Security ROI

Security Done Well, The Ultimate ROI

To accept anything I’m going to say in this post, we need to agree on the definition of ‘investment’. The OED has 3 definitions;

  1. The action or process of investing money for profit;
  2. A thing that is worth buying because it may be profitable or useful in the future; and
  3. An act of devoting time, effort, or energy to a particular undertaking with the expectation of a worthwhile result.

For the purposes of this blog, I’m taking the word ‘useful’ in definition 2. and the entirety of definition 3. I’m not that biased toward my chosen profession that I believe spending money on security will actually make you money, but I do believe that any effort to stay competitive in this day and age requires the current perception of security to be completely overhauled.

In my career I have compared security to insurance, the law, and to chewing tinfoil; you only do it because you have to, it’s too complicated, and it’s very irritating, respectively.  It’s no wonder that it gets the short-shrift that it does, especially when one or all of these comparisons come from the CEO him/herself.

If you can also accept that not LOSING money is also a ROI, then we can begin.

I was recently told that unless we security experts can put security into terms the business side of an organisation can understand, we’re wasting our time. I’ve done that my whole career I thought, but I missed the trick of putting security into a financial CONTROL perspective, mostly because finance is not my background. So thank you Jeff Hall for that.

These are my Top 5 reasons that security provides an ROI well above that of almost all other individual departments, including sales:

  1. Competitive Advantage
    I have touched upon this in several blogs, but the basic premise is that in the information age, the majority of businesses are almost entirely based on the manipulation of some form of data. Data in context is information, information in context is knowledge, and knowledge applied correctly is wisdom, and so on. It follows therefore that the ages old concept of Confidentiality, Integrity, and Availability (C.I.A.) very much applies. So if your data is the foundation of all of your businesses services, why is it not treated accordingly?
  2. Business Transformation
    Similar, but different enough from Competitive Advantage to warrant its own section. Again, seeing as data is central to all things, the ability of an organisation to order, compile and retrieve their accurate data faster gives them the ability to adjust their processes in the face of customer needs, or competitive threat. If you don’t know what you have, or in detail how you do what you do WITH what you have, you cannot make change fast enough. Competitive advantages in the Information Age last weeks / months, you simply don’t have years to  catch up.
  3. Financial Control
    All finance these days is just data in context, and while security will never be able to provide that context, access TO, and the integrity OF the data can provide a much welcome check and balance for the control of an organisation’s financial data assets. Regulations like SoX have security as part of their requirements, but it goes no-where near far enough to provide much benefit. A security program done well would cover this and a whole lot more.
  4. Avoidance of Fines / Loss of Reputation
    Globally, more and more regulations are in the works that can have significant negative monetary implications. PCI is probably the best known, but the Information Commissioners Office (ICO) here in the UK can fine up to £500K per event for the loss of personal data. The EU General Data Protection Regulation (GDPR) can impose fine of up to 2% of GLOBAL revenue for a similar loss. These fines are monetary, but the loss of reputation can potentially be far worse.
  5. Cheaper IT Infrastructure and Maintenance
    This may seem strange, even counterintuitive, but you only get real security when all the processes are simple, and you can only achieve simple if everything you have is a known-good, or baseline. These baselines are hard to achieve, and can be expensive in the short-term, but the long term costs are significantly lower than trying to either constantly work with too much (technology, data, people etc.), or fix what’s broken because you couldn’t detect a problem in time to prevent it from becoming a disaster.

Security is simple, and done well provides benefits way beyond what most business people can possibly envision, but ignorance of this has always been, and will always be, the CEO’s fault;

“Let’s be very clear; The CEO sets the tone for the entire company: its vision, its values, its direction, and its priorities.  If the organisation fails to achieve [enter goal here], it’s the CEOs fault, and no-one else’s.”

Just ask Target’s or Equifax’s outgoing CEOs if they wished they had paid more attention to security.

[If you liked this article, please share! Want more like it, subscribe!]

Continuous Compliance Validation

Annual Validation is Dead, it’s Time for Continuous Compliance

As you probably know, the PCI DSS is a minimum set of security controls that must be in place around anything that transmits, stores, or processes cardholder data. That’s probably why the card brands and the SSC get so irritated that even this basic set of good practices is so hard to achieve.

That said, unless you have a way of monitoring and maintaining your compliance within these baselines, it’s not only VERY difficult to stay compliant (let alone secure), it makes validation of your compliance an annual nightmare of gathering screenshots, log samples, and so on. I estimated that validation of controls can take up to 50% of the entire annual assessment cycle.

This is a tremendous loss of resource time, and does nothing for your ROI. So why DOES the PCI DSS only require an annual point-in-time validation and not validation of continuous compliance? Yes, you are accountable to stay compliant at all times, but you only have to validate it once a year, and – if you’ve earned it – on only a sample of your systems.

The answer is, they simply cannot go that far. Continuous compliance validation is far more difficult than achieving PCI compliance, and is firmly in the realms of good security practices. They can enforce minimums, they cannot enforce more than that and get the necessary acceptance.

So what IS Continuous Compliance Validation? “It is the near real-time notification of a variation from your baseline norms.” Or to put it another way; once you know what something should look like all day every day, you want to know if it changes from that.

For example, the PCI DSS specifies over 20 validation points for an operating system; e.g. business justification for all listening ports; access control; logging; FIM and so on. Once a year, you have to show your assessor that these validation points meet the DSS requirements, and that’s it for the YEAR! All too often, systems fall out of compliance within a matter of days.

Instead, what I propose, is that you should automate (as much as possible) the collection of that validation data, and compare it to not only the PCI DSS requirement minimums, but to ALL of your compliance / regulation / internal policies / standards. And not yearly, but hourly, daily, weekly, whatever makes sense. Wouldn’t you rather show your assessor a green checkmark for ALL of your systems than a dozen screenshots for a mere sample?

If this can be configured for just 50% of your in-scope devices, your entire annual validation burden will be enormously reduced. Plus, you also have a very convincing addition to your compensating controls for lack of FIM or AV (if applicable).

Best of all, you are now doing security as it was meant to be done; Enterprise wide, and Business As Usual.

Any operating system experts out there want to help me put this together?

[If you liked this article, please share! Want more like it, subscribe!]