
Economics of Security Archives

March 21, 2007

How Much Do We Really Spend on IT Security?

I'm always interested to read what the young scribblers in those expensive analyst organisations are claiming about our security spending habits. I've spent a good deal of time measuring and comparing levels of security spending with other companies from various industry sectors. And it's always been very different from that suggested by the analysts. Years ago, when many of them were telling us that typical spending was around 3-5% of IT budget, I was measuring and benchmarking it as nearer to 1% of IT budget.

So I was fascinated to read the recent projection from Forrester Research that this year most companies will spend between 7.5% and 9% of their IT budgets on security regardless of their size, geography or industry. Now I've noted an increase in spend over the last few years. But in my experience it's a long, long way from these heady levels. And I've also noted a tightening of the belt in many organisations, making it more difficult to increase headcount and budget.

Of course we might all be interpreting the phrase "security spending" in different ways with different scopes. Indeed this is likely to be a major factor in our different perspectives, though my experience has been that most organizations have a reasonably consistent view of what it covers.

If the claimed figures are correct then we should expect to see large organizations employing several hundred full-time professionals. And we should also expect security technology sales to be substantially higher than they are today. I don't see any of this happening. Perhaps I'm missing something? I'd be interested to hear what others think. Because it's an important measure that underpins the business case for our security capability.

March 25, 2007

The Economics of Security - How hard can it be?

I've noticed an increasing level of interest by both academics and practitioners in the financial aspects of security. There are probably two sources for this phenomenon. One is the difficulty that security managers encounter when justifying the business case for their spending plans, which encourages them to look outside their organization for a better method. The other is the response by academics, who become excited when they unearth new (though rather obvious) economic characteristics of security, such as the fact that the party who creates a security risk might not be the party who suffers the damage from its impact. And findings such as this will generate further interest as they offer the potential to transform a business problem into a wider societal or public policy issue. The end result is an unprecedented wave of interest in researching and debating the "economics of security".

Now I'm sure that many interesting models, methods and policy recommendations will emerge from this new found line of research. So I'm all for it, though I do suspect that there might be more interesting and fruitful alternative lines of security research. My main concern is that we don't reinvent the wheel. Because bean-counters have for many years been devising investment appraisal models to measure the ROI on difficult and dodgy investments. And business managers have long been struggling with difficult business cases, frequently based on uncertain, unmeasurable and unknowable data. So there's really nothing new here.

I keep being told by academics that security is a particularly difficult business case because of the lack of hard supporting data and the fact that it often requires long-term investment in infrastructure with uncertain returns. I don't buy this. Many routine business investments have these characteristics. Whether it's a new product launch, a new plant, a new acquisition or an investment in CRM or business intelligence software, they all represent a leap of faith, with no guaranteed returns.

At least with security we can point to a sizable body of supporting incident data. And we can play the regulatory compliance card. So perhaps it's not that hard after all to justify security. In fact that could explain why we've actually seen unprecedented growth in security investment over the last two decades.

August 7, 2007

No Sensations at This Year's Black Hat

At this time of the year my eyes usually glance westward to see what’s being revealed at the Black Hat and Defcon conferences in Las Vegas. Over the years these back-to-back events have served as a showpiece for announcements of hot findings from the esoteric community of code buffs who study security vulnerabilities.

So what happened this year? Not a lot according to reports from seasoned attendees. What’s going on? After all it should have been a bumper year for exploits given the continuing growth in the security research field. Brian Krebs’ report in the on-line Washington Post hits the nail on the head. Could it actually be that the research community is becoming more responsible, mindful of the serious consequences of disclosing a gaping hole in a protocol or platform? Or is it because security researchers are now more inclined to sell their vulnerabilities privately to the highest bidder?

August 13, 2007

What Board Members Really Think About Security

A recent survey, carried out by NetIQ, claims that most IT Security Managers believe that their board-level superiors pay only lip service to compliance and security, i.e. they don’t take it seriously. Is this really correct? Or are we misinterpreting the signals from above?

I reckon the latter is nearer the mark. I’ve discussed IT security with dozens of managing directors in different industries. In my view they all take security very seriously indeed. Which is no surprise, given that they constantly handle sensitive information, and that they’re often much better informed about serious incidents than their staff. So why is there a difference in perception? I can see three possible reasons. Firstly, there is a lack of visibility of senior management thinking. Most directors are discreet. They rarely go around broadcasting their views about sensitive subjects, such as security. Secondly, they might have higher priorities. Most organisations have risk management processes in place that highlight major business risks for board-level intervention. If security doesn’t rank in their Top 50 risks, you can’t expect it to be high on the Board agenda. Thirdly, any major expenditure requires justification. No managing director should be endorsing major investments in security without a clear business case. And sadly we rarely see good examples of these.

I'm always surprised to hear claims that security spending is difficult to justify. In my experience it's much easier than justifying expenditure on many other business initiatives. For comparison think about advertising campaigns which only work half of the time, CRM programmes that are an expensive leap of faith, or new product launches for which no sales are guaranteed. Security spending is easier to defend. There's a lot of published incident data to support its claims. And if you add up the numbers the ROI can be quite impressive. Not to mention the fact that there are legal and regulatory demands to reinforce the business case.

So if security is not being addressed, where might the problem lie? The answer is likely to lie either with the risk assessment process, for not highlighting the problem, or with local business managers, for not managing these risks. Or perhaps with the security function for not establishing a functioning security management system. But don’t blame the Board. At the end of the day they’re the ones that risk a jail sentence. So they shouldn’t need reminding about the importance of compliance and security.

August 26, 2007

The Costs of Security Incidents

I’m always fascinated by reported figures and research statistics about the costs of security incidents. Generally they represent just the tip of the iceberg, because in practice you can’t nail down the lost sales, reputation damage and future legal claims that are directly attributable to the incident. Security researchers, most notably the Ponemon Institute, have attempted to measure the costs of a data breach by analysing the total recovery costs, averaged across a number of real-life incidents. These figures suggest that the full cost of such breaches is likely to be as high as $100 to $200 per compromised customer account.

But real life rarely conforms to the projections of researchers and organisations can of course be very different in their scale, brand value and crisis response. So it’s interesting to note the unfolding claims and facts surrounding high profile incidents such as the recent data breach at TJ Maxx, which involved the nightmare scenario of a compromise of more than 45 million customer credit card details. Many analysts and pundits (including myself) were quick to speculate on the long term cost of this breach. Estimates of damages of the order of billions of dollars were suggested. Some security experts even thought they might be one of the first companies to be wiped out by a single security incident. So several months on, how has it turned out?

Well the costs are certainly significant. TJX’s second quarter results indicate that a figure of $130 million has been set aside so far this year to cover costs and potential liability. This is reported to include a staggering $11 million in security consultancy fees. By my reckoning that would buy you a security department several times bigger than the average Fortune 100 organisation’s. It’s not chickenfeed. But it is a long way from the billion dollar hit forecast by the pundits. And an organisation with turnover measured in billions can easily survive a once-off hit of this size.

So after all, does the real, eventual size of the damage really matter? Probably not a lot in practice. Because a $100 million hit is more than sufficient to persuade Boards to take security very seriously indeed. And estimates of many further consequential damages, such as future lost sales, are largely academic, as they're not measurable and will never be known.

September 16, 2007

CSI Security Survey Shows Huge Increase in Financial Fraud

Average annual losses from security incidents have doubled according to the Computer Security Institute’s 12th Annual Computer Crime and Security Survey. Regardless of the accuracy of the individual figures collected - and these can be understated for a variety of reasons - it’s the trends that count. So this jump is highly significant, especially as previous CSI surveys have indicated a downward trend.

It’s also interesting to note that for the first time, financial fraud losses have overtaken the costs of virus attacks. In fact they are more than twice as high. The survey also indicates an increase for many organisations in the percentage of IT Budget spent on security, with a clear trend towards 3-5% of IT budget. Of course the relevance of this metric depends on what you actually mean by security. But again it’s the trend that counts and that trend is upwards.

However, despite all of the emphasis on the importance of the human factor in security, it’s sad to see that just under half of the organisations surveyed spent less than 1% of their IT Security budget on awareness training. Now whether this is because organisations don’t know how to address the problem or because they can’t find any products worth buying, it demonstrates a widespread inability to translate the current mantra into real world spending. And that might also be a major reason why the annual losses are increasing so fast.

February 11, 2008

Measuring Security Progress in an Uncertain World

One feature of the Information Age that I find fascinating is how fast we are able to adjust to wild swings in levels of activity. We take huge falls in stock market capitalization levels in our stride, though they impoverish or enrich many citizens. We live with rapid changes in fashion - the Gartner Group hype cycle for example being a classic illustration of anticipated volatility in market perception. And it's the same with security incidents. For years they’ve been increasingly volatile yet somehow we've managed to contain the risks. And over the last year we’ve seen some extreme behavior in malware. It’s really booming, growing by a reported factor of five during 2007. Now that’s serious growth.

Of course we can explain the growth by drawing attention to factors such as the fact that criminals have taken to pumping out multiple variants of viruses to fool anti-malware systems. But we can’t easily anticipate such trends. And they must be disruptive for academics aiming to develop better ROI calculations based on measured incidents. Or for that matter for any security manager who has been unwise enough to agree a bonus objective related to a reduction in incoming malware.

The simple reality is that volatility and uncertainty are the names of the game when it comes to information security risks. Low level threats can unexpectedly scale to new heights quicker than you can revise security defences and management objectives. Security managers need to recognise this level of uncertainty and deploy countermeasures that can scale well beyond normal contingency levels. And we need to work to realistic objectives that are not hostages to fortune. As Deming pointed out many years ago, it’s a deadly sin to manage on the basis of visible information alone. It’s the underlying trends that really count. You need to explore well below the tip of the iceberg to see what’s really happening.

June 3, 2008

The Cost of Data Breaches

I see that yet another bank has come clean about a loss of personal data. This time it's Bank of New York Mellon. They have admitted to losing tapes containing personal details of 4.5 million customers.

Interestingly they are offering identity theft insurance to all affected customers. Given that such insurance costs around $50 a year, it means a theoretical loss of hundreds of millions of dollars on top of all the incident response costs. 

Who said that it's hard to make a business case for security?

October 23, 2008

Lies, damn lies and incident statistics

We're all terribly bad at interpreting statistics. It's the way our brains are wired. We tend to leap to the wrong conclusions. And we're heavily influenced by context and spin. Politicians, marketing managers and journalists have known and exploited this for many years. It's a trick that all security managers need to master in order to get their points across. Appealing to the rational side of users and customers is generally doomed to failure.

I always try to get to the bottom of statistics. So I was naturally intrigued when I read the headline "Zebra crossing road deaths treble" in today's Daily Telegraph. It smacked of spin. Reading further I noted that annual deaths had risen from three a year to nine. Now, that's a very small increase in numbers. I wondered if it might have perhaps been no more than a random fluctuation.

Like most people, I find it impossible to judge these things intuitively, so I made a few rough calculations. These indicated that if the average was three a year, then there's only a one in five chance of exactly three occurring. But the chance of exactly nine occurring is far smaller, nearly two orders of magnitude less. So it seems there might be something significant behind this change.
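The rough calculation above can be made precise. The following is an added example, not part of the original post: it assumes that independent events arriving at a steady average rate follow a Poisson distribution (a standard assumption for rare incident counts, not one the post makes), and uses the post's own figures of three and nine a year. It also goes one step beyond the post and computes the count at which a security manager should stop treating a jump in incidents as a random fluctuation; the threshold and the significance level are choices of this example.

```python
"""Is a jump from 3 to 9 events a year a fluke? Poisson arithmetic (added example)."""
from math import exp, factorial


def poisson_pmf(k: int, rate: float) -> float:
    """Probability of exactly k events when the expected count is `rate`."""
    return exp(-rate) * rate ** k / factorial(k)


def poisson_tail(k: int, rate: float) -> float:
    """Probability of k or more events: the p-value of 'at least this many'.
    This, not the probability of exactly k, is the right question to ask
    of a year that looks unusually bad."""
    return 1.0 - sum(poisson_pmf(i, rate) for i in range(k))


def alert_threshold(rate: float, alpha: float = 0.01) -> int:
    """Smallest annual count whose tail probability falls below alpha.
    Below this count the figure is consistent with noise around `rate`;
    at or above it there is probably something real going on.
    `alpha` is an assumed significance level, not a figure from the post."""
    k = 0
    while poisson_tail(k, rate) >= alpha:
        k += 1
    return k


if __name__ == "__main__":
    rate = 3.0  # the long-run average the newspaper story implied
    print(f"P(exactly 3 | rate 3) = {poisson_pmf(3, rate):.3f}")  # 0.224, about one in five
    print(f"P(exactly 9 | rate 3) = {poisson_pmf(9, rate):.4f}")  # 0.0027, roughly 80x smaller
    print(f"P(9 or more | rate 3) = {poisson_tail(9, rate):.4f}")  # 0.0038
    print(f"count needed to reject 'noise' at 1%: {alert_threshold(rate, 0.01)}")  # 9
    print(f"count needed to reject 'noise' at 5%: {alert_threshold(rate, 0.05)}")  # 7
```

The same arithmetic applies to any incident series that a security manager reports on: fix the baseline rate from several quiet years, decide on a significance level, and publish the resulting threshold in advance, so that a bad year is judged against a number agreed before it happened rather than argued about afterwards.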

But once you start digging it gets really complex. There are so many factors. The Telegraph points out lots of potential causes, but most of them are not things that have changed in the last year. For the newspaper, however, the real cause matters less than having a vehicle for airing complaints about the design of crossings, the level of fines for motorists who ignore them, and how the UK pedestrian safety record compares with other countries.

This type of spin is a phenomenon we simply have to get used to. We're entering an age when faster judgements have to be made on growing amounts of information. And the data is getting increasingly easy to change, annotate and present out of context. The facts matter less than the perception. That's why politicians are less concerned with actually fixing the problems than with convincing us they're competent to do it. But as Douglas Adams cautioned, once you've proved that black is white, you'll probably go on to get yourself killed on a zebra crossing.

November 9, 2008

Let's get real about information security

Wherever you go, or whatever you read, these days, it's hard to escape security professionals and pundits who preach that information security and risk management are business enablers. Now that's certainly true. But we have to put this in perspective.

Such benefits help support the business case for security. And it's always helpful to communicate the nature of the subject in business terms. But let's get real. No business in their right mind would invest in security purely for the business benefits. There are many other, much more powerful enablers for business (like more advertising, a bigger sales force, or better customer relationship management) than security. And risk management is primarily used to provide credibility to decisions, rather than lead them.

Security and risk management are driven exclusively by incidents, and, as a consequence, by compliance and citizen concern. And addressing the latter two drivers requires a focus on the perception of your security capability, rather than the actual state of security. Because when you're truly secure, nobody will ever notice. That's the reality of information security.

November 27, 2008

Driving down costs

Surviving the current downturn means taking cost out of the business, and out of the information security budget. Here are a few ideas on how to go about it.

Firstly, set out to reduce incident levels. There are real savings to be made from a campaign of targeted awareness. The main obstacles are that the money saved won't flow into your security budget, and it's a leap of faith that can't be guaranteed. But it's easy to make a business case if you have the right figures. Even if you don't have historical incident data, you can make some assumptions about incident levels and costs. Take laptop losses for example. In my experience, I'd estimate that around 2-3% of laptops are lost each year. You're probably doing very well if it's less than 1% a year. And it probably costs several thousand pounds to replace each one. You can make big reductions in the levels of these losses through a root cause analysis and a targeted education drive.

Secondly, aim to move to a variable cost level for managed security services, through outsourcing or Software-as-a-Service products. That means that you can progressively lower your operating costs, as demand drops from fewer projects and shrinking numbers of staff and customers.

And thirdly, streamline processes for governance and compliance. There's been a huge expansion in this area in recent years. Many of the processes implemented were not the most efficient. This is a good time to adopt better processes and technology.

The problem with all of this is that you have to invest a little in order to realise the subsequent savings. Business has always been that way, of course. It's just that many corporate security functions have been shielded from commercial realities by being able to draw on a large central budget. Those days are gone. The most important skill of the information security manager is now the art of business case development.    

November 30, 2008

We need affordable intelligent monitoring systems

I didn't attend the actual session, but my attention was grabbed by the report of Prof. Brian Collins' views, speaking at a recent Cyber Security KTN event, on the controls needed to prevent the HMRC data breach. He took the view that government information systems should inform users if they are about to do something which could put citizens' data at risk. Brian was reported as saying "The system design should never have allowed the [data loss]. They should be designed to stop people going off the edges of what is acceptable. Why are we not doing this? Because it costs."

I couldn't agree more. It's not difficult to develop intelligent software that monitors information flows and can flag such errors. And it shouldn't have to cost so much. Price points for security software are way too high. That's why so many start-up companies fail to survive. Business models for security software need to be more modest. Then, hopefully, we'd all find a win-win solution. 
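To show what "software that monitors information flows and can flag such errors" can look like at its simplest, here is an added example. It is not code from the original post, from HMRC or from any government system: it is a pre-transfer policy check that a bulk-export function would call before records leave a system, telling the user which rules the request breaks and why. The sensitive field names, approved transports, thresholds and both sample requests are constructed for illustration.

```python
"""Pre-export policy check for bulk personal data (added example, constructed rules)."""
from dataclasses import dataclass

# Constructed policy: fields treated as sensitive, and channels on which bulk
# personal data is allowed to travel. A real deployment would load these from
# the organisation's data classification scheme.
SENSITIVE_FIELDS = frozenset({"national_insurance_number", "bank_account",
                              "date_of_birth", "home_address"})
APPROVED_TRANSPORTS = frozenset({"sftp", "managed_file_transfer"})


@dataclass(frozen=True)
class ExportRequest:
    requester: str
    recipient: str
    record_count: int
    fields: frozenset          # columns the user asked for
    purpose_fields: frozenset  # columns the stated purpose actually needs
    encrypted: bool
    transport: str


@dataclass(frozen=True)
class Policy:
    approved_recipients: frozenset
    bulk_threshold: int = 10_000  # above this, the recipient must be pre-approved


def check_export(req: ExportRequest, policy: Policy) -> list:
    """Evaluate a proposed export and return the policy rules it breaks.
    An empty list means the export is within policy. Each rule is checked
    independently so the user sees everything wrong at once, not one item
    per retry."""
    violations = []
    sensitive = req.fields & SENSITIVE_FIELDS
    unneeded = sensitive - req.purpose_fields
    if unneeded:  # data minimisation: sensitive columns the purpose does not justify
        violations.append(f"minimisation: {sorted(unneeded)} are not required for the stated purpose")
    if sensitive and not req.encrypted:
        violations.append("encryption: sensitive fields are being exported in the clear")
    if req.record_count > policy.bulk_threshold and req.recipient not in policy.approved_recipients:
        violations.append(f"volume: {req.record_count} records to unapproved recipient {req.recipient!r}")
    if sensitive and req.transport not in APPROVED_TRANSPORTS:
        violations.append(f"transport: {req.transport!r} is not an approved channel for sensitive data")
    return violations


def explain(req: ExportRequest, policy: Policy) -> str:
    """Message shown to the user at the point of action, before the export runs."""
    violations = check_export(req, policy)
    if not violations:
        return "Export permitted."
    return "Export blocked. Fix the following before retrying:\n  - " + "\n  - ".join(violations)


# Constructed samples: a whole-database pull in the clear on removable media,
# and the same job done with only the needed columns over an approved channel.
POLICY = Policy(approved_recipients=frozenset({"stats-office.example"}))
RISKY = ExportRequest(
    requester="analyst42", recipient="external-auditor.example", record_count=1_200_000,
    fields=frozenset({"name", "date_of_birth", "bank_account", "national_insurance_number"}),
    purpose_fields=frozenset({"name", "national_insurance_number"}),
    encrypted=False, transport="physical_media")
SAFE = ExportRequest(
    requester="analyst42", recipient="stats-office.example", record_count=1_200_000,
    fields=frozenset({"name", "national_insurance_number"}),
    purpose_fields=frozenset({"name", "national_insurance_number"}),
    encrypted=True, transport="sftp")

if __name__ == "__main__":
    print(explain(RISKY, POLICY))
    print(explain(SAFE, POLICY))
```

The point of the design is that the check runs where the decision is made, with the user's own request as input, so the feedback arrives before the data moves rather than in an audit report months later. None of the rules needs expensive technology; the cost is in agreeing the classification scheme and the approved recipient list.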

February 4, 2009

Counting the cost of data breaches

I'm always fascinated by the outcome of attempts to quantify the cost of data breaches. The Ponemon Institute have recently published the results of surveys, sponsored by PGP, carried out in the US and UK. These figures are worth noting, as the Ponemon Institute research is much more thorough and reliable than the quick market surveys by vendors that we often see reported in the media.

The US Study analysed data breaches in 43 organizations across 17 different industry sectors. It found that data breach incidents cost companies an average of $202 per compromised customer record in 2008, a small increase on last year's figure. The UK Study covered data breaches in 30 organisations. It found that the total average costs of a data breach have now grown to £60 per record compromised, with the average total cost per reporting company rising to more than £1.73 million per breach. In both studies, lost business continued to be the most costly effect of a breach, around half the overall cost. Not surprisingly, internal negligence is the main factor in breaches.

It's interesting to note the large difference in UK and US costs. I'm not sure why this should be. Perhaps it reflects a greater knee-jerk reaction by US firms, their lawyers and customers following a high profile breach? 

The studies continue to indicate a positive correlation between the number of records lost and the cost of an incident. But some caution in interpretation is needed. Firstly, not all costs scale linearly, so don't assume that the cost per record from a 40,000 record breach will be the same as for a 40,000,000 record breach. Secondly, many aspects of a breach, such as the cost of lost business, cannot be measured precisely. And thirdly, the cost of lost future business depends heavily on how well the incident is managed. TJ Maxx did it very well and they came out on top. Not everyone can do that.

The last point explains the contradiction pointed out by John Leyden in his report in The Register. In my view he is wrong to question how much weight can be placed on these figures. On the contrary, these figures are well researched and largely make sense to me.

February 10, 2009

What's in a number?

I was amused to read about the latest estimates of the number of intelligent alien civilisations, recently reported in the International Journal of Astrobiology. Apparently the discovery of more than 330 planets outside our solar system in recent years has helped "refine" the number of life forms that are likely to exist. The new research claims that there might be as few as 361 intelligent civilisations in our Galaxy and possibly as many as 37,964.

You have to admire such breathtaking precision. It brings to mind those heavily-flawed estimates we make of risk probabilities: the ones that suggest the likelihood of a risk might be, say, 40%, but without mentioning that the accuracy of the estimate is plus or minus 90%. Such estimates are obviously worthless as a means of prediction, though they're often useful for building business cases for investment appraisal, or, ironically, to demonstrate prudent corporate governance to an auditor.

More interestingly, numbers can convey subtle degrees of spin, depending on their precision and context. A number with one or two decimal places comes across as well-measured. A round number sounds suspiciously like a guess. The exception is the 80/20 rule which is strangely compelling and plausible, even though most examples quoted are not based on any sound research.

Donn Parker always used to quote a made-up, precise number when discussing security risks. Many people took him seriously, though he was actually making the point that such statistics are nonsense and should not be relied upon. He was absolutely right. Taking figures from external sources is potentially dangerous. Many assumptions do not apply outside their original context. That's why "Assume context at your peril" is a key Jericho Forum principle.

The other problem is that figures tend to get distorted as they're passed on from person to person. For example, 37% might quickly become "one in three" or "over 30%" or "around 40%" after just a few exchanges. In fact, research has long indicated that around 70% of the details of a story passed on by word of mouth are lost in the first five or six exchanges.

Douglas Adams hit the nail on the head when he suggested that the answer to life, the universe and everything was 42. Because in security, it's the question that really counts, not the answer. 

March 16, 2009

Lies, damned lies and statistics

A recent email from Karen Lawrence Öqvist mentioned the differences in how we measure statistics such as the odds of dying in a road crash or a plane crash. I had suggested in my book "Managing the Human Factor in Information Security" that you are more than a thousand times more likely to die in a road crash than in an airplane crash. Is this a fair claim?

This subject is illuminating for any student of statistics, as there are huge differences in the conclusions drawn by different authorities. Some observers claim that air and car travel are equally risky. Others point to huge differences with factors ranging from ten times to two thousand times. Yet these claims are all based on analysis of independently compiled statistics. What accounts for such astounding differences?

There are many factors at work. The scope of the statistics used makes a big difference. Figures are generally compiled on an international basis for air crashes, and a national one for car accidents. One or two well-referenced quotes mix the two. Some statistics also exclude small aircraft and military jets, which account for many reported accidents. Most figures include crew deaths as well as normal passengers. But not everyone travels regularly by air, so the risks vary significantly across different types of traveler. There are also marked differences between individual airlines and between countries. First-world airline accident statistics are lower, and road deaths in developing countries are much higher, as you would expect.

The time of the statistics also makes a big difference. Air fatalities have been dropping rapidly, and are around half of the rate they were ten years ago. Road deaths are falling slowly in developed countries, but climbing steeply elsewhere. So comparisons vary greatly depending on the particular year and time period. Even more significant is the question of whether you compare just the total number of deaths, or the adjusted number of deaths per trip, per hour, or per mile. Such comparisons vary enormously, perhaps by an order of magnitude. 

So how did I arrive at my "more than a thousand" figure? In fact it was a simple calculation based on worldwide figures. There are estimated to be more than a million road deaths each year and less than a thousand air deaths. No spin at all, though perhaps the absence of any adjustment represents a spin in itself.

The real learning point is that you can put any or all of these factors together to achieve just about any result you might want. That's welcome news for lobby groups campaigning for or against air travel, but confusing for ordinary travelers. So, in future, take all such claims with a pinch of salt.

April 13, 2009

Security budgets in a downturn

When times are tough, business survival has to take precedence over security considerations. This logic suggests that security budgets will be severely squeezed in a major downturn. But is this really the case? Companies are downsizing, but many security functions and budgets have managed to survive the last six months relatively unscathed. How long can this trend last? And what will be the impact on security vendors?

The answers to these questions are more complex than we might imagine. There are several contradictory trends at play, some that boost security spending as well others that reduce it. Smart security functions should conduct an analysis of the threats and opportunities for their budget. Paul Dorey, former CISO for BP, has an excellent methodology for assessing the impact of the opportunities associated with the current downturn. It shows, amongst other things, that we can expect a combination of more and less demand for particular security services.

The most important trend is the simple fact that security continues to grow in significance, both in terms of risks as well as prominence on the Executive Board agenda. Fear of major incidents coupled with growing compliance demands should ensure that cutbacks in security are kept to an absolute minimum. But cancellations of new projects and budget reductions in operational services will also tend to squeeze security budgets.

Fortunately security is better placed to survive cutbacks. For one thing, the security function generally operates with a backlog of initiatives. There is always more to be done than current resources allow. Unlike many other IT functions that might become idle when projects are postponed or services cancelled, security functions can always find useful work to do. And a general reduction in development projects can also mean that there is more money available to spend on security projects. No CIO wishes to see a complete decimation of the IT budget. They will support initiatives that remain compelling throughout the downturn.

Less demand for security support for new development projects might also free up existing security resources to launch new security initiatives that have been held up awaiting the availability of key staff to develop the necessary business case. It's no trivial matter, however, to frame a business case against a background of across-the-board cutbacks in capital expenditure and external consultancy spending. But, whatever transpires, we'll soon have a good idea of where things are heading. The start of the new financial year will set the tone for the next round of investments and cutbacks. Let's hope that it's positive for the security industry.

June 23, 2009

The impact of the recession on information security spending

In times of recession there's always talk about where information security budgets are heading. Some of it is prompted by marketing spin, some by genuine concern and some by wishful thinking. Many people claim that security budgets are holding up, but at the same time there's a visible slowdown in some parts of the security market. The causes of this are numerous: the result of bank mergers, restructures, cutbacks, skills shortages, revised business priorities, changes in procurement policy and project delays and cancellations.

But against this trend is a clear growth in the need for information security services, driven by increasing risks and compliance requirements, greater recognition of the importance of security by senior management and a need to correct a long-standing lack of investment in the security of legacy systems and infrastructure. On top of this we have the steady spread of sophisticated security practices to many small and medium sized enterprises who had previously managed with little more than firewalls and anti-virus software. In fact, in the absence of a recession, information security would be booming.   

Making sense of the impact of these contradictory trends is not easy. Projecting ahead is even harder. Some economic trends, such as unemployment, are counter-intuitive. Experience from previous recessions shows that job losses don't peak until long after the recession has ended. There's more downsizing to come. The pundits vary in their degree of optimism. Bruce Schneier has been warning of the difficulty of keeping on top of security workloads that have increased due to layoffs. Gartner report that security budgets are currently flat, while the rest of IT is in a state of decline. But they project better times ahead, suggesting that new projects will be driven by regulatory compliance initiatives and areas affected by cost cutting measures. In fact it's clear that we're heading for a sustained battle between corporate governance demands and business reality. And at the end of the day, it's sales and cash flow forecasts that call the shots.

What will be the impact on security? The answer is bad, a major setback in fact. When Gartner talk of better times ahead they mean for vendors. Sales will eventually pick up, but in the meantime a lot of damage will have been done to information security management systems, which take years to build, but can dissolve within months through neglect. And information security today already requires a lot more investment, as we race to catch up with an accelerating threat landscape, after a much delayed start. This is a bad time to be throwing out the baby with the bathwater.

July 18, 2009

Doing nothing is not an option

Erudine have just published the latest edition of Engine, their excellent technology magazine. The theme of this edition is 'Legacy Evolution' and it contains some excellent articles from CIOs, Business School professors and other leading personalities, and includes a copy of the latest NCC guidelines on 'Evaluating Legacy'.

I've contributed a short article entitled "Do nothing is not an option" which sets out tactical advice on how to push through business cases for legacy replacement. It's useful reading for anyone struggling to justify expenditure on unfashionable projects.  

For those of you who haven't encountered Erudine, they're a brilliant Harrogate based company who've developed an innovative software development environment, which enables information systems to be built with superior agility, security and risk management. It's worth checking out.

July 20, 2009

How many lost laptops can you justify?

I was interested to read the figures published last week about the number of laptops that went missing last year from government departments. I've been tracking this problem for the past decade and have a reasonable perspective on what constitutes an acceptable rate of loss. 

Take Work and Pensions for example. Their minister Jim Knight reported that out of around 9,700 laptops used by his department and its agencies, 41 were lost or stolen in 2008, compared to 15 the previous year, but not as high as the figure of 75 for 2004.

Is this good? In my experience it is no more than an average performance. As I've said before, organisations should lose no more than a handful of laptops per 1,000 per year. In the case of DWP, that means fewer than 50 a year. 41 is neither good nor bad. 75 is a poor performance. But the figure of 15 is surprisingly good.

Of course not every organisation has reliable asset registers and incident reporting systems. So reported figures of losses should always be regarded as potential underestimates.  

July 27, 2009

Security and banks

According to recent research by Gartner, consumers regard security as the most important feature in online banking. That's a pretty obvious finding. Security is the cornerstone of banking. Unfortunately, that doesn't make it a competitive edge, as Gartner appear to suggest. Because we don't pick banks for their security. We pick them for their interest rates, or because their branches are conveniently located. And we expect all leading brands to be equally secure. In banking, security is a minimum standard, not a differentiating factor.

August 28, 2009

Online banking security (or lack of it)

Which? Computing magazine has just published a comparison of the leading UK banks' on-line security measures. The results are quite damning. Many top banks have failed to keep up with simple best practices that help to counter security threats from keylogging software.

But there's nothing new here. Banks might have plenty of valuable assets to protect but they've always been painfully slow in updating their security measures. What does come as a surprise, however, is the wide variation in methods used, which is remarkable for a sector with a 'herd mentality' selling identical services.

October 22, 2009

Money in the Cloud

I was intrigued to read that the equivalent of $144 million was traded in the second quarter of the year on the LindeX, the official currency exchange of Second Life. This growth reflects the increasingly virtual nature of money in an information age society.

I've long taken the view that, progressively, the most significant assets in an enterprise will be hard-to-value, intellectual assets, residing in perception, information flows and relationships. Safeguarding these assets requires a very different mindset and approach to locking up physical assets.  

About Economics of Security

This page contains an archive of all entries posted to David Lacey's IT Security Blog in the Economics of Security category. They are listed from oldest to newest.
