SecurityCertified

Sunday, June 14, 2009

How Much to Spend on Digital Security

Posted on 6:15 PM by Unknown
A blog reader recently asked the following question:

I recently accepted a position and was shocked to learn, I know this shouldn't have happened, that Information Security/Warfare is largely an afterthought even though this organization has had numerous break ins. Many of my peers have held their position for one or even two decades and are great people yet they are not proactively preparing for modern threat/attack vectors. I believe the main difference is that they are satisfied with the status quo and I am not.

I have written a five-year strategic plan for IT security, which I am now following with a tactical plan on how to get there. With respect to the tactical plan, I was wondering what percentage of the IT budget you think an organization should allocate for their InfoSec programs?

It would seem that, using Google, many people advocate somewhere between ten and twenty percent of the IT budget. I have no knowledge of our overall IT budget but I do know we aren't anywhere near ten percent.

Additionally, how important is the creation and empowerment of a CISO in an organization? Many places still place security under the CIO, of which I have seen both good and bad examples. Thank you for your time; it's much appreciated.


Regarding the cost question: I don't think anyone should use a rule of thumb to decide how much an organization should spend on digital security. Some would disagree. If you read Managing Cybersecurity Resources, the authors make some fairly specific recommendations, even saying "it is generally uneconomical to invest in cybersecurity activities costing more than 37 percent of the expected loss." (p 80) Of course, one could massage "expected loss" to be whatever figure you like, so the 37% part tends to become irrelevant.

When one tries to define digital security spending as a percentage of an IT budget, one faces an interesting issue. First you must accept that the value of the organization's information is the upper bound for any security spending. (In other words, don't spend more money than the assets are worth.) If you base security spending on IT spending, then the entire IT budget becomes the theoretical upper bound for the supposed value of the organization's information. If you arbitrarily decide to shrink the IT budget, following this logic, you are also shrinking the value of the organization's information. This situation holds even if you don't spend more than "37%" of the value of the organization's information on securing it. Clearly this doesn't make any sense.

I have not met anyone with a really solid approach for justifying security spending. "Calculating risk" or "measuring ROI/ROSI" are all subjective jokes. All I can really offer are some guidelines that I try to follow.

  1. First, focus on outputs, not inputs. It doesn't matter how much you spend on security (inputs) if the organization is horribly compromised (outputs). Determining how compromised the enterprise is becomes the real priority.

  2. Second, like I said in cheap IT is ultimately expensive, "security is an IT problem, not a 'security' problem. The faster asset owners realize this and are held responsible for the security of their systems, the less intrusion debt will mount and the greater the chance that enterprise assets will survive digital earthquakes." Security teams don't own any assets, other than the infrastructure supporting their teams. Asset owners are ultimately responsible for security because they usually make the key decisions about the value of their assets and the vulnerabilities in them.

    The best you can do in this situation is to ask asset owners to imagine a scenario where assets A, B, and C are under complete adversary control, and could be rendered useless in an instant by that adversary, and then let them tell you the impact. If they say there is no impact, you should report that the asset is worthless and should be retired immediately. That will probably get the asset owners' attention and start a real conversation.

  3. Third, continue to tell anyone who will listen what you need to do your job, and what is lost as a result of not being able to do your job. Asset owners have a perverse incentive here, because the less they let the security team observe the score of the game (i.e., the security state of their assets), the less able the security team is to determine the security posture of the enterprise. You've got to find allies who are more interested in speaking truth to power than living in Potemkin villages.


Regarding the CISO question: I believe the jury is out on where the CISO should sit. When reporting to the CTO and/or CIO, the CISO is one of many voices competing for attention. Working for the CTO and/or CIO also probably reinforces the notion that the CTO and/or CIO somehow own the organization's information, and hence require security expertise from the CISO to secure it.

However, I am developing a sense that the profit and loss (P/L) entities in the organization should be formally recognized as the asset owners. In that respect, the CISO should operate as a peer to the CTO and/or CIO. In their roles, the CTO and/or CIO would provide services to the asset owners, while the CISO advises the asset owners on the cost-benefit of security measures.

Note that when I say "asset" I'm referring to the real information asset in most organizations: data. Platforms tend to be worth far less than the data they process. So, the CTO and/or CIO might own the platform, but the P/L owns the data. The CISO ensures the data processed by the CTO and/or CIO is kept as secure as possible, serving the asset owner's interests first.

I would be interested in hearing other opinions on both of these questions. Thank you.


Richard Bejtlich is teaching new classes in Las Vegas in 2009. Regular Las Vegas registration ends 1 July.
