Wednesday, August 09, 2006

Notes from SC Magazine

The July 2006 SC Magazine features some blogworthy stories. From Working for Gold, we see more opinions that calculating security ROI is a waste of time:

In recent years, the acronym of the day was ROSI — return on security investment. Analysts and security managers alike were struggling to find ways to measure security return on investment (ROI) and offer it up as proof to their bosses and executive boards that their money was being maximized. But the magic method to do this has never appeared. And some, such as André Gold, Continental Airlines' information security director, doubt it ever will.

"There are a lot of people out there who want to turn the information security department into a profit and loss (P&L) entity and I don't think you can do it," Gold says. "I ran our ecommerce environment for almost seven years and it was really easy to do ROI-type of metrics there. In my opinion you just don't have that in security."

Gold isn't alone. Increasingly, security professionals are dropping the goal of searching for ROI in favor of looking for better ways to communicate how security is making the most of its budget.

"I truly believe there is no real ROI," says Kevin Mandia, CEO of the security consultant firm Mandiant. "A lot of smart people have sat around trying to think about this for the last 10 years and nobody has come up with anything."

All you can do, he says, is detail the proactive things you've done to protect the company from identified threats, and when those thresholds are breached, discuss how fast you reacted to them.

Gold's philosophy is that as a risk management division, security is akin to insurance.

"Risk management is, I think, about insurance," he says. "Insurance doesn't have a P&L [profit and loss] associated with it. Insurance is what it is."
(emphasis added)

Bingo. There's nothing more to say, except for my Road House example.

The same issue features What pill can I take for cyber insecurity? by Kevin Mandia of Mandiant, my friend and ex-Foundstone leader. He concludes by saying:

I think most of us agree that the majority of folks on the planet desire a world where there is no "buggy" software, no backdoors, no cyber intruders and no discernable security flaws in our software. It is time to salute smartly and prepare to battle on. Defending America's cyber infrastructure is going to be a lot like trying to cure a complex disease. The oldest known description of human cancer is found in Egyptian papyri written between 3000-1500 bc, and 3,500 years later we still do not have a cure. I expect similar results for cybersecurity. We can treat cyber insecurity, we can survive it, but we must learn to live with the fact that there may not be a cure.

Kevin is right, although I am hopeful there will indeed be a cure for cancer one day. I like to look at the issue in this light, though. We have been building homes for the same period that Kevin mentions -- even longer. This morning a contractor visited my home to inspect our roof for water leaks. With homes having a multi-thousand-year history, wouldn't you expect to have an absolutely water-proof home by now?

The answer is yes -- if you are willing to pay for it. There are seldom solutions to any problems -- only trade-offs. If you're willing to add $50,000 (?) to the cost of your house, maybe you can have a 100-year roof. That's a price I'm not willing to pay, since this repair will be (only!) $575.

We could approach a similar level with "security" if we were willing to abandon general purpose PCs, operating systems, and applications, wait 10 years, and then operate within an extremely narrow and probably fixed set of features. We'd also have to pay a great deal more.

2 comments:

LonerVamp said...

In regards to the lack of real ROSI, does this also mean that risk analysis is also going to be a dying art? I guess to me, the hard part of figuring out ROSI would be putting a value on threats, vulnerabilities, etc. The cost of countermeasures is not hard to value (cost of equipment, maintenance, etc). Is that a similar track, or did I skip lanes a bit?

On a separate note, we've had people robbing homes for hundreds, thousands of years. You'd think we'd have solved this problem and made homes impenetrable. Well, sure, with enough money and controls.

wpn said...

I don't think risk analysis is dead; you do that all day, every day. I think it's just the "R" in ROSI that is dead. Nobody is asking for a return on investment in physical security, either.

I don't buy the "security as insurance" either. Insurance is what you buy to decrease your losses when your prevention fails. I think the best you can do is to lay out your risk analysis, do a performance-based budget, and show your predictable spending vs. your unpredictable spending. It's not exactly parallel with physical security, because you have to spend a lot more time on business-enabling development and testing. It's a weird mix of physical security and regular IT issues.