Tuesday, December 23, 2008

Spending on Unlikely Threats

Security management these days involves tough choices.  Any resources you devote to mitigating threat A need to be taken away from threat B.  If you devote 100 hours of your team's time to hardening server configurations, that's 100 hours you didn't spend on some other task.

How do we make those choices?  Is it intuition?  What we hear going on in the industry?  Best practices?  As a society we are very bad at making these choices.  Bruce Schneier's recent post on the disproportionate amount of attention paid to peanut allergies illustrates this point.  Is the same misallocation of resources at play in IT security management?

There is a severe lack of data on information security budgeting and resource allocation.  Entire industries have mushroomed around particular threats - anti-virus, hacking, firewalls, you name it.  But which solution offers the most threat reduction per dollar and man-hour spent?  As an industry I think we are going to see this question addressed with increasing frequency (assuming the industry does not disappear first).


  1. First of all, great job on getting out there in the blog world. I have enjoyed speaking with you at IANS events and look forward to reconnecting next time around.

    Secondly, what you are talking about was driven home for me over the course of 2008. We ran a series of BrightflyLIVE! events across the US that focused on Risk Management and through some very specific exercises, we uncovered an alarming trend.

    What we found was that the perceived risks faced by the organizations in our sessions (mostly mid to upper security management, but some were technical/in the trenches types) did NOT align with where their spending went. In other words, the majority of spending went to firewalls, anti-virus, etc. while the risks that actually kept them up at night were most often centered around data protection as it related to managing who had access, whether or not it was appropriate access, and how users created and moved data.

    While we don't yet have our final report written (coming soon!), we will be continuing to explore this mismatch into 2009 and hopefully drawing some more concrete conclusions around it as we home in on more data points.

    Until then, keep up the writing. It's good to see you "out here".

  2. Brandon - thanks for the comment. The blog just celebrated its one-week anniversary so I am really glad to see people joining the conversation!

    That is a very interesting trend you have uncovered and one that I have suspected for a while. Many network security devices are priced in the upper 5 figures and beyond. But when you look at actual breaches (e.g. the ESI report), the large majority are caused by access issues and broken business processes. Spending, particularly on network security devices, sometimes seems out of proportion to the resources dedicated to other issues.

    I think there are a few reasons for this:

    1. Without a CISO, there is no one with executive responsibility for cleaning up access and redefining processes.
    2. It's much easier to just buy something than to re-engineer processes.
    3. Many security operations (managing accounts, access, etc) end up in the hands of IT Operations. These people often do not have the organizational clout to resist insecure practices (like creating non-expiring accounts for convenience).

    I look forward to seeing the Brightfly report on this.

    Btw, hope to see you again at IANS in 09. You held a great session last time around.

