With cyber attacks continuing to make headlines, companies have responded by rapidly increasing IT security spending even as overall IT budgets have remained flat or declined. Gartner predicts that security software spending will have a compound annual growth rate of 16.2% from 2005-2009 with information security spending representing approximately 6% of overall IT budgets.
It’s no surprise then, that business executives are beginning to question what they’re getting for their IT security spending. Their tolerance for technospeak such as distributed denial of service attacks and buffer overruns is rapidly decreasing. Their expectation that shareholders receive value from their security spending, on the other hand, is increasing. In this environment, IT security teams are starting to feel pressure to demonstrate the effectiveness of their efforts.
How did we get here?
Few IT categories have evolved as quickly as security. Less than a decade ago, IT security was of limited concern. Business applications were developed for in-house use. Networks were private and built around proprietary protocols. Then seemingly overnight, applications were turned inside out. Internal banking applications became “online banking.” In-house order entry systems became “online shopping.” Private networks gave way to the Internet for all communication and information sharing. Worms and viruses became the norm and costs from security-related business interruption skyrocketed.
Security had to evolve quickly. In its early phases, senior executives primarily cared about containing the security problem and let the technology experts decide what to do. As budgets increased, the technologies became at once more sophisticated and more numerous, and eventually multiplied into a seemingly unlimited number of subcategories and products. Companies today are increasingly confused about how much to spend on IT security and what to spend it on. In this rapid spend cycle, IT security products emerged as standalone solutions, incapable of working in an ecosystem or sharing information with one another. They were designed to be simple to use and deploy to accommodate IT security organizations’ limited headcount but increasing capital budgets.
Time to show results
Now executives want to see results from all this security spending. Are IT security teams equipped to think about “results” when they can barely keep up with the administration and information overload from all those products they acquired? And what about all the additional products they still need? Are they even equipped to communicate with senior executives used to dealing with financial measures such as revenues, market share, margins, inventory turns and ROI?
Senior executives manage to tried and true principles. The most effective is the “measure and manage” principle. Executives set goals based on identified metrics, and then measure and manage to the established goal. Often the goal is to attain a desired return on investment. That’s fine for many business functions, but falls short for some, particularly IT security. ROI is great when the goal is to increase revenues or reduce costs. But IT security doesn’t increase revenues or reduce costs. Security doesn’t have a measurable ROI. When it fails, there’s loss. When it works perfectly, there’s cost – and how do you measure a loss that never happened?
So how do you demonstrate results from IT security? It turns out to be simpler than one would think, particularly when the problem is reduced to its fundamental components. When all the technology talk is set aside, the goal of IT security can be simply stated as minimizing risk at the lowest possible cost. There you have it. Two things that need to be measured: risk and cost.
Getting to a results-driven model of IT security will require organizations to reprioritize their efforts, and budgets, around showing a measurable and objective risk metric for their information systems and networks. Objective metrics must be tracked over time against measurable goals. Organizations will demonstrate how they are managing risk across their information systems and networks and compare today’s results to last week, last month, last quarter, last year. And by comparing risk trends with security spend, executives will clearly understand how their investment in security is being managed, and the effectiveness of that spend. IT security budgets will be justified and organizational effectiveness will be measured by the company’s acceptable risk tolerances.
Let’s face it: the risk of a security breach will always be present. But should such an event occur, organizations will have clearly documented processes and metrics that prove a standard of due care was in place. And should it prove inadequate over time, the acceptable tolerances can be tightened in measurable ways and at measurable costs, and communicated in a manner that business executives understand.
Measuring cost is easy, so let’s focus on measuring risk. There are no industry-standard measures for security risk, but there’s no reason to wait for standards. What’s important is that every company develops its own objective risk measure. For example, advanced vulnerability and risk management systems can continuously identify and profile assets on a network to objectively and automatically measure vulnerability risk, configuration and security policy compliance and other specific metrics to produce a risk “score” for each device. These asset risk scores can then be aggregated across the entire network and reported by region, application, operating system, business unit and numerous other ways. The scores should be influenced by company-defined asset values (for example, a desktop computer will have a lower asset value than a securities trading system). The risk score can be further influenced by countermeasures that are in place for each asset (countermeasures might be additional layers of security such as IDS/IPS, firewalls or antivirus products). And finally, the risk measure should be influenced by the current threat environment that exists in the wild (threat metrics can be obtained through organizations like CERT or purchased from independent security research organizations as “feeds”).
Having an objective IT risk measure is the key first step. Once an organization puts the systems and processes in place to measure and report on risk, then setting goals and managing to them takes over. This means knowing how to prioritize risk reduction efforts. There are countless risks and vulnerabilities in an IT infrastructure. Addressing the highest priorities is critical to enabling maximum risk reduction at the lowest possible cost. When a security team shows up for work, they need to know the top five or ten tasks they can complete that day to reduce risk the most. By mining the security intelligence collected by the vulnerability and risk management system, including asset values, network topology and security policy information, organizations can quickly identify and prioritize the highest risks to a network or IT infrastructure.
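The scoring model sketched above (per-device score from findings, weighted by a threat feed, reduced by countermeasures, scaled by asset value, then rolled up by business unit and mined for the day's top remediation tasks) as a small worked example. This is added illustration, not code from the article or from any product it refers to; the weights, effectiveness factors and inventory are all constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed threat feed: weight per weakness class (the "feed" the article mentions).
THREAT_FEED = {"unpatched-remote": 2.0, "weak-config": 1.2, "missing-av": 1.5}
# Constructed countermeasure effectiveness: share of risk each layer removes.
COUNTERMEASURES = {"ids/ips": 0.3, "firewall": 0.4, "antivirus": 0.5}

@dataclass
class Asset:
    name: str
    unit: str                # business unit used for roll-up reporting
    asset_value: float       # company-defined value (desktop low, trading system high)
    findings: dict           # weakness class -> scanner severity (1-10)
    countermeasures: list    # defensive layers in front of this asset

def asset_risk(a: Asset) -> float:
    """Findings weighted by threat feed, cut by countermeasures, scaled by asset value."""
    base = sum(sev * THREAT_FEED.get(w, 1.0) for w, sev in a.findings.items())
    residual = 1.0
    for c in a.countermeasures:
        residual *= 1.0 - COUNTERMEASURES.get(c, 0.0)
    return round(base * residual * a.asset_value, 2)

def aggregate_by_unit(assets):
    """Roll device scores up by business unit for executive reporting."""
    totals = defaultdict(float)
    for a in assets:
        totals[a.unit] += asset_risk(a)
    return dict(totals)

def top_tasks(assets, n=5):
    """Rank single remediations by the score they would remove: today's top tasks."""
    tasks = []
    for a in assets:
        before = asset_risk(a)
        for w in a.findings:
            left = {k: v for k, v in a.findings.items() if k != w}
            fixed = Asset(a.name, a.unit, a.asset_value, left, a.countermeasures)
            tasks.append((round(before - asset_risk(fixed), 2), a.name, w))
    return sorted(tasks, reverse=True)[:n]

# Constructed sample inventory, not real systems.
SAMPLE_ASSETS = [
    Asset("trading-01", "capital-markets", 10.0,
          {"unpatched-remote": 8, "weak-config": 4}, ["firewall", "ids/ips"]),
    Asset("desktop-117", "back-office", 1.0, {"unpatched-remote": 8, "missing-av": 6}, []),
    Asset("web-02", "retail", 5.0, {"weak-config": 5}, ["firewall"]),
]
```

On this sample the same unpatched remote service ranks first on the trading system and fourth on the desktop, which is the asset-value effect the article describes; the roll-up by unit is what would be trended week over week against spend.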
Security budgets are reaching a level where they must be justified. Shifting the focus away from simply buying technology to applying common sense business management principles will ensure that companies spend wisely, manage prudently and deliver the most value to their organizations while protecting their critical information investments.