
The Economic Return of Security






Presentation Transcript


  1. The Economic Return of Security
     Bob Lonadier, CISSP
     RCL & Associates

  2. Agenda
     • The sad state of security spending
     • The underlying problem
     • Why the current economic models are inadequate
     • What to do about it
     • Q&A

  3. The Sad State of Security Spending
     • Companies spend a lot on security, but they aren’t more secure.
     • Spending increases (both absolute and relative to IT spending) don’t result in more security
     • Most incremental spending goes toward dealing with the complexity created by the previous security investment
     • Insecurity abounds

  4. The Security Return Problem
     [Chart: Cost plotted against 1/Security, with regions labelled Relative Security, Relative Insecurity and Absolute Security (not possible). Forces annotated on the chart: Advances in Security Technology, Policy Creation and Enforcement, Training and Education, Increased Connectivity, Open Systems, Hackers, Insiders.]

  5. The Underlying Problem
     • Why justifying security is difficult
     • The management view
     • The view from the trenches

  6. Attempts at Justifying Security Investment
     • The ROI model
     • The risk management model
     • Other models

  7. ROI: Necessary but Insufficient?
     • According to Hurwitz Group’s e-Mentor PRO Study 2000:
       • 77% of enterprises use ROI to evaluate e-Business solution purchases
       • The largest companies use ROI the most – 94% of companies with annual revenues of $10 billion or more
     • According to a 1999 survey by Cambridge Information Network of over 1,400 CIOs and senior IT executives: “ROI analysis is typically a political prerequisite to get an IT investment approved.”
     • However, this same study found that while 91% of respondents consider cost savings as key results from ROI, 65% consider revenue creation an important factor.

  8. The Shortcomings of ROI
     • The self-serving aspects
     • The measurement problem
     • The challenge in reducing cost without increasing risk

  9. The Risk Management Model
     • Average loss expectancy (ALE) = impact of event × frequency of occurrence
     • Invest in security where incremental cost < incremental reduction in ALE
     • Outsource (insure) where incremental cost > incremental reduction in ALE

  10. The Four Risk Actions
      • Accept it
      • Ignore it (accept it)
      • Assign it to someone else (insure against or outsource it)
      • Mitigate it (reduce it)
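The decision rule on slides 9 and 10 can be run as a small model. The following is an added worked example, not material from the presentation: it computes ALE as impact × frequency for a constructed portfolio of risks, invests in a control only where its incremental cost is below the incremental ALE reduction, falls back to transferring the risk (insurance or outsourcing) where the premium is below the expected loss taken off the books, and otherwise accepts the risk. The risk names, dollar figures, control effectiveness factors, the per-risk acceptance threshold and the tie-break (largest net benefit wins) are all assumptions; the slide itself gives only the inequalities.

```python
"""Worked example of the risk management model on slides 9 and 10.

Added illustration, not from the presentation: the risks, controls,
insurance terms and dollar figures are constructed, and the tie-break rules
(largest net benefit wins; "ignore it" is treated as "accept it") are
assumptions layered on top of the slides' inequalities.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Risk:
    name: str
    impact: float     # loss per occurrence, in dollars (constructed)
    frequency: float  # expected occurrences per year (constructed)

    def ale(self) -> float:
        # Slide 9: average loss expectancy = impact of event x frequency of occurrence
        return self.impact * self.frequency


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    impact_factor: float     # residual impact as a fraction of the original (0..1)
    frequency_factor: float  # residual frequency as a fraction of the original (0..1)

    def residual(self, risk: Risk) -> Risk:
        return Risk(risk.name, risk.impact * self.impact_factor,
                    risk.frequency * self.frequency_factor)

    def ale_reduction(self, risk: Risk) -> float:
        # The "incremental reduction in ALE" the slide compares against cost
        return risk.ale() - self.residual(risk).ale()


@dataclass(frozen=True)
class Insurance:
    name: str
    annual_premium: float
    coverage: float  # fraction of each loss the insurer pays (0..1)


def choose_action(risk: Risk, controls: list, insurance: Optional[Insurance],
                  accept_threshold: float) -> tuple:
    """Pick one of the four risk actions (slide 10) for a single risk.

    Returns (action, instrument, expected_annual_cost), the last being what
    the organisation still pays per year after the decision.
    """
    # Accept: the ALE is already below what management is willing to carry.
    # Slide 10's point: ignoring a risk is accepting it without saying so.
    if risk.ale() <= accept_threshold:
        return ("accept", None, risk.ale())

    # Mitigate: invest where incremental cost < incremental reduction in ALE.
    # Assumption: among qualifying controls, take the largest net benefit.
    best: Optional[Control] = None
    best_net = 0.0
    for control in controls:
        net = control.ale_reduction(risk) - control.annual_cost
        if net > best_net:
            best, best_net = control, net
    if best is not None:
        return ("mitigate", best.name,
                best.annual_cost + best.residual(risk).ale())

    # Transfer: no control pays for itself, so insure (or outsource) where the
    # premium is below the expected loss it removes from the books.
    if insurance is not None:
        transferred = risk.ale() * insurance.coverage
        if insurance.annual_premium < transferred:
            retained = risk.ale() - transferred
            return ("transfer", insurance.name,
                    insurance.annual_premium + retained)

    # Nothing is worth buying: carry the risk and record that explicitly.
    return ("accept", None, risk.ale())


def run_example() -> dict:
    """Constructed portfolio; returns {risk name: (action, instrument, cost)}."""
    accept_threshold = 15_000.0  # assumed management risk appetite per risk

    ransomware = Risk("ransomware", impact=400_000, frequency=0.25)      # ALE 100,000
    laptop = Risk("lost laptop", impact=5_000, frequency=2.0)            # ALE 10,000
    flood = Risk("datacenter flood", impact=2_000_000, frequency=0.01)   # ALE 20,000

    return {
        ransomware.name: choose_action(
            ransomware,
            [Control("offline backups", 20_000, impact_factor=0.25, frequency_factor=1.0),
             Control("EDR rollout", 60_000, impact_factor=1.0, frequency_factor=0.5)],
            None, accept_threshold),
        laptop.name: choose_action(laptop, [], None, accept_threshold),
        flood.name: choose_action(
            flood,
            [Control("relocate datacenter", 150_000, impact_factor=0.1, frequency_factor=1.0)],
            Insurance("flood policy", annual_premium=12_000, coverage=0.9),
            accept_threshold),
    }


if __name__ == "__main__":
    for name, (action, instrument, cost) in run_example().items():
        print(f"{name:18s} -> {action:8s} {instrument or '':20s} ${cost:>10,.0f}/yr")
```

Running it, the ransomware risk is mitigated with offline backups (the EDR control reduces ALE by less than it costs and is rejected), the lost-laptop risk sits under the acceptance threshold and is accepted, and the flood risk is transferred because no control clears the inequality while the premium is below the expected loss it covers. Every number feeding the inequalities is an estimate of impact or frequency, which is exactly the quantification weakness the next slide raises.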

  11. The Challenges of the Risk Management Model
      • Qualifying risk
        • Information security risk vs. business risk
      • Quantifying risk
        • Measuring risk well (and over time)
      • Reducing risk
        • Risk management in an era of uncertainty
      • Diversifying risk
        • The insurance model: why it falls short

  12. An Uptime Approach to Security
      [Chart: Availability plotted against 1/Security, with regions labelled Relative Security, Relative Insecurity and Absolute Security (not possible). The curve is annotated “Security returns increased availability”, “Security returns optimal availability” and “Security returns decreased availability”.]

  13. Why The Current Approaches are Inadequate
      • They cannot answer: how much security spending do I need?
      • They cannot manage or diversify risk efficiently
        • Security outsourcing vs. hacker insurance
      • They cannot answer: when am I secure (enough)?

  14. The Security Treadmill

  15. A New Approach Towards the Economic Return on Security
      • Security as a process, not an outcome
      • Business processes vs. IT processes
      • Re-developing security awareness
      • Security as a teaching tool
      • Security and the learning organization
      • Security awareness as a barometer for corporate health

  16. Is Security Free?
      • Security can be a by-product of business process improvement (BPI)
      • But nobody really knows how to make the connection
      • So it’s really difficult to think about it in those terms (given the status quo)

  17. Next Steps
      • Break the (in)security-return cycle
      • Don’t look for return where there is none
      • Restore security as a process
      • Map it to the business needs of the firm
      • Evaluate from the perspective of total quality management (TQM)

  18. How?
      • Vendor Track
        • Reject conventional security ROI
        • Demonstrate value add to the process
      • Management Track
        • Educate, educate, educate
        • Use security awareness (or lack thereof) as a proxy for corporate dysfunction

  19. Questions?
