I regularly get asked by new CISOs for information – benchmarks – on how much organizations like theirs should spend on security. That’s a deceptively simple question, and while there are plenty of surveys that you can reference, none of them provide more than a rough starting point – there are just too many variables.
The classic measure, ALE = ARO × SLE, is a nice fiction when it comes to cybersecurity. Sure, we all learned it for the CISSP exam – annual loss expectancy equals annual rate of occurrence times single loss expectancy. Put simply, if there are 100 houses in your neighborhood, and 10 burn down a year, that’s a 10% ARO. If it costs $100K to rebuild the house (we’re ignoring the land and possessions here), then the single loss expectancy is $100K. Multiply and we get $10K per year, so spending up to that amount on fire prevention makes sense. Oversimplified, but you get the gist.
When it comes to a breach, things break down. Looking at SLE first, there are hard costs (fines, settlements, and the cost of response) and soft costs (brand damage). So far so good – we can calculate the former with a fair degree of accuracy, especially with GDPR and the new California and Colorado legislation. Soft costs are more difficult, and there’s some argument to be made that they’re much lower than most studies would claim. Target, Home Depot, Anthem, Equifax, and all the rest may have taken a short-term hit, but lasting brand damage has been hard to find, let alone calculate. Still, for argument’s sake, let’s stipulate that we can get to some reasonable semblance of a number.
Where things break down is on probability – annual rate of occurrence. These concepts came from risk management techniques used to price insurance and similar financial vehicles. We have a decent historical knowledge of the frequency and severity of accidents, fires, floods, hurricanes and so forth. While any given event may be an unexpected black swan to an individual, at a population level, the actuarial data is quite sound.
But cybersecurity isn’t there yet. We’re just at the beginning of the storm, and most events are still a black swan even at the population level. Sure, we all know that we’re targets, but our sample size isn’t large enough to do broad analysis that we can leverage. That’s because, unlike all of the other categories, with cyber we have active adversaries working against us. And remember, they only have to get lucky once. We have to be perfect – one failure and we lose. Put another way, to paraphrase my favorite Jedi Master – It’s data loss, or loss not. There is no loss partial.
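As an added example (not code from the original post), the textbook ALE calculation from the house-fire paragraph above, carried through to the point the post makes about breaches: the SLE can be estimated from hard and soft costs, but the ARO can only be bounded loosely, so the ALE comes out as a wide band rather than a number. The breach cost figures, the ARO bounds and the five-year horizon are constructed, assumed values.

```python
import math
from dataclasses import dataclass

@dataclass(frozen=True)
class Scenario:
    name: str
    sle: float        # single loss expectancy, dollars
    aro_low: float    # lowest plausible annual rate of occurrence
    aro_high: float   # highest plausible annual rate of occurrence

def sle_from_costs(hard: float, soft: float) -> float:
    """SLE as the post breaks it down: hard costs (fines, settlements, response)
    plus soft costs (brand damage)."""
    return hard + soft

def ale(aro: float, sle: float) -> float:
    """Textbook annual loss expectancy: ALE = ARO * SLE."""
    return aro * sle

def ale_band(s: Scenario) -> tuple[float, float]:
    """Range of ALE values implied by the uncertainty in ARO."""
    return ale(s.aro_low, s.sle), ale(s.aro_high, s.sle)

def band_spread(s: Scenario) -> float:
    """Width of the ALE band relative to its low end (0.0 = ARO known exactly)."""
    low, high = ale_band(s)
    return (high - low) / low if low else math.inf

def prob_at_least_one(aro: float, years: int) -> float:
    """Chance of at least one loss over a multi-year horizon; with an adversary
    who only has to get lucky once, this is what the budget is really buying down."""
    return 1.0 - (1.0 - aro) ** years

# The post's house-fire figures: 10 of 100 houses burn a year, $100K to rebuild.
HOUSE_FIRE = Scenario("house fire", sle=100_000, aro_low=0.10, aro_high=0.10)
# Constructed breach figures (assumed): hard costs estimable, ARO only loosely bounded.
BREACH = Scenario("data breach", sle=sle_from_costs(hard=3_000_000, soft=1_000_000),
                  aro_low=0.02, aro_high=0.40)

if __name__ == "__main__":
    for s in (HOUSE_FIRE, BREACH):
        low, high = ale_band(s)
        print(f"{s.name:12s} ALE ${low:,.0f} .. ${high:,.0f}  spread {band_spread(s):.0%}")
    print(f"breach within 5 years: {prob_at_least_one(BREACH.aro_low, 5):.1%} .. "
          f"{prob_at_least_one(BREACH.aro_high, 5):.1%}")
```

The house-fire band collapses to the post's $10K because the ARO is known; the breach band runs from $80K to $1.6M on the same SLE, which is the budgeting problem the post describes.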
So are we out of luck? Not quite. There are some things that can guide us. First, there are two baselines – audit and hygiene. Spend what it takes to pass the audit. At the same time, there are general things that every organization should be doing today and would be considered negligent for not doing. Encrypting laptops, having a firewall, patching quickly, and so forth are more or less in that category. Call it security hygiene.
Next, it’s time to do that data classification project you’ve been putting off. Yep, it’s hard, but you need at least a rough idea of where your crown jewels (close the door) and critical (expensive to lose) data are located. Of course, you might need to really think about what those are before going to look (it’s not always what you think). From that you can do rough calculations about the cost of loss, and take what are called ‘commercially reasonable measures’ to protect the information. That’s a fuzzy concept, but there’s usually enough of an idea (and enough work to be done) that it’ll keep you busy for a couple of budget cycles.
Third is awareness. Do you really know what’s going on in your environment? Do you have good instrumentation – sensors that tell you what’s going on – and can you collect and process that data to detect anomalies? SIEM is one part of it, but security intelligence goes much deeper. Once you have it, of course, you need to be able to take action on it, but that’s another topic.
Next is the most amorphous one of all. I commented recently on a post on LinkedIn, and noted that I essentially presume that all of my personal information is already gone. I still try to protect it of course, but I can’t avoid doing business with companies that have either poor security practices, or have lost it to active attack (one doesn’t always imply the other) – mainly because I can’t control where my data goes. That fox left the henhouse when my college professors posted grades by SSN outside their offices, and it’s only gotten worse from there.
So what do I mean by the amorphous one? It’s the ethical and moral aspect. How would you want your information protected? Or your parents’? Or your kids’? Ironically, some of the best-protected data (credit cards) is the least damaging to the person if it’s exposed. Losing a card number is annoying. Losing an SSN is a much bigger deal, but that has already happened for essentially everyone. Losing medical records, well, that’s a whole different story. Ask any security professional in your organization and they’ll have a pretty good idea of whether you’re doing a reasonable job protecting information or not.
Last is the reality check. How much can we afford to spend and stay in business? How much can we not afford to spend and stay in business?
Put all those together and we have a decent working model to determine our security budgets. It takes auditors and accountants, technicians and data analysts, attorneys and regulators. But in the end, it takes a mirror – when we look into it, are we confident we’re doing the right thing for our shareholders and our customers (or products if you’re a data broker)?