Doug Lhotka

Technical Storyteller


Opinions and commentary are mine, and do not reflect those of my employer.

(C) Copyright 2019-2023
Doug Lhotka.
All Rights Reserved.
Use of text, images, or other content on this website in generative AI or other machine learning is prohibited.

How much should you spend on security?

September 17, 2018 By Doug


I regularly get asked by new CISOs for information – benchmarks – on how much organizations like theirs should spend on security. That's a deceptively simple question, and while there are plenty of surveys that you can reference, none of them provide more than a rough starting point – there are just too many variables.

The classic measure, ALE = ARO * SLE, is a nice fiction when it comes to cybersecurity. Sure, we all learned it for the CISSP exam – annual loss expectancy equals annual rate of occurrence times single loss expectancy. Put simply, if there are 100 houses in your neighborhood, and 10 burn down a year, that's a 10% ARO. If it costs $100K to rebuild the house (we're ignoring the land and possessions here), then the single loss expectancy is $100K. Multiply and we get $10K per year, so spending up to that amount on fire prevention makes sense. Oversimplified, but you get the gist.

When it comes to a breach, things break down. Looking at SLE first, there are hard costs (fines and settlements, and cost of response) and soft costs (brand damage). So far so good – we can calculate the former with a fair degree of accuracy, especially with GDPR and the new California and Colorado legislation. Soft costs are more difficult, and there's some argument to be made that they're much lower than most studies would claim. Target, Home Depot, Anthem, Equifax, and all the rest may have taken a short-term hit, but lasting brand damage has been hard to find, let alone calculate. Still, for argument's sake, let's stipulate that we can get to some reasonable semblance of a number.

Where things break down is on probability – annual rate of occurrence.  These concepts came from risk management techniques used to price insurance and similar financial vehicles.  We have a decent historical knowledge of the frequency and severity of accidents, fires, floods, hurricanes and so forth.  While any given event may be an unexpected black swan to an individual, at a population level, the actuarial data is quite sound.

But cybersecurity isn't there yet. We're just at the beginning of the storm, and most events are still a black swan even at the population level. Sure, we all know that we're targets, but our sample size isn't large enough to do broad analysis that we can leverage. That's because, unlike all of the other categories, with cyber we have active adversaries working against us. And remember, they only have to get lucky once. We have to be perfect – one failure and we lose. Put another way, to paraphrase my favorite Jedi Master – it's data loss, or loss not. There is no loss partial.

So are we out of luck? Not quite. There are some things that can guide us. First, there are two baselines – audit and hygiene. Spend what it takes to pass the audit. At the same time, there are general things that every organization should be doing today and would be considered negligent if they don't. Encrypting laptops, having a firewall, patching quickly, and so forth are more or less in that category. Call it security hygiene.

Next, it's time to do that data classification project you've been putting off. Yep, it's hard, but you need at least a rough idea of where your crown jewels (close the door) and critical (expensive to lose) data are located. Of course, you might need to really think about what those are before going to look (it's not always what you think). From that you can do rough calculations about cost of loss, and take what are called 'commercially reasonable measures' to protect the information. That's a fuzzy concept, but there's usually enough of an idea (and enough work to be done) that it'll keep you busy for a couple of budget cycles.

Third is awareness. Do you really know what's going on in your environment? Do you have good instrumentation – sensors that tell you what's going on – and can you collect and process that to detect anomalies? SIEM is one part of it, but security intelligence goes much deeper. Once you have it, of course, you need to be able to take action on it, but that's another topic.

Next is the most amorphous one of all.  I commented recently on a post on LinkedIn, and noted that I essentially presume that all of my personal information is already gone.  I still try to protect it of course, but I can’t avoid doing business with companies that have either poor security practices, or have lost it to active attack (one doesn’t always imply the other) – mainly because I can’t control where my data goes.  That fox left the henhouse when my college professors posted grades by SSN outside their offices, and it’s only gotten worse from there.

So what do I mean by the amorphous one? It's the ethical and moral aspect. How would you want your information protected? Or your parents'? Or your kids'? Ironically, some of the best protected data (credit cards) is the least damaging to the person if it's exposed. Losing a card number is annoying. Losing an SSN is a much bigger deal, but that has already happened for essentially everyone. Losing medical records, well, that's a whole different story. Ask any security professional in your organization and they'll have a pretty good idea if you're doing a reasonable job protecting information or not.

Last is the reality check. How much can we afford to spend and stay in business? How much can we not afford to spend and stay in business?

Put all those together and we have a decent working model to determine our security budgets.  It takes auditors and accountants, technicians and data analysts, attorneys and regulators.  But in the end, it takes a mirror – when we look into it, are we confident we’re doing the right thing for our shareholders and our customers (or products if you’re a data broker)?


How do you justify your security budget?

August 4, 2017 By Doug


As part of my day job, I get to talk with a wide range of organizations across many different industries, and annual budget time is just kicking off. This year I've seen two intersecting trends: first, a growing willingness (resignation?) among business owners that they have to pay much more attention to security and pay more for it, and second, a demand for some way to measure the effectiveness of that spend. As one business leader asked, how do you tell the difference between an effective program and just plain luck?

It's a tough question for a number of reasons. After all, we have to be good 100% of the time, and our adversaries only need one solid success to undo all our work. Teams are reporting raw counts of attacks thwarted, malware remediated, time to discover, time to remediate, records lost, and so forth. Those are all important, but they only show activity, not effectiveness, and none really get to the cyber-economic case for the security investment.

The formal answer is that we should spend money less than or equal to the annualized loss expectancy for the asset involved: ALE = Single Loss Expectancy * Annual Rate of Occurrence. Sounds great, and you're all set to pass the CISSP exam, but is that possible in the real world? At the moment, I'd argue no. While we do have good data for some factors – the Ponemon Cost of a Data Breach study just came out (though the Anthem breach settlement will skew the next one) – and a pretty good handle on the daily grind of malware, phishing and compromised accounts, the worst incidents don't fall into those categories.
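The ALE arithmetic that both posts lean on (the house-fire walkthrough in the first, the formal CISSP statement here) is short enough to put in a small calculator, and doing so makes the second post's objection concrete: once the annual rate of occurrence is only known as a wide interval, the "spend up to ALE" ceiling spreads out by the same factor. The code below is an added example, not from either post; the fire numbers are the first post's, while the breach SLE and the ARO interval are constructed values for illustration, and the control-cost figures are likewise assumed.

```python
"""ALE calculator (added example; not the author's code).

ALE = SLE * ARO, as in the posts above.  The helpers show the arithmetic
on the post's fire-insurance numbers and then on a breach scenario where
ARO is only known as an interval, which is the situation the second post
describes for black-swan incidents.
"""
from dataclasses import dataclass


def ale(sle: float, aro: float) -> float:
    """Annual loss expectancy: single loss expectancy times annual rate."""
    if sle < 0 or aro < 0:
        raise ValueError("SLE and ARO must be non-negative")
    return sle * aro


def ale_range(sle: float, aro_low: float, aro_high: float) -> tuple[float, float]:
    """ALE bounds when ARO is only known to lie in [aro_low, aro_high]."""
    if aro_low > aro_high:
        raise ValueError("aro_low must not exceed aro_high")
    return ale(sle, aro_low), ale(sle, aro_high)


def spread_factor(aro_low: float, aro_high: float) -> float:
    """How many times wider the spending ceiling is at the top of the ARO
    interval than at the bottom.  A factor of 50 means the 'formal answer'
    gives no usable budget figure."""
    if aro_low <= 0:
        raise ValueError("aro_low must be positive to compute a ratio")
    return aro_high / aro_low


def control_net_benefit(sle: float, aro_before: float, aro_after: float,
                        annual_control_cost: float) -> float:
    """Classic return-on-security-investment check: ALE removed by a control
    minus what the control costs per year.  Positive means the control pays
    for itself under these inputs; it is only as good as the ARO estimates."""
    return ale(sle, aro_before) - ale(sle, aro_after) - annual_control_cost


@dataclass(frozen=True)
class Scenario:
    name: str
    sle: float
    aro_low: float
    aro_high: float


# Constructed scenarios.  The fire figures are the first post's example
# (10 of 100 houses per year, $100K to rebuild); the breach figures are
# assumed for illustration, not drawn from any study.
SCENARIOS = [
    Scenario("house fire", sle=100_000, aro_low=0.10, aro_high=0.10),
    Scenario("breach (ARO unknown)", sle=1_000_000, aro_low=0.01, aro_high=0.50),
]


def main() -> None:
    for s in SCENARIOS:
        low, high = ale_range(s.sle, s.aro_low, s.aro_high)
        print(f"{s.name:22s} ALE ${low:>12,.0f} .. ${high:>12,.0f} "
              f"(spread x{spread_factor(s.aro_low, s.aro_high):.0f})")
    # Assumed control: halves-plus the fire ARO for $5K a year.
    print(f"fire control net benefit: ${control_net_benefit(100_000, 0.10, 0.02, 5_000):,.0f}")


if __name__ == "__main__":
    main()
```

Run as-is to see the two rows: the fire scenario yields the post's $10K ceiling, while the breach scenario's ceiling runs from $10K to $500K, a 50x spread that comes entirely from not knowing ARO.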

Both in severity and frequency, we are lurching from one black swan event to another. You know, those company-jeopardizing, class-action-attorney-enriching breaches. I gave a keynote on cognitive security recently and attendance was down because NotPetya hit that morning. No one predicted it, and there's no way to predict when, what, or how the next one will hit. Our best estimate is that things are getting worse, not better – more sophisticated, less frequent, more impactful – but as the SEC is fond of reminding us, past performance is no guarantee of future success – or failure. We simply can't predict the future. Anyone who says differently should quit their security job and go work in the stock market.

All that makes the CISO's life painful through the budgeting process – do you get more money if you were hit by Petya/WannaCry/NotPetya because you had insufficient capability, or do you get fired for blowing last year's budget on an ineffective program? That's one of the reasons most CISOs are focusing heavily on incident response, not just detection and prevention. They're also starting to step back and ask themselves if they're getting good value for the investment – particularly in niche tools, or ones focused on yesterday's threat (like signature-based antivirus). As for the budget itself, what I see most organizations using is a combination of baseline no-brainer capabilities, regulatory requirements, and peer best practices to find the sweet spot for the 'commercially reasonable measures' budget target. Right now, keeping up with the Joneses is a common target. Or to put it another way, we don't have to be faster than the bear – we just have to be faster than the next guy running.
