Increasingly, corporate officers are tasked with managing the risk of IT security incidents, as the business comes to accept that prevention alone is insufficient; IT security risk is treated like any other risk to the business. This is leading to an emphasis on effective detection and rapid response to contain the impact of what are now considered foreseeable events. Even so, IT and security leaders face ongoing challenges in obtaining funding to focus on impact mitigation. Old habits persist, and IT security spend is still considered a cost center with no ROI – especially in mid-market organizations.
When it’s time to go before leadership to discuss proposed security investments, communicating threats and vulnerabilities along with examples of incidents at peer organizations is one way we’ve marketed the value of security. Associating an IT security event with an undesired business outcome is one method – but increasingly, so is the business value proposition. By using the language of business and demonstrating how these investments reduce the overall risk to the organization, the conversation takes a different tone.
Critical Insight’s CISO, Mike Hamilton, knows this issue first-hand. As a former CISO of a major US city, Managing Consultant for VeriSign Global Security Consulting, and Founder of Critical Insight, Mike has been on all sides of the desk – buying, selling, and advising. Bringing his unique context to bear, we sat down with him to talk about our latest published guide, How to Budget for Managed Detection and Response (MDR) - a 6-Step Guide for IT Security, where six strategies are explained in greater detail.
Institutionally, what are the barriers to focusing on impact minimization?
Well, old habits die hard. IT security is still viewed as a cost center on balance sheets, rather than an investment in risk management like insurance. Which is strange, because insurance, or transferring risk, seems to be more popular than mitigation through controls. Seems fatalistic. But I digress.
More seriously, I think it’s an artifact of how we’ve collectively tried to make a value proposition for security controls – mainly preventive controls. Historically, it’s scary stuff, claims that preventive technologies will solve problems, finding we have to add people to those technologies – and all of a sudden we’re spending a ton of money, and we’re not really any more secure. Stuff still happens. So it’s hard to go back to that well. Don’t get me wrong – the scary stuff has become a lot scarier and closer to home, but daily news has helped to build immunity against fear, uncertainty, and doubt as a driver of funding.
Lastly, it’s pretty expensive if you DIY a 24/7 security operations center staffed with analysts. Detection requires data collection, exposure to analytics, prioritization and triage, investigation, confirmation, response, and recovery – with people all wrapped around that to make it awesome. Trying that at home means a big investment. Sub-enterprise organizations have access to alternative solutions that don’t require staffing, but the perception persists.
How would you change the message to leadership to move this needle?
This is a bit of a paradigm change, primarily. All this time we’ve been investing in prevention, to “make things not happen”. Now we’re talking about admitting that things will happen, and working to deal with those things so that they’re effectively irrelevant when they do. To drive that home, a “good” impact is the clean-up or even reimaging of someone’s desktop computer. A “bad” impact is when the FBI calls to tell you that your customer or constituent database is for sale on the dark web. Use examples like that – especially if they’re empirical and backed up by a reasonably current event.
Improve our bad marketing. We’ve typically communicated justification for budget as a response to threats – real and perceived (or heavily marketed by “cybersecurity” companies). This tactic is a little worn out and ineffective today. We haven’t learned yet to create good value propositions to the business, in terms that the business understands. Talk money and liability and risk, in that order.
What’s the fastest turn-around time you’ve seen for new budget approval? Why?
Hmmm. Most of it was hard in the public sector because of the way things are funded and procured. Changing endpoint security agents was especially hard as I remember. Quick approval of budget requests has usually been a response to an event that caused loss. Avoidable loss. So both budget and authority have been known to rain from the sky as a reaction to hitting a security landmine.
An example is a website that was compromised and was pushing malware on visitors. Once that was cleaned up, authority was immediately granted to require application security testing as part of procurement and in-house development, and funding was applied to outsource the testing. Just like that.
What do you recommend when the budget proposal is not approved?
First, don’t be surprised. It may take multiple requests and some investment of effort to create and “market” the value proposition for improving detection and response. In the interim, embrace the change in conversational tactics, and keep talking about risk in terms of its components: likelihood and impact. Use units of dollars to establish a level of liability. Start talking in specifics, for example if there are 10K records on a networked asset which, if disclosed, would necessitate compliance with a data breach reporting statute. Using $200 per record as a benchmark, that’s $2M in potential liability. Dollars get the attention of leadership. But the message here still is the need for effective marketing, using the language of business.
Another good tactic is to start/continue to report widely on security observations. The variety and frequency of security probes blocked by security technologies, number of A/V events and compromised assets, frequency and source of password failures, frequency of IDS alerts, etc. are all good to report internally – to peers, as well as executives and leadership. Leadership loves to see what’s going on with security – so show ‘em.
Do you have any secret tips not included in the guide?
No. Just read the guide. OK, here’s one. Because of institutional inertia, leadership takes a report from a consultant more seriously than recommendations from mid-management. Getting a security assessment can be inexpensive, and likely below the “signing limit” of that mid-management. Use your signing limit to get a report – it will show necessary improvements. Summarize it for management, and use it as justification in your next budget request. Low cost, positive outcome.