In the first part of this discussion, "Walking the Talk," we concluded that the lamentable state of a typical enterprise security strategy is a result of uncoordinated investment in their security ecosystem.
In fact, if you want to understand the reactive way most enterprises handle data security, the Whac-a-Mole game can help you visualize the process. When a company security ecosystem is breached, the company directs money toward fixing the breach and seeing that it works. If the breach is severe or embarrassing, the CIO or CISO is asked to "do the right thing." The company repeats this process as often as needed.
In short, most enterprises don't seem to have any semblance of a cohesive security strategy.
Smoke and Mirrors
When I started to understand how companies typically fund security, I kept hoping my conclusions were wrong. Unfortunately, the deeper I looked, the more obvious it became that there's a paradox between the typical hysteria surrounding security breaches and what companies are actually willing to spend to prevent them.
Let's take a look at Figure 1, which shows what most companies spend on data security.
Figure 1: Median Security Spending
On average, CISOs are allocated a consistent 2 percent of their organizations' IT budgets for security spending. If IT budgets are dropping, then we can conclude that associated security budgets may be dropping as well, in real dollars.
Some caveats to this conclusion are appropriate:
- First, it's important to recognize that security budgets vary by industry vertical, and size of the company.
- Also, there may be elements of security spending that are buried in specific projects and not visible as this data is collected.
- Over time, the more mature the enterprise's security strategy, the more they spend on security.
To be completely fair, Gartner's Research Note titled: IT Security Budgets and Staffing Projections for 2012: Constant Demand and Constant Spending that was published March 8, 2012, shows a higher level of median security spending in surveys of its customers. However, it also indicates that security is ranked as a very low priority for CIOs in 2012 (No. 10 out of 11 categories).
This all seems very puzzling. To my knowledge, no group or professional body suggests we're winning the security wars, yet related enterprise budgets and priorities strongly suggest that security is, at best, overhyped or, at worst, not a real business priority.
To successfully confront cloud security, we need to understand and resolve the paradox between the need to mitigate security risk and the investment companies are prepared to contribute to it. Towards that end, let's look at Figure 2.
Figure 2: Security Investment Paradox
First, understand that the concept behind the Security Investment Paradox is a work in progress. One component of the curve focuses on the popular perception that your first investment dollar buys you more protection than your last investment dollar. Thus, a CFO or LOB could rationalize that they are getting "good enough" security for what they could afford to spend. Arguably, this approach may have been acceptable when the enterprise was a self-contained security framework (i.e., in pre-cloud days), but it is absolutely not sustainable when you're relying on others to provide security coverage.
The second concept in the model is that the two points on the curve (Affordable and Actually Needed) are both defined by factors largely outside the decision-maker's scope. The difference between the two represents the gap between security spending and adequately addressing the threat.
Throwing money at the issue by buying more signatures or more capable intrusion detection systems (IDS) isn't as important as understanding the impact of various mitigation steps such as:
- Employee education
- Understanding your control bypass rate
- Developing a security strategy
Measuring the Value of Security Investments
To begin to understand how to best invest in cloud security frameworks, you must recognize three rules:
1. Security solutions add no intrinsic value to your business unless you can demonstrate savings, cost avoidance, and improved user experience.
2. Security return on investment doesn't follow the classic bell curve model that your CFO or LOB groups associate with hardware and software purchases. Expect push-back.
3. Breach exposure (categorized as malware, hacking, social, misuse, error, physical, and environmental) occurs across your entire defensive perimeter (i.e., data center, communications, end-user devices). To invest wisely in your defense strategy, you must understand the who, what, which, and how of these breaches and the related bypass rates.
Next, you must define risk and your defense layers. As discussed in our last post, enterprise risk is a simple concept composed of two parts: acceptance and management. Unfortunately, you can't affordably protect everything, and you certainly can't protect everything well once it moves to the cloud.
Almost 50 years ago, McGeorge Bundy, an advisor to President Kennedy, observed a tendency to protect all information as if it were top secret.
"The moment we start guarding our toothbrushes and our diamond rings with equal zeal," he said, "we usually lose fewer toothbrushes and more diamond rings." ¹ It seems this observation still has value.
In my next blog, I'll begin to explore the business issues surrounding security and introduce a means for you to approach security using an investment framework in use at Intel.
I'm interested in feedback regarding how your organization funds security. To join the conversation, please contact me through Twitter.
Bob Deutsche provides business and technical advisory services as well as thought leadership to mid- and senior-level executives in the Global 50 and public sector. With 30 years of experience in industry, Bob's background includes centralized and LOB IT organizations, data center operations, software development, and CIO positions. Bob is a retired Lt. Colonel in the U.S. Air Force and holds a Master's of Science in Systems Management from the University of Southern California, Viterbi School of Engineering.
The above insights were provided to InformationWeek by Intel Corporation as part of a sponsored content program. The information and opinions expressed in this content are those of Intel Corporation and its partners and not InformationWeek or its parent, UBM Techweb.
¹ Joel Brenner, "America the Vulnerable: Inside the New Threat Matrix of Digital Espionage, Crime, and Warfare," The Penguin Press, 2011, p. 211.