Security strategy is as important as corporate strategy. Getting it right is critical. Learn how detailed cost/benefit information can lead to more effective security management decisions.
Real-life stories abound about hapless CIOs and CSOs who breeze through the task of convincing their ambitious but spending-averse boards and CEOs of the value of CRM, ERP or wireless initiatives but struggle to get funding for the infrastructure and technology to secure them.
Of course, when the inevitable happens - the major system is breached, the regulations are seriously, if accidentally, violated, the corporate reputation goes down the toilet or revenues start to plummet - it's often the hapless CSO who wears the blame. Small wonder security executives stew when the message they hear loud and clear is that if they want the resources to manage security risks, they will have to somehow demonstrate a healthy return on investment (ROI).
No point telling the execs they should count reduced legal liabilities, fewer thefts and better employee morale as ROI savings - they're just not equipped to think that way. To many executives, ROI ain't ROI unless it delivers awesome cost savings or new business returning more to the organization than the original investment.
So convincing executive management of the merits of a stable and secure network infrastructure is tough enough. Selling them on network security initiatives can sometimes seem almost impossible.
"The business case issue around security is still a very real one in Australia, and part of this is because of the lack of ability to translate the impact, or potential impact, of a security issue to the business," says KPMG Australia associate director Rob Goldberg. "And so there is, unfortunately, a number of organizations - from the large end of town all the way down to the SMEs - who haven't been hit who are kind of sitting there thinking: 'Well it hasn't happened to us, so why should I make this investment?'"
In fact it currently seems like there are two types of organizations in this world: the ones who resist spending on security because they have yet to be hit, and those who see security investments as so inevitable they never even bother to consider an ROI case. Still, in many organizations how to justify security investments throughout the development cycle is becoming such a thorny issue that a new group - the Application Security Industry Consortium - formed last year just to tackle it.
Comprising representatives from Microsoft, SAP, Oracle, Red Hat, Gartner, the Florida Institute of Technology and others, the group is mapping security measures to business needs, and tracking other issues dear to the hearts of CEOs and CIOs. Manufacturing Business Technology reports APPSIC hopes to move the debate well beyond the use of scare tactics traditionally used to justify security investments.
"We have two specific goals: to provide metric guidance, and deliver a methodology for evaluating platform and application security," says APPSIC chairman Herbert Thompson, who is chief security strategist for technology and services provider and consortium member Security Innovation.
"Among the challenges are to show value for security activities when we're building software, and to show customers how to determine value when they're buying."
"We're trying to get people to understand security associated with software applications," says IDC research director Charles Kolodgy, a fellow APPSIC member. "Perimeter security has improved, and as people deploy more defences in different areas, hackers have decided to attack applications much more than they used to. We're attempting to assess the risk of applications and find meaningful metrics for security."
Doug Jacobson, Director of the Iowa State University Information Assurance Center, concurs. "Security is like insurance: it's hard to justify," he says. "APPSIC is bringing that to the forefront by seeking models that people can use to demonstrate potential ROI. This would go a long way toward making applications more secure."
That "security-as-insurance policy" is a metaphor Cutter Consortium contributing writer John Berry is entirely comfortable with. Any value from security measures stems mostly from the costs and negative impacts the buyer manages to avoid by warding off catastrophe, Berry notes in a paper called ROI Analysis of Enterprise Risk Management and Governance.