Ways to Justify Security Programs: 13 Cs

My last post Forget ROI and Risk. Consider Competitive Advantage seems to be attracting some good comments. I thought it might be useful to mention a variety of ways to justify a security program.

I don't intend for readers to use all of these, or to even agree. However, you may find a handful that might have traction in your environment.

  1. Crisis. Something bad happens. Although this is the worst way to justify a program, it is often very effective.

  2. Compliance. An external force compels a security program. This is also not a great way to justify a program, because resources are often misallocated.

  3. Competitiveness. Please see my previous blog post.

  4. Comparison. If your company security team is 10% the size of the average peer organization size, it's not going to look good when you have a breach and have to justify your decisions.

  5. Cost. It's likely that breaches are more expensive than defensive measures, but this can be difficult to capture.

  6. Customers. It seems rare to find customers abandoning a company after a breach. People still shop at TJX brands. Still, you may find traction here. Compliance is supposed to protect customers but it often is insufficient.

  7. Constituents. I use this term to apply to internal parties. Large companies often provide services to other business units.

  8. Controllership. Is your organization well-governed? Can it account for the state of its systems for auditors and so forth?

  9. Conservation. This is a play on "green IT." What has a lower carbon footprint: 1) flying consultants all over the world to handle incidents, or handling them remotely by moving data, not people?

  10. Consolidation or Centralization. These themes are likely to enable specialization, more effective internal resource allocation, and improve defenses.

  11. Confidence. Confidence applies to all parties involved. Can you trust your data?

  12. Counting. This is a plug for metrics.

  13. [Securities and Exchange] Commission. This is a play on the 10k- forms shareholders receive in the mail. Please see the linked post for more details.

Comments

gunnar said…
wrt customers - focus on customers is bigger than just consumer credit cards (TJX). For one example, I am guessing the small businesses that Krebs has been reporting as losing 5 and 6 figures will be seeking other places to store and process their funds.
3:32 PM
The Ubiquitous Mr. Lovegroove said…
Cover [Your Ass]: This is the only reason government and very large entities ("Too big to fail/punish")implement security. As a security consultant I've dealt with a few large (for my country) government entities and they don't care about security - protecting citizens' and corporations' data. They care if they will loose their jobs or how much screaming the governing minister will exert at them.

If I can convince that the brown-matter storm will be big enough, they might spend some on security.
3:49 AM
Chris Blunt (Axenic) said…
Chance: Understand and manage the risk to your organsation.
4:34 AM
itAuditSecurity said…
It's a lot easier to justify KEEPING security than justifying starting it or expanding it.

These are good points, but I've seen them fail to work other than in the KEEPING realm.

I remember one company, where after I cleaned up a breach and recommended a myriad of changes (again), the executives wiped their brow and said, "Boy, were we lucky they didn't get the credit cards."

And nothing changed.
7:01 PM
Post a Comment

Popular posts from this blog

Zeek in Action Videos

Image
This is a quick note to point blog readers to my Zeek in Action YouTube video series for the Zeek network security monitoring project .  Each video addresses a topic that I think might be of interest to people trying to understand their network using Zeek and adjacent tools and approaches, like Suricata, Wireshark, and so on.  I am especially pleased with Video 6 on monitoring wireless networks . It took me several weeks to research material for this video. I had to buy new hardware and experiment with a Linux distro that I had not used before -- Parrot .  Please like and subscribe, and let me know if there is a topic you think might make a good video.
Read more

MITRE ATT&CK Tactics Are Not Tactics

Image
Just what are "tactics"? Introduction MITRE ATT&CK  is a great resource, but something about it has bothered me since I first heard about it several years ago. It's a minor point, but I wanted to document it in case it confuses anyone else. The MITRE ATT&CK Design and Philosophy document from March 2020 says the following: At a high-level, ATT&CK is a behavioral model that consists of the following core components: • Tactics, denoting short-term, tactical adversary goals during an attack; • Techniques, describing the means by which adversaries achieve tactical goals; • Sub-techniques, describing more specific means by which adversaries achieve tactical goals at a lower level than techniques; and • Documented adversary usage of techniques, their procedures, and other metadata. My concern is with MITRE's definition of "tactics" as "short-term, tactical adversary goals during an attack," which is oddly recursive. The key word in the tacti
Read more

New Book! The Best of TaoSecurity Blog, Volume 4

Image
  I've completed the TaoSecurity Blog book series . The new book is  The Best of TaoSecurity Blog, Volume 4: Beyond the Blog with Articles, Testimony, and Scholarship .  It's available now for Kindle , and I'm working on the print edition.  I'm running a 50% off promo on Volumes 1-3 on Kindle through midnight 20 April. Take advantage before the prices go back up. I described the new title thus: Go beyond TaoSecurity Blog with this new volume from author Richard Bejtlich. In the first three volumes of the series, Mr. Bejtlich selected and republished the very best entries from 18 years of writing and over 18 million blog views, along with commentaries and additional material.  In this title, Mr. Bejtlich collects material that has not been published elsewhere, including articles that are no longer available or are stored in assorted digital or physical archives. Volume 4 offers early white papers that Mr. Bejtlich wrote as a network defender, either for technical or pol
Read more