The Financial Drivers of Security
Our last post, Top 4 Failures in Corporate Information Security, kicked off a three-part series on security addressing some of the most common themes from our work with clients. This post covers the first two failures from that post in greater detail. The first section focuses on why financial concerns, not fear, should drive your security decisions. The second section focuses on the financial motivations of potential thieves and the ramifications for your security architecture and design.
Focus on Finance (or profits) and not Fear
Has your security team (or have you) ever presented a project justification that something has to be done “or else we will be horribly exposed?” Or maybe the proposal was worded such that the project must be done or you risk “irreparably tarnishing our brand”. Or how about “Our front doors are basically wide open, nearly anyone can walk in and take whatever they’d like”. The problem with all of these statements is that not only are they difficult to prove or disprove, they are positioned to elicit a fear response for the purposes of attaining a goal. How does one quantify fear and evaluate it against other business initiatives? Our position is that one can’t and that one shouldn’t.
Our jobs as managers and executives are to make sound business decisions that maximize shareholder wealth. The appropriate management of risk is an example of such a decision. We spend money on risk management initiatives to offset potential future losses associated with the realization of that risk. We might invest in fraud detection systems for instance to reduce future potential losses. In doing so we pay the expense and capital of putting such a system in place, and potentially lose some revenue through the “false positive” identification of fraud within our revenue stream in order to significantly reduce the amount of real fraud going on within our systems. Similarly, we might decide to put firewalls in certain places to reduce the probability of a penetration and associated brand damage at the expense of the labor to put those firewalls in place, the capital to purchase the firewalls, and the decrease in availability and scalability those firewalls might present. Those firewalls also might slow our time to market for certain initiatives or increase the cost of those initiatives by adding steps in order to put new rules in place for new applications, etc.
On a project level, the point at which we should stop adjusting risk in any given area is the point at which the incremental cost (money and effort) of the next risk adjustment exceeds its incremental value. On a portfolio level, the cost and value of that risk adjustment should be compared against all other capital and effort based projects. Just because a project has a return doesn’t mean it is the best use of our time and resources. So, if we add a $10M fraud system that is only likely to return $8M in total benefits over 3 years, have we made the right decision? What if it returns $10M in 3 years? The point here is that the initiative should be couched in business terms and compared appropriately against other business initiatives in terms of its financial benefit. Don’t let fear motivate your decisions.
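As an added illustration (not from the original post), the two rules above as code: walk cumulative protection tiers and stop when the marginal benefit no longer exceeds the marginal cost, then rank the surviving option against other projects by net value. The tiers, costs and benefits are constructed sample figures; the $10M/$8M tier mirrors the post's example.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Option:
    """A project or a cumulative protection tier, costed over one horizon."""
    name: str
    cost_m: float      # total cost over the horizon, in $M
    benefit_m: float   # expected loss avoided over the horizon, in $M


def net_value(opt: Option) -> float:
    """Benefit minus cost; the post's question is whether this is positive."""
    return opt.benefit_m - opt.cost_m


def choose_risk_level(tiers: List[Option]) -> Optional[Option]:
    """Project-level rule: keep stepping up while the marginal value of the
    next tier exceeds its marginal cost; return the last tier that passed."""
    chosen = None
    prev_cost = prev_benefit = 0.0
    for tier in tiers:  # tiers are cumulative, cheapest first
        d_cost = tier.cost_m - prev_cost
        d_benefit = tier.benefit_m - prev_benefit
        if d_benefit <= d_cost:
            break  # incremental cost now meets or exceeds incremental value
        chosen = tier
        prev_cost, prev_benefit = tier.cost_m, tier.benefit_m
    return chosen


def rank_portfolio(projects: List[Option]) -> List[Option]:
    """Portfolio-level rule: only positive net value qualifies, best first."""
    return sorted((p for p in projects if net_value(p) > 0),
                  key=net_value, reverse=True)


# Constructed sample data (3-year horizon). The "premium" tier is the post's
# $10M system returning $8M: positive in isolation? No, and marginally worse.
FRAUD_TIERS = [
    Option("fraud-basic", cost_m=2.0, benefit_m=5.0),
    Option("fraud-standard", cost_m=6.0, benefit_m=9.5),
    Option("fraud-premium", cost_m=10.0, benefit_m=8.0),
]
PORTFOLIO = [
    Option("fraud-standard", 6.0, 9.5),
    Option("firewall-segmentation", 1.0, 2.0),
    Option("dlp-rollout", 3.0, 2.5),  # negative net value: drops out
]
```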
Bad Guys Like to Make Money Too
Sun Tzu is attributed with saying “If you know both yourself and your enemy, you can win a hundred battles without a single loss.” How well do you know your enemy? While some of your enemies are out to brag about their accomplishments, the majority of your enemies are out to make money. The people who perpetrate technology crimes are generally skilled and intelligent (though morally bereft) people who see the perceived benefit of stealing your data as being significantly greater than the perceived cost. It is this equation that we are going to address in this section.
In our equation Perceived Benefit (PB) > Perceived Cost (PC) the word “perceived” is very important. We need elements in our security architecture that decrease the perceived benefit of a potential security breach. This might be one-way encryption of sensitive data such that it can’t be used by someone stealing it, or it might be hiding our data and valuables so that “passers-by” don’t ever perceive any value in attacking you. Maybe you can develop marking technologies for your data or “beacons” such that the data can be tracked if used.
Elements of perceived cost include the perceived cost of obtaining the data and the perceived cost of getting caught. This implies that not everything needs to have the same “actual” cost of protection, as it makes little sense to spend money protecting something that has little perceived value. The perceived cost of getting caught is at least partially influenced by your track record of catching would-be thieves as well as how well you publicize your successes. If I am choosing between attacking site A and site B, each of them equivalently physically protected and of equivalent value to me, I will likely choose the site that appears to me to be the least likely to catch or prosecute me.
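The “one-way encryption” idea from the previous section, as an added example that is not the post's own code: store a keyed one-way token in place of a sensitive value so that equality lookups still work but a stolen copy has little benefit to the thief. It also shows the caveat a practitioner should check: an unkeyed hash of low-entropy data (here a constructed 4-digit PIN) can be reversed by simple enumeration, so the key, kept outside the database, is what actually lowers the perceived benefit. The key is a constructed placeholder.

```python
import hashlib
import hmac
from typing import Callable, Optional

# Constructed placeholder. In practice this lives in a secrets store or HSM,
# never in the same database as the tokens it protects.
SERVER_KEY = b"constructed-demo-key-replace-me"


def keyed_token(value: str) -> str:
    """Keyed one-way token (HMAC-SHA256). Supports matching, not recovery."""
    return hmac.new(SERVER_KEY, value.encode("utf-8"), hashlib.sha256).hexdigest()


def unkeyed_hash(value: str) -> str:
    """Plain SHA-256: one-way in theory, but enumerable for small value spaces."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def matches(stored_token: str, candidate: str) -> bool:
    """Lookup path the application uses; constant-time compare of tokens."""
    return hmac.compare_digest(stored_token, keyed_token(candidate))


def recover_by_enumeration(stored: str,
                           hasher: Callable[[str], str]) -> Optional[str]:
    """Defender's check: given only the stored form and a hash function that
    needs no secret, can every 4-digit PIN be tried until one matches?"""
    for guess in (f"{i:04d}" for i in range(10_000)):
        if hmac.compare_digest(hasher(guess), stored):
            return guess
    return None


def demo() -> dict:
    """Constructed PIN stored both ways; returns what each form gives up."""
    pin = "4217"
    return {
        "unkeyed_recovered": recover_by_enumeration(unkeyed_hash(pin), unkeyed_hash),
        # Someone holding only the dump has no key, so they can only try unkeyed hashing.
        "keyed_recovered": recover_by_enumeration(keyed_token(pin), unkeyed_hash),
        "app_lookup_ok": matches(keyed_token(pin), pin),
        "app_lookup_wrong": matches(keyed_token(pin), "0000"),
    }
```

For values that can be guessed (PINs, dates, account numbers with known structure), the unkeyed column above is effectively plaintext to anyone who copies the table; the keyed column is only as strong as the secrecy of the key.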
In our next post, we will discuss who should make security decisions and why firewalls aren’t always a good thing.