In the first part of this discussion, “Walking the Talk,” we concluded that the lamentable state of a typical enterprise security strategy is the result of uncoordinated investment in the security ecosystem.
In fact, if you want to understand the reactive way most enterprises handle data security, the Whac-a-Mole game is a good way to visualize the process. When a company’s security ecosystem is breached, the company directs money toward fixing that breach and verifying that the fix works. If the breach is severe or embarrassing, the CIO or CISO is asked to “do the right thing.” The company repeats this process as often as needed.
In short, most enterprises don’t seem to have any semblance of a cohesive security strategy.
Smoke and Mirrors
When I started to understand how companies typically fund security, I kept hoping my conclusions were wrong. Unfortunately, the deeper I looked, the more obvious it became that there’s a paradox between the typical hysteria surrounding security breaches and what companies are actually willing to spend to prevent them.
Let’s take a look at Figure 1, which shows what most companies spend on data security.
Figure 1: Median Security Spending
The median allocation is a consistent 2 percent of the organization’s IT budget. Because the security budget is a fixed fraction of the IT budget, if IT budgets are dropping we can conclude that security budgets are likely dropping as well, in real dollars.
Some caveats to this conclusion are appropriate:
- First, it’s important to recognize that security budgets vary by industry vertical, and size of the company.
- Also, there may be elements of security spending that are buried in specific projects and not visible as this data is collected.
- Over time, the more mature an enterprise’s security strategy becomes, the more it spends on security.
To be completely fair, Gartner’s Research Note titled “IT Security Budgets and Staffing Projections for 2012: Constant Demand and Constant Spending,” published March 8, 2012, shows a higher level of median security spending in surveys of its customers. However, it also indicates that security is ranked as a very low priority for CIOs in 2012 (No. 10 out of 11 categories).
This all seems very puzzling. To my knowledge, no group or professional body suggests we’re winning the security wars, yet related enterprise budgets and priorities strongly suggest that security is, at best, overhyped or, at worst, not a real business priority.
To successfully confront cloud security, we need to understand and resolve the paradox between the need to mitigate security risk and the investment companies are prepared to make in it. To that end, let’s look at Figure 2.
Figure 2: Security Investment Paradox
First, understand that the concept behind the Security Investment Paradox is a work in progress. One component of the curve is the popular perception of diminishing returns: your first investment dollar buys more protection than your last. A CFO or line-of-business (LOB) owner can therefore rationalize that they are getting “good enough” security for what they can afford to spend. Arguably, this approach may have been acceptable when the enterprise was a self-contained security framework (i.e., in pre-cloud days), but it is not sustainable when you rely on others to provide part of your security coverage.
The second concept in the model is that the two points on the curve (Affordable and Actually Needed) are both defined by factors largely outside the decision-maker’s control. The gap between them represents the mismatch between what is spent on security and what is required to adequately address the threat.
Throwing money at the issue by buying more signatures or a more capable IDS matters less than understanding the impact of mitigation steps such as:
- Employee education
- Understanding your control bypass rate
- Developing a security strategy
Measuring the Value of Security Investments
To begin to understand how to best invest in cloud security frameworks, you must recognize three rules:
- Security solutions add no intrinsic value to your business unless you can demonstrate savings, cost avoidance, and improved user experience.
- Security return on investment doesn’t follow the classic bell-curve model that your CFO or LOB groups associate with hardware and software purchases. Expect push-back.
- Breach exposure—categorized as malware, hacking, social, misuse, error, physical, and environmental—occurs across your entire defensive perimeter (i.e., data center, communications, end-user devices). To invest wisely in your defense strategy, you must understand the who, what, which, and how of these breaches and the related control bypass rates: for each control, what fraction of the attempts it was meant to stop actually got through.
Next, you must define risk and your defense layers. As discussed in our last post, enterprise risk is a simple concept composed of two parts: acceptance and management. Unfortunately, you can’t affordably protect everything, and you certainly can’t protect everything well once it moves to the cloud.
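The bypass-rate measurement above is easy to describe and rarely computed. The following is an added example (not code from the original post or from Intel) of the bookkeeping it takes: incident records carry the breach category and defensive layer named above plus the control that should have stopped the attempt and whether it did; the script then groups the bypass rate by category, by layer, and by control, and ranks the controls that leak the most. The category and layer names come from the post; the control names, the `Incident` record, and every incident in `SAMPLE` are constructed for illustration and are not real data.

```python
"""Control bypass rate from incident records.

Added example with constructed data; categories and layers follow the post,
control names and the incidents themselves are hypothetical.
"""
from collections import defaultdict
from dataclasses import dataclass

# Breach categories and defensive layers as listed in the post.
CATEGORIES = ("malware", "hacking", "social", "misuse", "error", "physical", "environmental")
LAYERS = ("data_center", "communications", "end_user_device")


@dataclass(frozen=True)
class Incident:
    category: str   # one of CATEGORIES
    layer: str      # defensive layer the attempt reached, one of LAYERS
    control: str    # control that should have stopped it (hypothetical name)
    blocked: bool   # True if the control stopped it, False if it got through


# Constructed sample records, not real incident data.
SAMPLE = [
    Incident("malware", "end_user_device", "av_signature", True),
    Incident("malware", "end_user_device", "av_signature", False),
    Incident("malware", "end_user_device", "av_signature", False),
    Incident("hacking", "communications", "ids", True),
    Incident("hacking", "communications", "ids", True),
    Incident("hacking", "data_center", "waf", False),
    Incident("social", "end_user_device", "awareness_training", False),
    Incident("social", "end_user_device", "awareness_training", False),
    Incident("social", "end_user_device", "awareness_training", True),
    Incident("misuse", "data_center", "access_review", False),
    Incident("error", "data_center", "change_control", True),
    Incident("physical", "data_center", "badge_access", True),
]


def validate(incidents):
    """Reject records outside the post's taxonomy so a typo cannot hide in the stats."""
    for inc in incidents:
        if inc.category not in CATEGORIES:
            raise ValueError(f"unknown category {inc.category!r}")
        if inc.layer not in LAYERS:
            raise ValueError(f"unknown layer {inc.layer!r}")
    return True


def bypass_rates(incidents, key):
    """Bypass rate grouped by key(incident).

    Returns {group: (bypassed, total, rate)}, where rate = bypassed / total,
    i.e. the fraction of attempts that got past the control for that group.
    """
    counts = defaultdict(lambda: [0, 0])  # group -> [bypassed, total]
    for inc in incidents:
        k = key(inc)
        counts[k][1] += 1
        if not inc.blocked:
            counts[k][0] += 1
    return {k: (b, t, b / t) for k, (b, t) in counts.items()}


def overall_bypass_rate(incidents):
    """Single-number view: what fraction of all recorded attempts got through."""
    total = len(incidents)
    bypassed = sum(1 for inc in incidents if not inc.blocked)
    return bypassed / total if total else 0.0


def weakest_controls(incidents, n=3):
    """Controls ranked by bypass rate (ties broken by volume): where the next dollar goes.

    A control with a high rate on a handful of attempts is still ranked above a
    control that leaks rarely; volume only orders controls with the same rate.
    """
    rates = bypass_rates(incidents, key=lambda i: i.control)
    ranked = sorted(rates.items(), key=lambda kv: (-kv[1][2], -kv[1][1]))
    return ranked[:n]


if __name__ == "__main__":
    validate(SAMPLE)
    print(f"overall bypass rate: {overall_bypass_rate(SAMPLE):.2f}")
    for label, key in (("category", lambda i: i.category), ("layer", lambda i: i.layer)):
        print(f"\nby {label}:")
        for group, (b, t, r) in sorted(bypass_rates(SAMPLE, key).items()):
            print(f"  {group:<18} {b}/{t}  {r:.2f}")
    print("\nweakest controls:")
    for control, (b, t, r) in weakest_controls(SAMPLE):
        print(f"  {control:<20} {b}/{t}  {r:.2f}")
```

The point of the ranking is the argument the post makes: on this constructed data the IDS is blocking everything it sees while the end-user layer leaks two thirds of what reaches it, so another IDS signature pack would be the wrong purchase even though it is the easiest one to justify.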
Almost 50 years ago, McGeorge Bundy, an advisor to President Kennedy, observed a tendency to protect all information as if it were top secret.
“The moment we start guarding our toothbrushes and our diamond rings with equal zeal,” he said, “we usually lose fewer toothbrushes and more diamond rings.” It seems this observation still has value.
In my next blog, I begin to explore the business issues surrounding security and introduce a means for you to approach security using an investment framework in use at Intel.
Please join me as I explore the topic of cloud security across upcoming blogs. For now, and reserving the right to add or modify these topics as we move forward, here are the areas I’ll address in the coming months:
- Current State Security
- Security as a Factor of Cost
- Business Issues Surrounding Security
- Evaluating New-World Security Model Investments
- Security, Data Architecture and Big Data
- Defense in Depth
I’m interested in feedback regarding how your organization funds security. To join the conversation, please contact me through Twitter.
Joel Brenner, America the Vulnerable: Inside the New Threat Matrix of Digital Espionage, Crime, and Warfare (The Penguin Press, 2011), p. 211.