Comments on TaoSecurity Blog: How Much to Spend on Digital Security (Richard Bejtlich), 13 comments

KH (2009-06-29 18:17):
Having the CISO report to the CIO only works if the CIO supports and understands the importance of security. This directly relates to the culture of a company and can only be remedied (in my humble opinion) by direct reporting to Compliance or Operational Risk.
Unfortunately, in an environment where the CIO marginalises security, it is far easier for projects to steamroll their way into the environment.

Rick (2009-06-23 11:21):
From a company's perspective, they push $$$ into the various security programs only to learn later that they're still compromised! How does the company gain any confidence with the security organization? (It's much like the weather forecast - how do we gain confidence in their next forecast?)

A comment on your first guideline - like any good control system, you have inputs and outputs and need a way to monitor your system via some feedback mechanism. As you see your outputs "grow", you need a way to "tighten" the inputs. So, I don't believe you can ignore either input or output.

Barry Anderson (2009-06-20 23:37):
Richard,
I think what you meant to say is spending a lot on inputs without impacting outputs is adding insult to injury! B-)

Richard Bejtlich (2009-06-19 09:20):
Pete, when I said

"It doesn't matter how much you spend on security (inputs) if the organization is horribly compromised (outputs)."

maybe I wasn't clear. I mean

It doesn't matter how much you spend on security (inputs) if the end result is the organization remaining horribly compromised (outputs).

mark (2009-06-17 10:10):
As a healthcare organization, we are trying the "CISO" as a dotted-line report to the CIO and the head of Compliance. This gives the position information from Legal, HR, Medical Records, etc. - through Compliance - and information from IT - through the CIO. In theory, this looks like a good solution. I'll keep you posted in practice on how this works out. Like you said, the jury is still out on where to position the CISO, and we've had numerous consultants give their opinions.

Pete (2009-06-17 00:05):
Richard -

"...if the organization is horribly compromised."

This is a huge IF, don't you think? How much should you spend IF the organization isn't compromised? How do you decide the circumstances under which one or the other will happen?

It is our profession in a nutshell, but to oversimplify like you have is much worse than the subjective jokes you call ROI and ROSI.

(Btw, to suggest it doesn't matter how much you spend is easily refuted. Of course it matters.)

Pete

Captain Dude (2009-06-16 08:41):
Is there really such a thing as "ROI" when you aren't actually getting money back? I think cost/benefit analysis is probably a better term since you never really get more money back in IT.
Lots of great comments here though!

Boaz Gelbord (2009-06-16 00:14):
I don't think that the percentage of an IT budget dedicated to security is that important in determining an organization's overall level of security. Typically that figure is along the lines of 5-10%, but what matters much more is the amount of internal company resources and organizational capital that is dedicated to security. This broadened concept of spending is what we are trying to measure in the OWASP Security Spending Benchmarks Project (http://www.owasp.org/images/b/b2/OWASP_SSB_Project_Report_March_2009.pdf) referenced in the previous comment.

I have felt for a while that companies are spending too much money on security and too little internal resources. For most organizations, building a secure product is ultimately more expensive, which is one reason ROI/ROSI calculations aren't a good tool for the boardroom. The real reason to build appropriate security into products is the market and regulatory expectation that an organization have an overall security narrative. In this way security is not different than other narratives a company is expected to have - fair labor practices, community involvement, consumer protection, etc. If the security narrative is critical enough to the company, they will hire a CISO (although I think that this function is in decline recently: http://www.boazgelbord.com/2009/05/do-companies-need-ciso.html).

So while I agree with the title of your post from a few weeks back (Cheap IT is ultimately expensive), I think that cheap security is often just that - cheaper. Of course this depends a lot on the industry and the product, but often security flaws are not exploited in a way that reflects back on the victimized company. Or in other words, companies don't necessarily get called out on bad security. As a result there is no money either saved or earned by slowing down a release and locking down an environment to make sure everything is secure.

The lack of ROI doesn't imply that companies should build insecure products. There are some things that companies do not because they save or earn money but because they are a cost of doing business. In many industries security is precisely such a tax.

Anonymous (2009-06-15 12:57):
Boaz Gelbord has been doing some research with regard to Security Spending Benchmarks for OWASP.

Anonymous (2009-06-15 11:42):
It doesn't matter where a CISO sits as long as they are able to talk to the business, technology, operations, legal, HR, compliance, facilities and external regulators and have credibility.

sc (2009-06-15 11:38):
I find it interesting how circular the 'IT Security budget' task can be. Some 'facts' in information security are tough to gather and some are easy. This however can have nothing to do with the outcome or expected control derived from the 'facts'. I think a strong model is to look at the spend required to gain a degree of certainty, offsetting the expected loss of not having the information. In other words, how much does it cost me to know how vulnerable my devices/networks/applications are, and by NOT knowing what could it cost me? I wish there was a formula, but most of the ones I have seen result in a divide-by-0 error.

cg (http://cyberguardians.org) (2009-06-15 09:55):
I agree with the comment that security is an afterthought for most organizations and only rears its ugly head after a major incident, when blame is being passed around.

If you're at a company that is at all serious about security, fence funding your IT security operations is the best approach. IT operations should not dictate spending on security as their missions are at odds with each other.

Coming up with that budget number though is a difficult proposition, as you have seen. Richard's guidance is very appropriate. I would add that key to gaining budget is showing that you consistently drive projects to successful completion. Oftentimes I see teams wasting money buying software/hardware and then never fully implementing them. Credibility at the executive management level is crucial.

GamSec (http://gamsec.wordpress.com) (2009-06-15 03:56):
Unfortunately, many people stick to the saying "if it ain't broke, don't fix it!" but this mentality, when it has to do with security, is normally very dangerous.

I think that in security (especially in IT Security) we need a proactive approach as you did with the 5-year plan, but not everyone does this - in most cases, security is considered a luxury and they only realise the importance of security once they fall victim to some attacks - but by this time, most of the damage is already done.