In my last post on funding cloud security, “Whac-a-Mole Funding and Going on the Offensive,” I discussed the seeming paradox between what an enterprise is willing to invest in security and what it needs to spend to adequately address its security threats. Based on what we’re seeing worldwide, security spending is reactive (motivated by fear?)—and therefore not very effective from an enterprise viewpoint.
If you carry this reactive approach with you as you move to the cloud, it’s simply not sustainable. The reason is simple economics. My last post showed that median security spending over the last three years has been virtually flat. We also quoted a March 2012 research note from Gartner that says security spending is a very low priority for CIOs in 2012.
So, given these considerations, how do you pay the cost of having others provide effective security for your cloud-based business—and still adequately fund your internal security needs? You simply can’t afford to protect everything well using a fear-based approach to security funding.
The Art of War and Changing Tactics
As I suggested in an earlier post, “Walking the Talk” on cloud adoption, it’s my opinion that enterprises are fighting—and losing—the security war. The enemy is large in numbers, organized, well-funded, smart, and adept at changing tactics as quickly as countermeasures are deployed.
If all this is true, maybe we need to rethink how we’re fighting the war.
Consider the advice of Sun-Tzu, a Chinese military general, strategist, and tactician who likely lived during the Warring States period. His definitive work on military strategy and tactics, The Art of War, has influenced both Eastern and Western military thinking, business tactics, and legal strategy for the last 2,000 years.
One bit of guidance in Sun-Tzu’s treatise suggests that an army “who is able to change and transform in accord with the enemy and wrest victory is termed spiritual.” The bad guys seem to be much better at embracing this concept than we are.
With this in mind, maybe it’s time to change the way we fund security. To do this, you must determine how to frame the value of security in a way that will resonate in your enterprise.
Intel’s CISO uses a very simple test to help his staff determine what security investments have the highest likelihood of being funded. Figure 1 shows this yardstick.
Figure 1: Intel’s Security Funding Yardstick
The yardstick is a first-round way to assess the chances of a specific security enhancement being approved. The user experience measurement, which is somewhat subjective, shows how valuable, easy to use, and efficient a security proposal seems. The risk benefit measurement compares the risks of the security proposal to its expected benefits. Finally, the cost benefit measurement compares the financial benefits against the negatives (costs).
Based on Intel’s experience, proposed security enhancements that score well on all three criteria have a good chance of being approved by our CFO. The fewer criteria a proposal meets, the less likely it is to be funded.
Information Security Investment Model
Intel IT has also created a new IT security investment model that helps us analyze internal security investments based on their business value to Intel. The model allows us to analyze the value of each security investment within the context of our IT environment rather than in isolation. It also provides insights to answer questions like:
- What’s the typical return on an investment in any specific defense-in-depth layer?
- How much residual risk applies to any particular threat vector?
- Which incremental investment mitigates the most risk?
- Which incremental investment drives the largest marginal return?
You can find more on this topic in the IT@Intel white paper Measuring the Value of Information Security Investments (login/registration required).
Intel’s security investment model presumes that your security organization and, minimally, your CFO organization are:
- Resource-able, with adequate resources to respond to ongoing security needs while building a long-term strategy
- TCO knowledgeable, with almost an activity-based cost understanding of your IT environment
- Analytic, with the ability to provide statistical expectancy on how well layered controls work
To be honest, my greatest concern about the model is that to use it, an organization must be relatively mature in each of these areas. How does your enterprise measure up?
Please join me as I explore the topic of cloud security across upcoming blogs. For now, and reserving the right to add or modify these topics as we move forward, here are the areas I’ll address in the coming months:
- Current State Security
- Security as a Factor of Cost
- Business Issues Surrounding Security
- Evaluating New-World Security Model Investments
- Security, Data Architecture and Big Data
- Defense in Depth
We’d love your feedback on our investment model and whether your organization can use it, along with your reasons why or why not.
To join the conversation, please contact me through @RDeutsche on Twitter.