Ron Lepofsky
The way to get the executive team to pay attention is to provide a quality ROI on any new initiative. If the boards of directors can't understand the needs of various departments, then the only way to their pocketbook is to present them with a bottom line return on their investment.
In the case of procuring a security budget, executives are often less than forthcoming because of the lack of information they receive from department heads. Boards of directors and executive teams respond most favourably to requests for information security budgets that are cost justified with a simple ROI business case.
The business case needs to specifically show how potential costs associated with liability, caused by security breaches, may be minimized by implementing a sound security infrastructure. This can be accomplished by allowing a third party to do a security audit that provides evidence of security risks.
This approach of utilizing an ROI to cost justify a security budget is the same premise used to purchase insurance for commodities like office furniture, computers, etc. The difference is that if a security breach occurs as a result of not implementing the proper protection procedures, the associated costs far outweigh the costs to replace furniture.
The potential liabilities, such as loss of production and/or loss of reputation, are translated into actual dollars in the ROI. The security budgets are created by taking a small percentage of the cost of the potential losses and applying it to preventative measures.
As such, this calculation of ROI is actually a calculation of the cost to avoid the liability, expressed as a percentage of the potential cost of that liability. This is similar to the methodology for calculating the financial benefit of insurance for commodities such as office buildings, furniture and computers.
Since the cost of a security infrastructure often falls within about the same price ratio as commodity insurance, one would think this cost justification would be easily sold to an executive committee.
This is often the case, particularly when the business risks identified in the business case are based upon hard evidence of actual security risks. Actual security risks can be identified by evidentiary security audits. These audits are performed by impartial third parties with expertise in identifying both technical and policy risks.
Methodology of calculating ROI
There are three components to the ROI calculation:
- Identifying actual security risks and translating them into quantifiable business risks.
- Identifying how to mitigate the security risks, and determining the associated cost.
- Calculating the ROI as the cost of mitigation divided by the cost of the risk, expressed as a per cent.
The first step in identifying security risks is to identify security vulnerabilities, which can occur when there are technical and policy flaws. As a result, a network can be compromised in order to create a security breach. A typical risk scenario could be an incorrectly configured firewall, which could allow an Internet intruder to gain access to a corporate server containing Sarbanes-Oxley related financial files. The risk situation is exacerbated because the server software has not been patched (maintained) since the latest security threat made the server vulnerable to a security attack.
The example of a security risk scenario above deals with security vulnerabilities which would be found with one family of audit steps, called external audits. In order not to mislead the reader, it is important at this juncture to understand that there are four different families of audit steps, which in turn are subsets of one classification of audits called evidentiary audits.
For clarity, best practice based audits deal with compliance with standards such as ISO 17799.
These are high level standards and do not deal with the detailed implementation of an actual network. In contrast, an evidentiary audit identifies actual proof of existing risk. An analogy might be that a standards audit defines "how to..." and an evidentiary audit defines "what is...".
An evidentiary audit may comprise four steps:
a. Employee Behaviour: risks are identified relating to social engineering (the ability to dupe an employee into giving information or physical access to an unauthorized third party) and identifying the critical control information, the "keys to the kingdom", held by the IT department.
b. Network External: risks are identified from the perspective of how a network appears to potential Internet intruders or to potential wireless intruders.
c. Network Internal: risks are identified relating to how employees attract liability by their Internet misuse; how servers, firewalls, and all other devices are configured and deployed; IT procedures; etc.
d. Physical: risks relating to locks, doors, fences, fire, intrusion, etc. (A physical audit overlaps an employee behaviour audit.)
A crucial element of identifying security vulnerabilities is to also document the evidence of how the vulnerability was found. This evidence should be conveyed in a clear manner, such that an independent third party could verify the evidence, much in the way a financial auditor would review an audit trail.
At this stage the security vulnerabilities are described in very technical terms, and are of absolutely no use to an executive team who may be asked to provide funds to mitigate the risks. In order to develop this raw intelligence into a business case, it is therefore necessary to translate these technical security vulnerabilities into business risks.
In the scenario above, the business risk would be that financial data is at risk of being modified, stolen, or deleted. The associated resulting liabilities could be:
- Contravening Sarbanes-Oxley by using corrupt financial data, resulting in damage to the reputation and stock price.
- Using "inside" information to manipulate stock prices, again resulting in damage to reputation and the stability of a stock.
- Early disclosure of financial reports, again damaging reputation.
The next step is to quantify the costs associated with the risks, should they become reality and actual liabilities. A simple, time-effective method of allocating costs is by using an "executive straw poll," in which the executive team estimates the potential downside costs.
Identifying risk mitigation and associated costs
A security audit should not only identify the security risks, but should also provide high-level recommendations to remedy or to mitigate the risks. These recommendations can of course be augmented by a CIO or CSO who deems the recommendations as strategic to a larger security plan.
The CIO or CSO can then request price quotations from various vendors of security technology and security services, as input for the ROI business case. The total of these quotations is the mitigation cost.
The totals of the cost of risk and the mitigation costs are used in the following formula:
ROI = mitigation costs divided by the cost of potential risk, expressed as a percentage
Outsourcing: an alternative to security technology acquisition
Executive teams of course always want the best ROI for any project, and optimising security technology is no exception. The pitfalls of acquiring technology with a penchant for becoming obsolete before it is installed are obvious and often become sources of embarrassment for the recommender. This problem is often exacerbated by delays or difficulties with implementation and tuning of sophisticated technology.
Therefore it is useful to consider outsourcing the security services, with the associated features and benefits, as a low risk, cost effective alternative to acquisition.
Some outsourcers will provide a pilot project as a proof of concept of the entire project, which can then gracefully be increased in scope to full production. This step minimizes the time to implement and the embarrassment of acquiring technology that is never actually implemented.
The cost of outsourcing also covers other "soft costs" which can quickly become hard costs upon implementation, such as training, and managing and monitoring the technology.
Outsourced services can be immediately expensed in most jurisdictions, from a tax perspective.
Purchased technology may become obsolete and replaced before it is even fully depreciated on the books. Similarly, if technology is leased, the lifetime of payments may persist past the actual lifecycle of the technology.
Compare purchase vs. outsourcing costs
- Capital costs of security technology
- Term of technology depreciation vs. lifecycle
- Manpower costs to manage and monitor
- Trial costs vs. cost of making an error
Account for the lifecycle of the technology vs. the term for depreciating capital expenditures on security technology.
Creating an ongoing ROI cost justification process
Fundamental to ensuring an ongoing adequate security budget is keeping the executive committee fully engaged in the security process. It is incumbent upon the CIO and CSO to educate their executive peers on the principle that security is an ongoing process, and not a one-time event.
As such, as the CIO and CSO successfully implement security infrastructure, it is critical they report on the results in terms of the initial business case used to cost justify the process. This can be successfully accomplished by proving with a business case that the investment in security had the planned payback.
Conclusion and call to action
Obtaining an adequate incremental security budget does not need to be sidelined until the next security event or until the next year's budget. CIOs and CSOs can compel executive teams and boards of directors to make funds available, with the appropriate ROI business case.
The most convincing case is based upon real life evidence of risks faced by their organization, and a financial plan of how to mitigate these risks. It is important to involve the executives in the process by asking for their participation in a straw poll to determine the costs of risks becoming realities. In doing so, the responsibility of addressing the corporation's security needs clearly becomes an executive decision that cannot be avoided.
Executives understand risk and dollars. Those are the only terms with which to describe an ROI information security budget request.
Ron Lepofsky is President and CEO of ERE Information Security.