Recently I guest-blogged on the importance of learning how another person thinks. This week I had a chance to apply this lesson with a new decision maker. I learned that I need to develop a way for this executive to think about our security program. I discussed the situation with my wife and she suggested focusing on cost. I thought about this a little more and realized that was the right way to approach the problem.
Consider the following scenario. You're the mayor of a town. You need to decide how much of your budget to allocate to the fire department. To apply the most simplistic analysis to the problem, consider this scene. As mayor you give the fire chief a simple goal: "protect us from fires!" The fire chief asks you: "Mayor, on average, how fast do you want the fire department to respond to a fire?"
I am not an expert on fighting real fires, but let's think about a range of some possible answers.
- Option 1. Instantly. Literally as soon as a fire is detected, fire fighters are on site. Assume this level of response produces the maximum level of containment and preservation of property value, on average.
- Option 2. Within 15 minutes. Assume this level of response produces 75% containment and preservation of property value, on average.
- Option 3. Within 30 minutes. 50% containment and preservation of property value, on average.
- Option 4. Within 45 minutes. 25% containment and preservation of property value, on average.
- Option 5. Within 60 minutes. It's too late. With this timing, the property value is destroyed.
As mayor you're likely to first reach for option 1. After all, you want to preserve property value. However, the fire chief says "maybe you should consider the following data."
- Option 1 costs $64 million. Fire fighters are deployed at 16 locations.
- Option 2 costs $32 million. Fire fighters are deployed at 8 locations.
- Option 3 costs $16 million. Fire fighters are deployed at 4 locations.
- Option 4 costs $8 million. Fire fighters are deployed at 2 locations.
- Option 5 costs $4 million. Fire fighters are deployed at 1 location.
At this point you're starting to sweat. There has to be a way out of this situation! You decide that you can't afford option 1, or 2, or probably even 3. The recession is hitting your town hard. You ask the fire chief if there's a way to reduce the number of fires expected to occur, so that a smaller fire fighting force can react more quickly to fewer fires.
The fire chief switches from his fire fighter role to that of fire marshal. He says that is certainly possible, if the mayor wants to pick one or more of the following options.
- Rebuild dwellings using fire-resistant materials.
- Inspect and rewire electrical systems, including aggressive, persistent monitoring for faults.
- Deploy advanced fire, smoke, and related alarms everywhere.
- Remove flammable materials from dwellings.
- Educate citizens on fire hazards.
- Ensure all citizens know how to contact the fire department, and have the means to do so efficiently and effectively.
- Plus a dozen more options...
You are probably getting the hang of this scenario. At this point the mayor needs to know the cost of each of the fire prevention measures outlined above. Let's not forget one other element: the fire chief asks the police chief to inform the mayor of the arsonist threat, and describes how dedicated counter-threat activities can deter and detain adversaries who set dwellings ablaze.
At the end of the day, the fire chief is presenting options to the mayor, and it's up to the mayor to decide how fast the town should be able to respond to the fires that will happen, and at what cost.
(I underline the "fires that will happen" because that is the reality of life. Disasters happen, so you have to plan for them.)
For me, this is the best way to approach this executive. The fire chief doesn't get to decide how much money to spend on the problem. That's the mayor's decision. The mayor needs to make a budget choice, preferably with the fire chief's input, and then let the fire chief make the best resource allocation to meet the time goals requested by the mayor.
For me, time and cost are the best levers we can move in digital security. I can measure detection and response time for the incidents we handle. I can track how much money I am spending to meet those time requirements. If the mayor wants faster response time, the mayor can try to reduce the number of fires via fire marshal programs and/or apply more resources to the fire fighters.
Beyond measuring incident detection and response for real intrusions, you can use red teaming/adversary simulation to create metrics. You can say "for the money currently spent on our security resistance program, it takes a Red Team X minutes to accomplish goal Y. Is that acceptable?" If X minutes is unacceptable, you can again present cost-benefit analysis in order to derive a decision.
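The two paragraphs above describe the metrics without showing how to compute them. The following is an added example, not code from this post: it derives time-to-detect and time-to-respond from per-incident timestamps (real intrusions and red team exercises scored the same way), and compares the measured response time against a budget table modeled on the fire chief's options. The incident records, timestamps and dollar figures are constructed for illustration and are not data from the post.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import median


@dataclass(frozen=True)
class Incident:
    """One incident or adversary-simulation run (constructed schema, an assumption)."""
    name: str
    source: str          # "intrusion" (real) or "red_team" (adversary simulation)
    started: datetime    # first adversary activity, from forensics or the red team's log
    detected: datetime   # first alert or analyst finding
    contained: datetime  # adversary access removed


def minutes(later: datetime, earlier: datetime) -> float:
    return (later - earlier).total_seconds() / 60.0


def time_to_detect(inc: Incident) -> float:
    """Minutes from first adversary activity to detection (the 'fire is noticed' lag)."""
    return minutes(inc.detected, inc.started)


def time_to_respond(inc: Incident) -> float:
    """Minutes from detection to containment (the fire department's response time)."""
    return minutes(inc.contained, inc.detected)


def summarize(incidents, source=None):
    """Median detection and response times, optionally for one source only.

    Medians are used because one long-undetected intrusion would dominate a mean.
    """
    selected = [i for i in incidents if source is None or i.source == source]
    if not selected:
        return None
    return {
        "count": len(selected),
        "median_ttd_min": median(time_to_detect(i) for i in selected),
        "median_ttr_min": median(time_to_respond(i) for i in selected),
    }


# Budget options in the shape of the fire chief's table: (annual cost in $M,
# response-time target in minutes). Constructed numbers, not a real budget.
OPTIONS = [(64, 0), (32, 15), (16, 30), (8, 45), (4, 60)]


def fastest_affordable(options, budget_millions):
    """Pick the option with the lowest response-time target that fits the budget."""
    affordable = [o for o in options if o[0] <= budget_millions]
    return min(affordable, key=lambda o: o[1]) if affordable else None


def meets_target(summary, target_minutes: float) -> bool:
    """Does measured median response time satisfy the chosen option's target?"""
    return summary["median_ttr_min"] <= target_minutes


# Constructed sample records (all timestamps are illustrative).
D = datetime
SAMPLE = [
    Incident("phish-01", "intrusion", D(2024, 3, 1, 9, 0), D(2024, 3, 1, 9, 20), D(2024, 3, 1, 10, 0)),
    Incident("webshell-02", "intrusion", D(2024, 3, 4, 10, 0), D(2024, 3, 4, 13, 0), D(2024, 3, 4, 13, 30)),
    Incident("rdp-03", "intrusion", D(2024, 3, 9, 8, 0), D(2024, 3, 9, 8, 5), D(2024, 3, 9, 9, 5)),
    Incident("rt-q1-a", "red_team", D(2024, 3, 12, 14, 0), D(2024, 3, 12, 14, 50), D(2024, 3, 12, 15, 10)),
    Incident("rt-q1-b", "red_team", D(2024, 3, 19, 9, 0), D(2024, 3, 19, 11, 0), D(2024, 3, 19, 11, 15)),
]

if __name__ == "__main__":
    real = summarize(SAMPLE, "intrusion")
    sim = summarize(SAMPLE, "red_team")
    print("real intrusions:", real)
    print("red team runs:  ", sim)
    option = fastest_affordable(OPTIONS, budget_millions=20)
    print("fastest option within $20M:", option)
    print("measured response meets that target?", meets_target(real, option[1]))
```

Run against the constructed sample, the fastest option inside a $20M budget is the 30-minute tier, while the median response time for real intrusions is 40 minutes, so the output shows the gap the executive has to close by spending more, reducing incident volume, or accepting a slower target. Red team runs are scored with the same two clocks so the "X minutes to reach goal Y" figure is directly comparable with real incidents.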
If you think you've heard this line of reasoning before (outside this blog), please check whether the other advocates have emphasized outcomes as I do here and elsewhere. I'm not saying "spend $10 million to achieve 95% patch compliance." That's an input metric. I'm talking about output metrics against real intrusion activity and adversary simulations.