Tuesday, August 28, 2007

DoD Digital Security Spending


I found the article Is IT security getting short shrift? to be a good reference for other large organizations contemplating digital security spending. In addition to the chart above, this text is illuminating:

Despite the growing number of attacks on military networks, securing enough money for information assurance programs is still a hard sell at the Defense Department, former Pentagon officials say.

“It’s been the source of enormous frustration,” Linton Wells said in a recent interview in which he recounted some of the difficulties he faced during his four-year tenure as principal deputy assistant secretary of Defense for networks and information integration...

[C]onvincing senior budget officials from the military services to spend money in that area is a continuing challenge, Wells said.

“What they say is, ‘Look, we’re all short on money for things we want to buy — ships, planes, tanks, whatever. Show me how this $2 million you want to put on this today is going to turn cell C17 from red to yellow to green in 2011,’” Wells said. “And that’s often a hard thing to do in information assurance.”

Wells said officials in charge of putting together the information technology security budget for DOD’s networks need better metrics for measuring return on investment for information assurance programs.

“We have not done a good job of making the case that a dollar spent here is going to lead to a quantifiable increase there,” he said.
(emphasis added)

I saw Dr. Wells speak at Black Hat Federal 2006.

I have three brief points.

First, I think the bold text is the problem. If I'm being asked to spend money to turn a spreadsheet cell different colors, of course I'm going to debate the value of that spending. The problem is that the metrics used in these situations largely don't matter.

Second, I would be interested in knowing how much of the DoD budget funds counter-intelligence activities. The majority of the serious problems DoD faces have a counter-intelligence function. The intent of the adversary's activities is no different now than it was in pre-Internet days. How much has historically been spent on stopping spies?

Third, it is sad to continue to see security treated as a separate function that has to justify its own existence in financial terms. Security does not make any money so it cannot possibly compete against business projects which do. This is not strictly the case in DoD because none of the military makes money, but it is certainly true of civilian industries.

8 comments:

Anonymous said...

I was at a three letter agency recently where someone was talking about putting in a new wireless detection solution. When they tried to fund it based off of IT security they received a ton of push back. When they presented it as a counter intel/classified data protection solution the checkbook opened up like a waterfall.

Keydet89 said...

What does it matter how much money is being spent and dog-eared for "IT security"? Are they stuffing the holes with $1 bills?

...security treated as a separate function that has to justify its own existence in financial terms.

Agreed, but that's not going to change until the culture changes. The culture of senior management is to say, "come dance for ME, entertain ME, justify this to ME, and maybe I'll give you some money for this." Instead, CxO's should be asking their security folks, "what have you done for me lately?" Until this changes, security will continue to have to justify its very existence...even in the face of breaches, fines, and lawsuits.

What I'd like to see is the CEO that makes his security folks do their jobs, and then goes to the golf course and starts trash talking his buddies b/c they don't have security..."dude, you call *that* security??"

Marcin said...

Hello,

Could you clarify:

"If I'm being asked to spend money to turn a spreadsheet cell different colors, of course I'm going to debate the value of that spending. The problem is that the metrics used in these situations largely don't matter."?

Do you mean that, in such an environment, the game of blinkenlights becomes more important than addressing the issue indexed by cell C17?

Dave Funk said...

I personally think that it is time to put some more reality into the 'dollars spent on security' graphs. A very, very significant chunk of the money spent on security is spent on governance, not security. FISMA may have equated the two terms, but they are not the same thing. Some portion of dollars spent on governance improves security; much provides the work for auditors.

Marcin said...

@Marcin

The problem with being asked how spending money in security will turn one cell from red to green is because it's a bullshit question. The issue cell C17 is tracking is moot (especially when you're asked to justify), and will be the same color whether or not the security budget is $0 or $100 million dollars.

Marcin said...

Maybe. Every time I add an item to our budget, the first question my director asks is "what is this" and then "why"? Sometimes it is to, effectively, switch something from red to yellow (compliance, SLA issues, self-assessment items).

In this case, it seems that there is a known deficiency - what, and now the remaining question is _why_ the $514M?

I do realize that defense spending and fund management can be... different, but asking "how will you use this money, and will I see a result" is anything but idiotic.

Without respectable long term project management, security becomes voodoo magic - people begin hand waving with a rant about security in depth and how security is a process instead of answering basic questions about their budgets. In addition, most popular (trade press) metrics (return on investment or annualized loss expectancy) are plain stupid when used in IT security presentations - wrong tool for the job.

Again, I expect that Mr. Bejtlich is correct, and that the cell color switching is a bureaucratic stupidity. Still, I would like to know which kind it is.