AKF Partners

Abbott, Keeven & Fisher Partners
Partners In Hyper Growth


Sensible Security

This post is the last in a 3 part series and covers the last 2 points from our post entitled Top 4 Failures in Corporate Information Security.  Here we focus on why firewalls aren't always the best solution to your problems and on how to use your security team properly in your risk decision-making process.  We'll end with a quick review.

Firewalls Can Be Bad Too

Firewalls can absolutely be overdone, and in our experience they very often are.  Firewalls are often cited as necessary for compliance with certain regulatory requirements or industry standards (such as PCI DSS).  Sometimes companies feel they must put them in place simply because similar "comparison companies" have.  Many times the real driver isn't the requirement, the standard or the comparison company so much as misinformation on the part of firewall vendors or decisions made without complete information.

Firewalls, besides not being free in either labor or capital (obviously), almost always reduce your availability and decrease your flexibility.  Like any other piece of hardware or software, they fail from time to time.  Those failures lead either to idle employees who cannot perform their work or, worse, to revenue-generating customers being turned away from certain functions on your site.  There's no way around it: if you put a firewall in the path of a transaction, sooner or later it will cause a problem.  Sometimes that is both acceptable and advisable, such as the additional protection a firewall gives a database that stores PII or payment card data.  Other times it is just an unfortunate cost and burden, such as a firewall in front of static image servers that hold very little of value and are of little interest to money-focused bad guys.  Finally, firewalls can really harm employee productivity by stalling business initiatives.  It's not unusual to spend thousands of dollars of labor several times a year troubleshooting why a new service won't work, or why an old service quit working, before identifying that a port in a firewall needs to be opened or was recently closed.

Security Teams as Contributors – Not Decision Makers

Your security team very likely has a lofty and aggressive goal – to keep your company, your systems and your data (or your customer’s data) free from being abused by bad guys.  This goal doesn’t come cheaply and the only way to guarantee it is attained is to either go out of business or spend so much on your risk adjustment initiatives that you will never make a profit.

The security team rarely has the business background and overall business context to make business tradeoffs when it comes to risk.  While it may in fact include a number of people with advanced business degrees, its focus on reducing risk means that it is not focused on maximizing profits within the context of all of the available business levers.  And you may not want it to have such a broad business focus: some practitioners argue that you want your risk team focused singularly on laying out the available risk options rather than on making the risk tradeoff decisions.  The bottom line is that the team should be involved in the decision process, but it is not necessarily the best decision maker for your risk management options.

Acting Sensibly

Treat your security and risk initiatives as you would your personal property and valuables.  Lock up and keep out of sight those things of significant value, but retain enough flexibility to allow you and your team to do your jobs quickly.  You probably don't put deadbolts on every bedroom in your house because it just doesn't make sense, and you probably don't need to put firewalls on every LAN segment in your network for the same reason.  Add passive detection devices such as intrusion detection systems to increase your level of security without putting another failure point in the transaction path.

We covered four failures in corporate information security:

1) Fear rather than Risk and Profit driving decisions

2) Teams not understanding financial drivers of the "enemy"

3) Overemphasis on Firewalls

4) Security decisions made by the wrong team

By understanding what motivates your enemy, approaching security with risk and profit rather than fear as a driver, acting sensibly when it comes to risk mitigation and making risk decisions at the appropriate level you can both decrease risk and increase profitability.



The Financial Drivers of Security

Our last post, Top 4 Failures in Corporate Information Security, kicked off a 3 part series on security addressing some of the most common themes from our work with clients.  This post covers the first 2 failures from that post in greater detail.  The first section focuses on why financial concerns, and not fear, should drive your security decisions.  The last section focuses on the financial motivations of potential thieves and the ramifications for your security architecture and design.

Focus on Finance (or profits) and not Fear

Has your security team (or have you) ever presented a project justification that something has to be done "or else we will be horribly exposed"?  Or maybe the proposal was worded such that the project must be done or you risk "irreparably tarnishing our brand".  Or how about "Our front doors are basically wide open, nearly anyone can walk in and take whatever they'd like"?  The problem with all of these statements is that not only are they difficult to prove or disprove, they are positioned to elicit a fear response in order to attain a goal.  How does one quantify fear and evaluate it against other business initiatives?  Our position is that one can't, and that one shouldn't.

Our jobs as managers and executives are to make sound business decisions that maximize shareholder wealth.  The appropriate management of risk is an example of such a decision.  We spend money on risk management initiatives to offset potential future losses associated with the realization of that risk.  We might invest in fraud detection systems for instance to reduce future potential losses.  In doing so we pay the expense and capital of putting such a system in place, and potentially lose some revenue through the “false positive” identification of fraud within our revenue stream in order to significantly reduce the amount of real fraud going on within our systems.  Similarly, we might decide to put firewalls in certain places to reduce the probability of a penetration and associated brand damage at the expense of the labor to put those firewalls in place, the capital to purchase the firewalls, and the decrease in availability and scalability those firewalls might present.  Those firewalls also might slow our time to market for certain initiatives or increase the cost of those initiatives by adding steps in order to put new rules in place for new applications, etc.

On a project level, the point at which we should stop adjusting risk in any given area is the point at which the incremental cost of the risk adjustment exceeds its incremental value.  On a portfolio level, the cost and value of the risk adjustment above should be compared to all other capital and effort based projects.  Just because a project has a return doesn't mean it is the best use of our time and resources.  So, if we add a $10M fraud system that is only likely to return $8M in total benefits over 3 years, have we made the right decision?  What if it returns $10M in 3 years?  At $10M it only breaks even in nominal terms, and that is before the time value of money and before asking what else the same $10M could have earned.  The point here is that the initiative should be couched in business terms and compared appropriately against other business initiatives in terms of its financial benefit.  Don't let fear motivate your decisions.
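The project-level stopping rule and the portfolio comparison above (and the $10M-versus-$8M question the intro post asks under failure #1) reduce to expected-loss arithmetic. The following is an added example, not code from the original post or from AKF Partners: every figure in it is constructed for illustration (the $10M system returning $8M over 3 years is taken from the text; the other controls, probabilities and investment tiers are invented), and `Control`, `rank_controls` and `stop_point` are names chosen here.

```python
"""Expected-loss arithmetic for comparing risk-reduction projects.

Added example, not from the original post. All figures are constructed
for illustration: the $10M fraud system returning $8M over 3 years comes
from the text; the other controls, probabilities and tiers are invented.
"""
from dataclasses import dataclass


def expected_loss(probability: float, impact: float) -> float:
    """Expected loss of one scenario: probability of occurrence x loss if it occurs."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    return probability * impact


@dataclass(frozen=True)
class Control:
    name: str
    total_cost: float    # capital + labor + lost revenue over the horizon
    loss_before: float   # expected loss over the horizon without the control
    loss_after: float    # expected loss over the horizon with the control

    @property
    def benefit(self) -> float:
        return self.loss_before - self.loss_after

    @property
    def net(self) -> float:
        return self.benefit - self.total_cost

    @property
    def rosi(self) -> float:
        """Return on security investment: net value per dollar spent."""
        return self.net / self.total_cost


def rank_controls(controls):
    """Portfolio view: keep only controls with positive net value, best first."""
    return sorted((c for c in controls if c.net > 0), key=lambda c: c.net, reverse=True)


def stop_point(tiers):
    """Project view: tiers are (cumulative_cost, residual_expected_loss) pairs,
    sorted by cost, with tiers[0] the do-nothing baseline. Returns the index of
    the last tier whose incremental cost is still covered by the incremental
    reduction in expected loss (0 means: spend nothing in this area).
    """
    chosen = 0
    for i in range(1, len(tiers)):
        incremental_cost = tiers[i][0] - tiers[i - 1][0]
        incremental_value = tiers[i - 1][1] - tiers[i][1]
        if incremental_value < incremental_cost:
            break   # past this point each dollar buys less than a dollar of risk reduction
        chosen = i
    return chosen


# Constructed portfolio. The first entry is the text's $10M system with $8M of benefit.
FRAUD_SYSTEM = Control("fraud detection system", 10e6, 12e6, 4e6)
CANDIDATES = [
    FRAUD_SYSTEM,
    Control("rules-based fraud screening", 1.5e6, 12e6, 7e6),
    Control("firewall in front of PII database", 0.4e6, 1.5e6, 0.3e6),
    Control("firewalls around static image servers", 0.3e6, 0.05e6, 0.04e6),
]

# Constructed tiers for one area: (cumulative cost, residual expected loss) in dollars.
TIERS = [(0.0, 5.0e6), (0.5e6, 3.0e6), (1.0e6, 2.2e6), (2.0e6, 1.8e6), (4.0e6, 1.6e6)]

if __name__ == "__main__":
    print(f"expected loss of the $8M / 0.05% scenario: ${expected_loss(0.0005, 8e6):,.0f}")
    for c in rank_controls(CANDIDATES):
        print(f"{c.name}: net ${c.net / 1e6:.1f}M, ROSI {c.rosi:.0%}")
    print("stop after tier", stop_point(TIERS))
```

Two things fall out of running it: the $10M system is excluded from the ranked list because its net value is negative, even though it "returns" $8M, and the tier walk stops at the second tier because the third costs $1M to remove only $0.4M of expected loss. Constructed numbers, so the ranking is the lesson, not the dollar values.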

Bad Guys Like to Make Money Too

Sun Tzu is credited with saying "If you know both yourself and your enemy, you can win a hundred battles without a single loss."  How well do you know your enemy?  While some of your enemies are out to brag about their accomplishments, the majority are out to make money.  The people who perpetrate technology crimes are generally skilled and intelligent (though morally bereft) people who see the perceived benefit of stealing your data as significantly greater than the perceived cost.  It is this equation that we address in this section.

In our equation Perceived Benefit (PB) > Perceived Cost (PC) the word "perceived" is very important.  We need elements in our security architecture that decrease the perceived benefit of a potential security breach.  This might be storing only a one-way hash or keyed token of sensitive data so that a stolen copy can't be used (with the caveat that low-entropy values such as card numbers or short identifiers fall to brute-force guessing if hashed without a secret, so a keyed hash or tokenization with the key held somewhere other than the data store is the usual choice), or it might be hiding our data and valuables so that "passers-by" never perceive any value in attacking you.  Maybe you can develop marking technologies for your data or "beacons" such that the data can be tracked if used.
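The "make a stolen copy meaningless" idea above (and the intro post's failure #2, which says the same about insiders walking out with data) is concretely a keyed one-way transform. The following is an added example, not code from the original post or from AKF Partners. It assumes a constructed population of 4-digit loyalty codes, constructed records and a constructed `DEMO_KEY`; `pseudonymize`, `build_store`, `lookup` and `recover_from_plain_hash` are names chosen here. It shows the failure mode of an unkeyed hash on a small input space and the keyed alternative, using only Python's standard `hashlib` and `hmac`.

```python
"""Keyed pseudonymization: make a stolen copy of the data worthless.

Added example, not from the original post. The 4-digit loyalty codes, the
records and DEMO_KEY are all constructed; in production the key lives in a
separate secrets store or HSM, never beside the table it protects.
"""
import hashlib
import hmac

# Constructed key. Real deployments use a random 32-byte key from a secrets
# manager; keeping it away from the data is what turns "hidden" into "meaningless".
DEMO_KEY = b"constructed-demo-key-do-not-use-in-production"


def plain_hash(value: str) -> str:
    """Unkeyed SHA-256: one-way, but reversible by enumeration when the input space is small."""
    return hashlib.sha256(value.encode()).hexdigest()


def pseudonymize(value: str, key: bytes) -> str:
    """HMAC-SHA256 token: deterministic (so lookups work) but useless without the key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def build_store(records, key: bytes) -> dict:
    """Index non-sensitive record data by token; the sensitive value itself is never stored."""
    return {pseudonymize(sensitive, key): data for sensitive, data in records}


def lookup(store: dict, value: str, key: bytes):
    """Normal application path: recompute the token with the key and index the store."""
    return store.get(pseudonymize(value, key))


def candidates():
    """The thief's guess space: every 4-digit loyalty code (constructed, 10,000 values)."""
    return (f"{i:04d}" for i in range(10_000))


def recover_from_plain_hash(digest_hex: str, guesses):
    """What a thief does with a dump of unkeyed hashes: hash every guess and compare."""
    for guess in guesses:
        if hmac.compare_digest(plain_hash(guess), digest_hex):
            return guess
    return None


# Constructed records: (sensitive loyalty code, non-sensitive attributes).
RECORDS = [("4711", {"tier": "gold"}), ("0042", {"tier": "silver"})]
STORE = build_store(RECORDS, DEMO_KEY)

if __name__ == "__main__":
    print("lookup 4711 ->", lookup(STORE, "4711", DEMO_KEY))
    print("unkeyed hash recovered:", recover_from_plain_hash(plain_hash("4711"), candidates()))
    print("keyed token recovered:", recover_from_plain_hash(pseudonymize("4711", DEMO_KEY), candidates()))
```

The dump of `STORE` on its own tells the thief nothing: the same enumeration that reverses the unkeyed hash in a fraction of a second comes back empty against the HMAC tokens, because the guesses have to be keyed and the key was never in the database. Rotating the key invalidates every existing token, so rotation needs a re-tokenization plan.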

Elements of perceived cost include the perceived cost of obtaining the data and the perceived cost of getting caught.  This implies that not everything needs the same "actual" cost of protection, as it makes little sense to spend money protecting something that has little perceived value.  The perceived cost of getting caught is at least partially influenced by your track record of catching would-be thieves as well as by how well you publicize your successes.  If I am choosing between attacking site A and site B, each equivalently protected and of equivalent value to me, I will likely choose the site that appears least likely to catch or prosecute me.

In our next post, we will discuss who should make security decisions and why firewalls aren’t always a good thing.



Top 4 Failures in Corporate Information Security

This post is the first in a three part series about security.  It introduces the top four failures that we see in clients when it comes to information and technical security operations.  Our next two posts will each take two of the areas below and cover them in greater detail.

1) Fear rather than Risk and Profit Drives Security Initiatives

Too many teams and companies allow their security decisions to be made based on the fear of potential loss rather than focusing on how to maximize total profits through loss minimization at an appropriate cost.  Business is inherently a risky enterprise, and the only way to reduce your business risk to zero is to get out of business.  Every security (or other risk reduction) initiative you undertake has an actual, quantifiable cost to you in terms of capital (equipment), expense (headcount) and lost revenue opportunity from slower processes.  All of those costs should be evaluated, in a level-headed fashion, against the potential loss you expect.  Why would you possibly spend $10M to offset a potential $8M loss that has a 0.05% probability of happening sometime in the future?  The expected loss in that case is only $4,000.

2) Team Doesn't Understand the Financial Driver of the Enemy

While there are folks who will hack your site or corporation simply to gain a reputation, the vast majority of the bad people out there are in the business of being bad to make money.  Bad guys act when the perceived benefit of success is greater than the perceived cost of effort or failure.  As such, security needs to be more than just locking the doors (increasing the cost of effort for the bad guys), it needs to be about lowering the perceived value of your belongings and increasing the perceived cost of getting caught.  Hide your valuables and rather than making them just difficult to obtain, think about ways to make them meaningless to other people if they should get them.  Remember that many incidents involve employees who already have the keys to your house – so make sure that if they get away with something that it isn’t of value to them once they leave the building.

3) Security Decisions Made by the Wrong Team

In the words of Garrett Hardin, the famous ecologist and author of “Filters against Folly”, for responsibility and delegation to work the person making the decision must be held accountable for that decision by the people it directly and indirectly affects.   This is almost never the case for security initiatives.  Security is about risk reduction at an appropriate cost and as such it is a question for the general manager.  Unfortunately, what typically happens is that security teams are given a goal of reducing risk as much as possible and are asked to justify a budget.  As risk has a direct impact to both revenue and cost, it is something that should be managed at the highest level of the company with input from the appropriate technical resources.

4) Overemphasis on Firewalls as a Deterrent

Firewalls are perimeter security devices.  They serve a similar purpose to locks on your house.  But just as you wouldn't put locks and deadbolts on every door inside your house, you shouldn't put firewalls everywhere within your infrastructure.  Every in-line firewall is one more serial component in the transaction path, and the availability of a serial path is the product of its components' availabilities, so an overemphasis on firewalls decreases your overall availability well beyond their expected long-term benefit as a deterrent.  Rather, firewalls should be used as part of a broader security initiative.  Just as you likely have locks, a security system, a neighborhood watch and potentially cameras in your home and neighborhood, so should you have some number of firewalls in the right places, relationships with law enforcement and a "community watch" program, as well as intrusion detection systems within your corporation or platform.  And remember, hiding your valuables is as important as locking them up.
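The "multiplicative effect of failure" above (and the availability argument in the later post's "Firewalls Can Be Bad Too" section) is easy to put numbers on. The following is an added example, not code from the original post or from AKF Partners. The component availabilities are constructed round numbers, not measurements of any product, and `series_availability`, `parallel_availability` and `compare_paths` are names chosen here. It also shows the check a practitioner wants alongside the warning: what an HA pair does to the same path.

```python
"""Serial vs. redundant availability for components in the transaction path.

Added example, not from the original post. Component availabilities are
constructed round numbers, not measured values for any product.
"""

MINUTES_PER_YEAR = 365 * 24 * 60


def series_availability(components) -> float:
    """A request that must traverse every component succeeds only if all are up:
    the availabilities multiply, so each added in-line device lowers the total."""
    total = 1.0
    for a in components:
        if not 0.0 <= a <= 1.0:
            raise ValueError("availability must be between 0 and 1")
        total *= a
    return total


def parallel_availability(a: float, n: int) -> float:
    """n independent redundant copies: the function is down only when all n are down."""
    return 1.0 - (1.0 - a) ** n


def annual_downtime_minutes(availability: float) -> float:
    return (1.0 - availability) * MINUTES_PER_YEAR


# Constructed path: load balancer, web, app and database tiers at "four nines" each.
BASE_PATH = [0.9999, 0.9999, 0.9999, 0.9999]
FIREWALL = 0.999   # one in-line firewall at "three nines" (constructed)


def compare_paths() -> dict:
    """Availability and yearly downtime of the base path, the path with two
    single firewalls inserted, and the path with those firewalls as HA pairs."""
    variants = {
        "no extra firewalls": BASE_PATH,
        "two single firewalls": BASE_PATH + [FIREWALL, FIREWALL],
        "two HA firewall pairs": BASE_PATH + [parallel_availability(FIREWALL, 2)] * 2,
    }
    return {
        name: (series_availability(path), annual_downtime_minutes(series_availability(path)))
        for name, path in variants.items()
    }


if __name__ == "__main__":
    for name, (avail, minutes) in compare_paths().items():
        print(f"{name:22s} availability {avail:.6f}  downtime {minutes:7.1f} min/year")
```

With these constructed figures the two single firewalls take the path from roughly 3.5 hours to roughly 21 hours of downtime a year; as HA pairs they add about a minute. The parallel formula assumes the two units fail independently, which a shared power feed, a shared config push or a shared software bug violates, so treat it as an upper bound.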

