Friday, February 6, 2009

Justifying Security Spending

I just finished skimming through "The Business Justification for Data Security", a new report by the folks at Securosis sponsored by McAfee. At 38 pages it's a bit on the long side, but it is well worth the read for its exploration of the different models for justifying security spending.

This whole recession thing has businesses cutting back on everything, and security is no exception. This hasn't stopped people from promoting the misguided notion that security somehow pays for itself or is a revenue generator. I like the way the Securosis report dismisses this fallacy - "When applying ROI to data security, you attempt to quantify loss, and then substitute loss as revenue". When you buy an alarm system for your house, the alarm doesn't "pay for itself". It simply makes an unlikely event (your house getting burglarized) even less likely.

Moving from home security to data security, one can claim that security spending will prevent future losses, but invoking a revenue argument (as though a security investment is actually earning money in the same way that a new sale does) just doesn't fit with the way businesses think about revenues and losses. The very subjective valuations that go into measuring data loss further weaken the ROI argument to the point of irrelevance.

As I have written before, network security is relatively well understood and the security portion of the total IT spending pie is broadly accepted to be in the neighborhood of 10%. This is the security tax, and a CISO's job is to manage and spend that tax in the most efficient way. Justifying a particular security expenditure outside of the context of total security costs doesn't make sense.

Another big problem with any sort of quantitative loss prevention model is the vagueness of what exactly constitutes security spending. The days of buying a "security product" to address security issues are fast disappearing. Most of the major IT vendors these days have been building their own security features or purchasing smaller security vendors and integrating their functionality. Process change and leveraging existing technologies - not buying security products - are in most cases the path to a more secure business.

An example of this would be database auditing. The required investment is not monetary but rather an organizational one. Enabling auditing has many internal costs (testing, etc.) and must be weighed against actual product enhancements that could be done instead.

There are of course examples of security spending that do follow the pattern of a simple dollar investment/loss prevention analysis. An example given in the Securosis report is that of a lost laptop, where the security measures have clear monetary costs (namely full disk encryption) and the losses have easily quantifiable costs (notifying customers in the event of a breach). But laptop encryption is the exception, not the rule. Very few security costs can be quantified in this way.

As I have written before, I believe that the major driver of security spending in the coming years will be compliance. Almost all compliance is less about using system X vs. system Y and more about having an overall security narrative. The CISO's job is to be the owner of that narrative and to make it happen within an industry-acceptable budget. Every security dollar spent (and for that matter every hour of someone else's time committed to security) should serve to advance that narrative.
