Tuesday, December 2, 2014

Is Bigger Budget an Adequate Measure of Security Efficacy?

Bigger budgets - the envy of security professionals and the scourge of CISOs the world over. While we'd all like bigger budgets to make security better within our organizations, getting more money to spend isn't necessarily a harbinger of goodness to come.

Earlier a fantastic conversation broke out on Twitter, where else, and it started with this tweet from Tony Vargas retweeted by Adrian Sanabria:

The conversation got a little snarky about how throwing money at a problem clearly doesn't indicate that it'll get any more attention or be any closer to being solved. I then made a comment about the American budget and how spending more isn't really helping there - OK that's a stretch but the parallels are clear, I think.

Stephen Coplan made an interesting point which I've seen made many, many times - but I believe it to be false:
*point of clarification - Stephen pointed out that he's not implying more money equals more efficacy, and I don't intend to represent his comments as such.

I personally do not believe a bigger budget means anything specifically, so to equate higher budget with more relevance- I believe that to be false. I have personally witnessed first-hand how organizations take budget increases to spend wildly on necessary widgets, and then fail to operationalize. Security isn't about spending more, it never has been. In fact, the rapid increase in spending generally means that something went publicly wrong and the budget-holders are trying to make a public display of their sensitivity to fix the issues. Unfortunately all too often these are simply that - public displays with little follow-through.

I believe that rather than focus on how much more money an organization spends as a measure of their seriousness of addressing security issue, we should be focusing on resources. You see, resources is inclusive of everything necessary including the critical people aspect as well as the widgets and gadgets that come in 1U rack-mountable formats to address the issues. Better security comes from better training of existing resources, more executive backing, better communications, and more operational support. Better security comes from a shift in culture, and a willingness by security professionals to reach to the business side and align better to goals and needs, and the business folks making a concerted and serious effort to understand that security issues and breaches aren't just web site defacements anymore.

Security (or rather the criminal aspect of the game) is big business with highly industrialized and specialized trades and vertical markets. Addressing security as a technology problem will lead to more breaches, more lost revenue, productivity, shareholder value and trade secrets to name a few of the obvious. Security isn't a "their problem" anymore, in fact it never has been.

If you're at all paying attention to the absolute worst-case scenario that Sony Pictures is living through right now (Steve Ragan at CSO is churning out an excellent series on the matter, I highly recommend you give it a read) you are becoming painfully aware that we're past business disruption, web site defacements and DDoS. We're into business destruction of the kind that has the potential to cost a company hundreds of millions of dollars not just today, but for years to come.

What will it take for companies to take security seriously, and how will we measure that jump? I don't think the upward delta in budget size is the only indicator here. I believe we need to look at the overall resource allocation to understand whether security is being addressed as a cultural issue in the company, or whether we're just given more capital to buy shiny widgets with.

In the end, Casey John Ellis had the tweet that made our point eloquently. I think he said it best when it comes to the ability to "buy more stuff" for CISOs, in relation to that making a positive program-level impact on the organization-

...and this, my friends, about sums up my feelings on the matter.

No comments: