How your Boss can put a Dollar Sign on your Cyber Security Policy
Jun 12, 2015
This is a guest blog post. Views expressed in this post are original thoughts posted by Chris van ‘t Hof of Tek Tok. These views are his own.
Perhaps you are one of the people who suspect hackers are knocking on the digital doors of your organization. You are probably right. But have you ever tried to convince your management team that your organization should spend more on cyber security measures? If you are a Chief Information Security Officer, you probably have to, even though it is the worst part of your job. If your organization has never been hacked, you have either done your job well or just got lucky, but no one sees the need for improvements. Crying “the cyber apocalypse is near” will only help for a while, and so will claiming they will just have to trust you on this one too. And in the event your organization finally is hacked, you are the one to blame, and by then it’s too late…
How do you convince the management board that cyber security is, just like any other policy, a matter of planning and analyzing the cost and effects of measures? You build a model, and that’s just what the RAND Corporation did. “The Defender’s Dilemma: Charting a Course Toward Cybersecurity” (June 2015) is a study they performed for Juniper Networks. It describes interviews with 18 CISOs, a literature review, the security tools in use, and their model. Although their empirical base is too thin to provide an overview of the present state of cyber security in general, the model is a handy tool for analyzing your own.
It works quite simply: you fill in a questionnaire and the model calculates how your spending on cyber security (training, tools, measures to separate connections, etc.) balances out against the costs of the kind of cyber attack that typically hits an organization like yours (size, value of data, resilience, etc.). Of course these calculations are far from reality, as the model rests on so many assumptions that will influence the outcome. At best it is a way to make the forces at work explicit, so that you can compare your organization to others. But adjusting some values here and there does give you clearer insight into the effects of your policy options. Moreover, as more respondents join in, more data is gathered, and in the end the model will work as a pretty good benchmark for comparing your strategy to that of your peers.
Then again, if you are really aware of cyber threats, you are not going to fill in an online questionnaire on your security policy, are you? It might just be a penetration tester trying to social engineer his way into your organization… Then don’t, and just read the report, as it may still come in handy.
First, to learn how other CISOs are doing. For example, what they fear most is the effect a cyber attack may have on the reputation of their organization. So the problem is not how much or what kind of data may be lost, but simply the fact that data is lost at all and customers may lose trust. Also, most of them don’t trust a single vendor for their tools and would rather spread their risks. Or this one: “Risk calculations are often colored by recent events”, while “the most damaging threats are those that were not anticipated”. Sound familiar?
Second, the report provides an interesting overview of why software evolves with so many vulnerabilities, one of the origins that enable hackers to enter. Innovation and usability still overrule security, both with the people who write software and with the ones using it. In short: it’s cheaper to just build on current software, release it soon and patch it on the go than to start from scratch building more secure software. Therefore, spending a bit more on secure software will surely yield a good return on investment in the long run.
Third, according to the model, size matters. Large organizations appear to have a larger attack surface, but economies of scale teach us it can be beneficial to have specialized personnel to cope with attacks. Small organizations, on the other hand, risk overspending by hiring new security staff and should put their money on some tools that might just be enough to keep the hackers out.
The RAND model helps to rationalize security policy and to quantify the costs and benefits of policy measures for both the CISO and the CEO. But let’s not forget the qualitative aspects. Stories on who was hacked, how and why may be just as valuable for improving security policy, and they don’t cost you anything more than your time. The model does not take that into account, but just talking about whether it works or not may be a good start for doing exactly that.