Thursday, December 11, 2008

Jeremiah Grossman on Justifying Security Spending

I liked the way Jeremiah Grossman listed five ways to justify security spending:

1) Risk Mitigation
"If we spend $X on Y, we’ll reduce the risk of loss of $A by B%."

2) Due Diligence
"We must spend $X on Y because it’s an industry best-practice."

3) Incident Response
"We must spend $X on Y so that Z never happens again."

4) Regulatory Compliance
"We must spend $X on Y because PCI-DSS says so."

5) Competitive Advantage
"We must spend $X on Y to make the customer happy."


Jeremiah expands on each in his blog, which makes for good reading.


Richard Bejtlich is teaching new classes in DC and Europe in 2009. Register by 1 Jan and 1 Feb, respectively, for the best rates.

2 comments:

PepperSprayKing said...
This comment has been removed by a blog administrator.
Michael Cloppert said...

3) Incident Response
"We must spend $X on Y so that Z never happens again."


I think this is misleading. While one of the questions answered by an incident response process is "how", often the most important questions that need to be answered are "what" and "how much". IME, the "how" is most often via known vulnerabilities - be they technical or human - resulting from process, visibility, or training gaps. In other words, issues that will always exist.

That said, if intelligence on the perpetrator of an incident is properly collected and leveraged, IR can be an effective prevention mechanism as well (I like to call it "intelligence-driven response"), but few outside the defense industrial base seem to do it well. Measuring IR solely in terms of prevention will not demonstrate the true return on investment, which will undercut the entire function in reduced funding and organizational focus.

Incident Response is best measured in terms of triage (response/detect time), guidance to focus infrastructure efforts, and prevention.