One of the most challenging aspects of information security is right-sizing its budget in proportion to the overall IT budget of a company, that is, estimating the appropriate spend relative to the level of risk the organization is prepared to accept. Some companies may believe that comparing the percentage of the IT budget their competitors, or other organizations in their business sector, spend on security is a good way to estimate their own. This kind of benchmarking can create a disconnect between the perceived level of information security risk an organization is under and the reality, because a peer's budget says nothing about this organization's own assets, threats or controls. Many options exist for calculating the appropriate security expense with regard to risk. There is the Annual Loss Expectancy (ALE), calculated as the Annual Rate of Occurrence (ARO) multiplied by the Single Loss Expectancy (SLE), and there is the Return on Security Investment (ROSI), which is usually evaluated together with a Total Cost of Ownership (TCO) calculation so that recurring operating costs are not left out of the investment side. Chief Information Security Officers (CISOs) may need the values from these calculations to feel comfortable with their security investments. Which brings up my challenging question of the day: is information security really an investment?
We should not forget that information security is a process which includes technology and, most importantly, people. For that reason, it is possible to track the improvement of an IT security program by evaluating the maturity of the organization on a scale such as Capability Maturity Model Integration (CMMI), which provides Capability Levels (0-Incomplete, 1-Performed, 2-Managed and 3-Defined) for individual process areas and Maturity Levels (1-Initial, 2-Managed, 3-Defined, 4-Quantitatively Managed and 5-Optimizing) for the organization as a whole. We can also consider common business improvement strategies like Six Sigma, which identifies improvement opportunities from measured results and can be used to justify the cost of IT security. Six Sigma involves the use of those valuable boxes connected with arrows to define how things are currently being done and how they can be improved. Its DMAIC cycle provides the steps Define, Measure, Analyze, Improve and Control. The first step in any improvement strategy is to define the metrics to collect, then measure and analyze them to establish a current baseline, and then improve and control, meaning that the new processes are implemented with ongoing analysis as needed. But there has to be a metric to monitor and analyze in order to determine whether improvement is possible. Even if the only metric available is the time it takes to complete a process, it can be an important one for establishing the baseline to improve upon.
Another challenge in an information security program is collecting metrics that can be monitored to show how well the program is working. If there is no information security program for which to collect metrics, then establishing one should be a priority so that the focus can be on the right options to improve. It can start simply with counting the number of systems infected by a virus or worm (malware) over a period, which gives both a baseline and, later, an observed rate of occurrence. In my opinion, if no metrics are collected and reported to upper management, there is no security program. These metrics are an important part of determining options for improvement and allow for the appropriate justification of information security expenditures.
One good example of measured improvement can be found in one of Intel's very well written white papers on the subject of security investment (ROSI): Measuring the Return on IT Security Investments.
Many countermeasures can be put in place at once in order to establish a good defense in depth strategy for the IT security program. But if the IT business value proposition is important, an approach that introduces security countermeasures (or improvements) one at a time allows a measurement to be taken after each one, so that the value each delivers to the organization can be assessed rather than attributed to the whole bundle. Whether it is CMMI to show an increased maturity level in handling a security event, Six Sigma for improvements to the process, or ROSI to show the return on the initial security investment, all can be very beneficial to cost justification because they provide indicators of just how much improvement was achieved based on the metrics collected.
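To make the ALE, TCO and ROSI figures from the opening paragraph concrete, and to show how a metric collected before and after a single countermeasure replaces the estimated mitigation ratio with a measured one, here is a worked calculation in Python. This is an added example and not code from the original post or from Intel's white paper; the asset value, exposure factor, incident counts, control costs and mitigation ratios are constructed for illustration, and the ROSI formula used is the common ENISA formulation, (ALE times mitigation ratio, minus annualised cost) divided by annualised cost.

```python
"""ALE, TCO and ROSI worked through on a constructed metric series.

Added example, not from the original post. Every cost figure, incident count
and mitigation ratio below is an assumption chosen for illustration; the ROSI
formula follows the common ENISA formulation (avoided loss minus cost, over cost).
"""
from __future__ import annotations

from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Control:
    """A candidate countermeasure and its cost profile (assumed values)."""
    name: str
    acquisition_cost: float       # one-time purchase or build cost
    annual_operating_cost: float  # licences, staff time and maintenance per year
    mitigation_ratio: float       # estimated fraction of the ALE it removes, 0..1


# Constructed baseline metric: malware-infected hosts counted per year, three years.
ASSET_VALUE = 200_000.0      # assumed value of the asset group at risk
EXPOSURE_FACTOR = 0.25       # assumed fraction of that value lost per incident
BASELINE_INCIDENTS = [3, 5, 4]
HORIZON_YEARS = 3            # evaluation horizon for TCO

CANDIDATES = [  # assumed costs and estimated mitigation ratios
    Control("endpoint EDR", 60_000.0, 30_000.0, 0.6),
    Control("security awareness training", 5_000.0, 10_000.0, 0.2),
    Control("network segmentation", 120_000.0, 20_000.0, 0.5),
]

# Constructed metric collected after deploying only the EDR control, two years.
INCIDENTS_AFTER_EDR = [1, 2]


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor."""
    return asset_value * exposure_factor


def annual_rate_of_occurrence(incidents_per_year: list[int]) -> float:
    """ARO from collected metrics: mean incident count over the observed years."""
    return sum(incidents_per_year) / len(incidents_per_year)


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO, the figure the post describes."""
    return sle * aro


def total_cost_of_ownership(control: Control, years: int) -> float:
    """TCO over the horizon: one-time cost plus the recurring cost for every year."""
    return control.acquisition_cost + control.annual_operating_cost * years


def rosi(ale: float, control: Control, years: int) -> float:
    """ROSI = (ALE x mitigation ratio - annualised TCO) / annualised TCO."""
    annual_cost = total_cost_of_ownership(control, years) / years
    avoided_loss = ale * control.mitigation_ratio
    return (avoided_loss - annual_cost) / annual_cost


def break_even_ratio(ale: float, control: Control, years: int) -> float:
    """Mitigation ratio at which ROSI is zero: below it the control is a net cost."""
    return (total_cost_of_ownership(control, years) / years) / ale


def rank_controls(ale: float, controls: list[Control], years: int) -> list[tuple[str, float]]:
    """Order candidate controls by ROSI, highest first."""
    scored = [(c.name, rosi(ale, c, years)) for c in controls]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def observed_mitigation_ratio(baseline_ale: float, sle: float, incidents_after: list[int]) -> float:
    """Measured ratio: compare the ALE after one control is deployed with the baseline ALE."""
    realised_ale = annual_loss_expectancy(sle, annual_rate_of_occurrence(incidents_after))
    return 1.0 - realised_ale / baseline_ale


def rosi_sensitivity(ale: float, control: Control, years: int, ratios: list[float]) -> dict[float, float]:
    """Recompute ROSI across a range of mitigation ratios to expose the estimate's influence."""
    return {r: rosi(ale, replace(control, mitigation_ratio=r), years) for r in ratios}


if __name__ == "__main__":
    sle = single_loss_expectancy(ASSET_VALUE, EXPOSURE_FACTOR)
    aro = annual_rate_of_occurrence(BASELINE_INCIDENTS)
    ale = annual_loss_expectancy(sle, aro)
    print(f"SLE={sle:,.0f}  ARO={aro:.2f}  ALE={ale:,.0f}")
    for name, value in rank_controls(ale, CANDIDATES, HORIZON_YEARS):
        print(f"  {name:<28} ROSI={value:+.2f}")
    edr = CANDIDATES[0]
    print(f"EDR break-even mitigation ratio: {break_even_ratio(ale, edr, HORIZON_YEARS):.2f}")
    print(f"EDR measured mitigation ratio:   {observed_mitigation_ratio(ale, sle, INCIDENTS_AFTER_EDR):.3f}")
    for ratio, value in rosi_sensitivity(ale, edr, HORIZON_YEARS, [0.2, 0.4, 0.6]).items():
        print(f"  if EDR removes {ratio:.0%} of ALE -> ROSI={value:+.2f}")
```

The break-even ratio is the part worth showing a CISO: a control whose estimated mitigation ratio falls below it has a negative ROSI, which is exactly where the subjectivity of the estimate bites, and the only way to settle the argument is the post-deployment metric series that turns the estimate into an observed ratio.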
The truth, in my humble opinion, is that even though all of the calculations used to justify information security investment carry some subjectivity (the mitigation ratio and the rate of occurrence are estimates until measured), they are very meaningful and necessary in allowing the appropriate communication about risk mitigation to take place. An organization's obligation to protect its information assets is a matter of due diligence, and in some cases IT security controls are mandated under regulatory compliance. Unfortunately, many organizations are forced into a security program whose only purpose is satisfying regulatory compliance, which makes it very difficult to measure business value. Security audits should only be used to verify that security controls are in place and working properly, not to set the direction of a security program. Information security should be built with a defense in depth strategy in mind and with consideration of the classification of the data that needs to be protected. The organization's culture plays a huge role in making strides here, and implementation of standards like ISO 17799/27002, the NIST SP 800 series and COBIT can also help in this strategy.
A strategy that focuses on IT security improvements can be measured to show that it is an investment in the organization's capability and maturity, or an improvement in the protection of information assets. As with any process, there is always room for improvement in IT security. The IT security program should be created to protect the organization, and by determining the indicators of success, information security expenditures can not only be justified but can also be an investment in IT business value.