Wednesday, August 09, 2006

Notes from SC Magazine

The July 2006 SC Magazine features some blogworthy stories. From Working for Gold, we see more opinions that calculating security ROI is a waste of time:

In recent years, the acronym of the day was ROSI — return on security investment. Analysts and security managers alike were struggling to find ways to measure security return on investment (ROI) and offer it up as proof to their bosses and executive boards that their money was being maximized. But the magic method to do this has never appeared. And some, such as André Gold, Continental Airlines' information security director, doubt it ever will.

"There are a lot of people out there who want to turn the information security department into a profit and loss (P&L) entity and I don't think you can do it," Gold says. "I ran our ecommerce environment for almost seven years and it was really easy to do ROI-type of metrics there. In my opinion you just don't have that in security."

Gold isn't alone. Increasingly, security professionals are dropping the goal of searching for ROI in favor of looking for better ways to communicate how security is making the most of its budget.

"I truly believe there is no real ROI," says Kevin Mandia, CEO of the security consultant firm Mandiant. "A lot of smart people have sat around trying to think about this for the last 10 years and nobody has come up with anything."

All you can do, he says, is detail the proactive things you've done to protect the company from identified threats, and when those thresholds are breached, discuss how fast you reacted to them.

Gold's philosophy is that as a risk management division, security is akin to insurance.

"Risk management is, I think, about insurance," he says. "Insurance doesn't have a P&L [profit and loss] associated with it. Insurance is what it is."
(emphasis added)

Bingo. There's nothing more to say, except for my Road House example.

The same issue features What pill can I take for cyber insecurity? by Kevin Mandia of Mandiant, my friend and ex-Foundstone leader. He concludes by saying:

I think most of us agree that the majority of folks on the planet desire a world where there is no "buggy" software, no backdoors, no cyber intruders and no discernable security flaws in our software. It is time to salute smartly and prepare to battle on. Defending America's cyber infrastructure is going to be a lot like trying to cure a complex disease. The oldest known description of human cancer is found in Egyptian papyri written between 3000-1500 bc, and 3,500 years later we still do not have a cure. I expect similar results for cybersecurity. We can treat cyber insecurity, we can survive it, but we must learn to live with the fact that there may not be a cure.

Kevin is right, although I am hopeful there will indeed be a cure for cancer one day. I like to look at the issue in this light, though. We have been building homes for the same period that Kevin mentions -- even longer. This morning a contractor visited my home to inspect our roof for water leaks. With homes having a multi-thousand-year history, wouldn't you expect to have an absolutely water-proof home by now?

The answer is yes -- if you are willing to pay for it. There are seldom solutions to any problems -- only trade-offs. If you're willing to add $50,000 (?) to the cost of your house, maybe you can have a 100-year roof. That's a price I'm not willing to pay, since this repair will be (only!) $575.

We could approach a similar level with "security" if we were willing to abandon general purpose PCs, operating systems, and applications, wait 10 years, and then operate within an extremely narrow and probably fixed set of features. We'd also have to pay a great deal more.

2 comments:

Unknown said...

In regards to the lack of real ROSI, does this also mean that risk analysis is also going to be a dying art? I guess to me, the hard part of figuring out ROSI would be putting a value on threats, vulnerabilities, etc. The cost of countermeasures is not hard to value (cost of equipment, maintenance, etc). Is that a similar track, or did I skip lanes a bit?

On a separate note, we've had people robbing homes for hundreds, thousands of years. You'd think we'd have solved this problem and made homes impenetrable. Well, sure, with enough money and controls.

Anonymous said...

I don't think risk analysis is dead; you do that all day, every day. I think it's just the "R" in ROSI that is dead. Nobody is asking for a return on investment in physical security, either.

I don't buy the "security as insurance" either. Insurance is what you buy to decrease your losses when your prevention fails. I think the best you can do is to lay out your risk analysis, do a performance-based budget, and show your predictable spending vs. your unpredictable spending. It's not exactly parallel with physical security, because you have to spend a lot more time on business-enabling development and testing. It's a weird mix of physical security and regular IT issues.