Message-ID: <OF1AEE64AB.29A101CD-ONCA2571F4.0057644E-CA2571F4.005A4443@au1.ibm.com>
Date: Tue, 26 Sep 2006 02:26:01 +1000
From: Benjamin Robson <ben.robson@...ssicblue.com.au>
To: "Kenneth F. Belva" <ken@...security.com>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com,
full-disclosure-bounces@...ts.grok.org.uk
Subject: Re: Could InfoSec be Worse than Death?
Ken,
I think your premise is based on a couple of pieces of flawed thinking.
Firstly, your statement, "After all, information security doesn’t make
money–it only spends." in my experience is actually incorrect. An
effective information security outcome actually will save a company a
significant amount of money. In my experience achieving an effective
information security outcome for an organisation is more based on policy
and procedure than it is through the implementation of technology. There
are plenty of examples of organisations that are running with little or no
security toolkit that are not exploited, achieving their security outcomes
through effectively implemented, maintained and followed policy and
procedures.
It is through these policies and procedures that companies can save
themselves significant money. When an effective policy and procedure set
is in place the organisation does not gain a security outcome because some
document says "thou shalt do things securely", it achieves a security
outcome because specific behavioural requirements are stated and
procedures provide how to meet these requirements. This proceduralisation
of steps to achieve the requirements means that overall operational
quality is improved, reducing the risk to the operational status of the
business overall, and allows cheaper less skilled staff to be utilised for
more scheduled, operational duties. It does not remove the need for
higher end technical skill-sets, but it means that instead of having a
$100K p.a. staff member creating email accounts off-the-cuff the
organisation can have a $50K p.a. staff member creating email accounts
reliably by following the documented procedures.
So information security outcomes should not be presented as a cost-base
for an organisation, but as an operational overhead reducing mechanism
that has the added bonus of reducing the operational risk to the business
and also the reduction of the information security risk as well. In other
words the company saves money as well as improving reliability and
security. How could a CFO not like that?!
Secondly, in answer to your question "Why is it so hard to convince
management to spend on security?", I would say because the language
information security professionals use is so foreign to the audience as to
be ineffective. When a C** level person, Director or other company
executive meets a member of the IT staff the first thing that happens,
shortly after the IT person opens their mouth, is that the C** level
person, Director or other company executive's mind switches off the
listening mechanism and ponders things more familiar to them. They are
typically neither capable of nor interested in the ins-and-outs of why something
happens, only when can they have a particular capability or when is it
going to be fixed.
The reason for this is because these people do not exist in a world of
technology detail or implementation. They live in a world of revenue,
cost, P&L, assets and business risk. What this means is that we, as
security professionals, need to adapt our language to be that which they
can understand. For example, instead of talking about servers,
workstations, disk, etc... we need to talk in terms of Information Assets.
When talking of information security outcomes we need to talk in terms of
Information Asset Protection, and Business Risk mitigation. These are
concepts that are easy for them to grasp. So when speaking of needing
budget for a specific project one should not highlight the features it
brings and how wonderful the blinking lights are, but should speak in
terms of the current business risk that exists, the potential impact on
the operational status of the organisation (including costs if
quantifiable), and how much the project will save the organisation
relative to the cost.
For example, if looking to sell a Security Policy development project,
demonstrate that without adequate policy sets the organisation's staff
have no clear definition of what is required of them that is linked to the
organisation's business planning. Show how by effectively defining the
organisation's needs through the policy set, procedures can be derived to
meet these needs that will allow the organisation to reduce the
operational overheads of the organisation through the ability to use less
skilled resources and the improvement of quality in outcomes. If looking
to establish an anti-spam project, demonstrate how such a project can
reduce the risk to the operational environment, improve productivity,
reduce exposure to litigation through inappropriate materials and
potentially lower the bandwidth costs of the company.
The trick to engaging with the cheque signers within the organisation to
achieve security outcomes is to demonstrate a cost benefit to the
organisation and to speak in terms that are common to business management.
Not to make it more complex through the introduction of more detailed
language frameworks such as "Virtual Trust". I mean without reading the
background documentation I (having worked in this space for almost 8
years) have no idea what is specifically meant by the term "Virtual Trust"
(I can take a guess, but until I read the documentation it is just a
guess). So if you walk up to a CEO and say "Hey boss, I'd like to talk
about Virtual Trust", I don't think you're going to get 100% of his
attention, as opposed to going "Hey boss, I'd like to talk about reducing
this business risk whilst reducing our operational costs."
--
Benjamin M.A. Robson
Senior Security Consultant
Classic Blue Solutions
134-142 Ferrars St, Southbank
Victoria, Australia, 3006
Phone: +61-(0)3-9684-3104
Mobile: +61-(0)434-149-022
Fax: +61-(0)3-9682-8680
"Kenneth F. Belva" <ken@...security.com>
Sent by: full-disclosure-bounces@...ts.grok.org.uk
25/09/2006 10:05 PM
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
cc:
Subject: [Full-disclosure] Could InfoSec be Worse than Death?
[From: http://www.bloginfosec.com]
Our current way of viewing information security is loss prevention. It
is an insurance model. And, although insurance is useful and necessary,
senior managers are not likely to spend one dollar more than necessary
to obtain the needed protection. After all, information security doesn’t
make money–it only spends.
Why is it so hard to convince management to spend on security?
This is not a new problem. In Woody Allen’s 1975 classic “Love and
Death”(1), he writes: “There are some things worse than death. If you’ve
ever spent an evening with an insurance salesman, I’m sure you know
exactly what I mean!”
There is an alternative: Virtual Trust(2) as an information security
model. According to the Virtual Trust model, security actually creates
business and generates revenue.
The VT model can be expanded to describe the breakdown of all modern day
computing (via worms, viruses, phishing) since these nefarious
activities weaken trust. VT can also explain positive business changes
such as the creation of digital assets via DRM (iTunes, Unbox) whereas
the insurance model cannot fully.
(1) http://en.wikipedia.org/wiki/Love_and_Death
(2) http://www.ftusecurity.com/pub/VT-belva-dekay-final.pdf
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/