure to known vulnerabilities where patches exist.  It can provide Detection capabilities to improve alerting of attempted as well as successful attacks.  Once systems are compromised, this Response function aids in the restoration of services back to a norm state.  The combination of indicators generated in these areas may assist in efficiency improvements and be used to comprehend future trends, therefore providing a potential Prediction opportunity

 

Overall, actively managing end-node security via ‘patch management’ is very important.  I doubt any serious security professional is advocating turning off all patch or remote system security updates.  The value may vary over time and across different systems, but we have a lot of control in how this capability evolves and the value it returns.  We are empowered to maximize the return on investment.

 

The question still remains, from a measures and metrics perspective, how best can we show and quantify the benefits, efficiency, and value.  The industry as a whole has yet been able to adequately or consistently tackle this challenge.  That discussion is fodder for another blog.

4 Comments Permalink Tags: patching, roi, matthew_rosenquist, it@intel, patch, strategy, value, rosi, information_security, risk, optimal_security, security, model, rosenquist, it, intel_it
1 2 3 Previous Next

Popular Blog Posts