In the fall, a security manager's thoughts turn to budgets. Asking the board for money is, in essence, asking them to invest in what you do, arguing that the costs of what you do (security) are worth the benefits the company -- the investor -- will receive.
When investors decide whether to buy stock in a new company, they scan a preliminary prospectus called the Red Herring (so named for the red warning printed on its cover), which by law must list all the risks the company faces as well as its opportunities for growth.
Like a stock about to go public, IT spending is also an investment with very real potential benefits and very real risks -- including, of course, security risks. But while some aspects of Web commerce are easy to quantify (e.g., how much business you do over the Web per day or week), doing a cost/benefit analysis for security is still a black art. Business managers often don't know how to estimate the risk (except to think it won't happen to them) or the cost (except that whatever it is will be too much).
And you, as a security manager, have no real guidelines to help them. This is bad because it makes it harder to argue for the money and people it takes to do your job. And if you can't point back to that far-sighted recommendation you made at budget time, it makes it harder to defend yourself when a security disaster does occur.
But security, like other types of IT spending, is emerging from the land of voodoo economics. While many companies simply try to match current "best practices" for information security, some financial institutions (with a lot of dollars at stake per transaction) are taking the lead in quantifying the cost of such risks, says Emily Freeman, a senior vice president at Marsh Inc. in San Francisco.
ING Americas, for example, is adding a "security review" to the financial and architectural reviews it already does on IT projects, says executive vice president and CIO Steve Stecher. "We're getting more and more disciplined on information security," he says. "It's a high priority item for us."
But if you're still using voodoo economics to assess your security spending, here are some more sophisticated approaches to try:
1) List regulatory, legal and investor-related vulnerabilities. Look beyond obvious losses, such as the sales or ad revenue you lose when your Web site goes down. What effect would a site outage have on your stock price, and hence your company's ability to buy other companies or attract new investors? Are there state or federal regulatory agencies that could impose fines or other penalties if a hacker leaked private customer data? Have you ever tried to put a value on your trade secrets, new products under development or customer lists? If so, do you weigh the value of those assets in defending your security budget?
2) Remember to factor in easy but effective attacks that cripple your site. It's fairly difficult for a hacker to steal or tamper with critical data without leaving clues as to their identity, says Mike McConnell, a former director of the National Security Agency who's now a vice president at Booz-Allen & Hamilton Inc. "But if your intent is to destroy or degrade (a site), it's a fairly straightforward process." Highlighting that fact will remind your managers how easy it is to launch such an attack, which raises both the probability they should assign to the event and the expected cost to your organization, should it succeed.
3) Assess the total cost of getting back into operation, not just stopping attacks. Your aim as a security director isn't really to stop or even prevent attacks -- it's to ensure your organization can do business over the Web securely and effectively. Freeman says that measuring risk is only the first step in assessing security spending. Identifying what you need to do to prevent or stop losses comes next. The last two steps -- which should also be factored into the cost/benefit analysis -- are the cost of what it takes to stop or blunt an attack and recover from it (redundant servers, data backups and the like), and the cost of risk insurance or of writing contracts that limit your exposure in the event of a hack.
4) How will superior security help us crush the competition? Information technology security is often seen as a necessary evil, much as all IT spending once was. But imagine the advantages in time-to-market, brand awareness and market share for the first bank to convince customers it's safe to access account information from a handheld device. Imagine the advantages in customer lock-in and lowered costs for the outsourcer who finds a less-expensive way to implement a VPN between manufacturing sites. "I would submit," says McConnell, "that business leaders need to think of security as an enabler, not a burden."
We'll all reach that enlightened point someday, just as we all now recognize IT itself as an enabler, not a burden. The question is whether you'll reach that point before, with or behind your competitors.

About the author
Robert L. Scheier, a freelance writer specializing in information technology issues, can be reached at firstname.lastname@example.org.