Think tank: What is the ideal standpoint for security decisions?

Are security decisions in companies made from an economic, organisational or technological standpoint and what is the ideal?

Technology is a dream, but responsibility means organisation wins

Raj Samani, ISSA UK

Technology is cool. It's new, innovative, and the acquisition of the latest technology does add an element of leading-edge thinking. Such psychology is de facto among security professionals (compare the number of industry colleagues who have the iPad, with your friends outside the industry, for example).

Traditionally such an approach was the modus operandi for all security decisions, with trade exhibitions the platform to pitch new and not so new products. There has, however, been a gradual shift from feature-driven decision making, to security decisions falling into line with the needs of business.

Although many would argue it always has been about business requirements, the fundamental difference is that security is devolving to the business. More specifically, allocation of responsibility is being distributed to different areas of the business, rather than simply paying lip service to the 'security is owned by the business' principle.

Many organisations have allocated (or are allocating) responsibility for individual security areas to different parts of the business. These areas are concerned with risk management, with decisions borne out of economic good sense, through empowerment from organisational changes. Such changes are supported with regulatory and legal changes that demand accountability (ownership) for the management of information and ultimately risk.

The term accountability is important; with emphasis placed on accountability versus responsibility. Security subject matter experts are moving from being accountable for the management of risk, to now being responsible, but acting as advisers to individual business areas who are ultimately accountable.

The net result of such changes is that security decisions are being made by the business, with the support of technology-driven security professionals. However, ultimately all decisions are now carefully scrutinised to ensure they meet a satisfactory ROI, and of course that they satisfy the new organisational context.

Does your organisation have an appetite for risk?

John Colley
Managing director EMEA, (ISC)2

Security decisions should, ideally, be based on a risk standpoint. In reality, a risk-based standpoint will contain economic, organisational and technology elements. A decision usually involves some sort of commitment of resources, which implies the economic. These resources may be expenditure to buy hardware, software or services. Alternatively, they may be people resources required to implement some people-based controls, such as separation of duties or background checks on individuals. The amount of economic resources committed should be a balance of the amount of risk an organisation is prepared to take and the resources it is prepared to commit to mitigate that risk.

From an organisational standpoint, different organisations have widely different attitudes to risk and even within a single organisation, different parts of the organisation will have a different attitude to risk. This attitude is often called 'risk appetite'. It should be a key requirement of any information security professional to understand the risk appetite of the organisation they are working for. A retail bank will have a much more conservative approach to risk than say an investment bank which is used to taking high risk decisions.

Finally, when making security risk decisions the technology aspects should not be ignored. This includes the maturity of the technology, the proven track record, how efficient and how effective the technology is in dealing with the risk and, of course, the cost of the technology. One aspect that is often overlooked is the total cost of owning the technology, which goes well beyond the cost of initially purchasing it. For example, intrusion detection technology needs not only purchasing but also on-going licensing agreements so that it is kept up to date, it needs resources to implement it and also resources to examine the output and take action on the output.

Decisions should never be taken based on one single factor but, as with many things in life, on a balance and trade-off between a number of differing and quite often conflicting things. This is what makes being a security professional such a challenging and interesting occupation.

Wrong to use technology viewpoint

Tom Scholtz
Research vice-president at Gartner

The reasoning behind an organisation's security decisions largely depends on the maturity of the security practices within that entity. In Gartner's experience, too many organisations still make their key information security decisions primarily from a technological viewpoint.

The reasons for this are complex. It is often a symptom of the stature of information security within the organisation: security is viewed as an IT problem, to be solved by IT. This in itself is an indication of dysfunctional accountability structures for security within the leadership of an organisation. As long as the business believes that protecting its information resources is not its responsibility, it is nearly impossible for the security manager to make meaningful decisions based on economic and organisational factors.

In a perfect world, security decisions should be made primarily from the risk management perspective, taking cognisance of all the relevant economic, organisational and technological aspects.

Some economic factors that should be considered include:

  • The financial risk exposure of the given process, application or information set.
  • The cost of alternative security controls versus the expected value and risk reduction.
  • The availability of resource and skills to implement and manage a controls solution.

From an organisational perspective, the following issues could have an impact:

  • The risk appetite of the organisation as a whole, and of any individual process, application or information owners.
  • The organisational culture with regards to implementing and enforcing policy and controls. For example, is it hierarchical and top down, or more collaborative and federated?
  • The awareness and behaviour of employees and contractors.
  • The maturity and nature of relationships with external service providers. For example, existing contractual agreements might complicate certain security controls solutions being implemented by service providers.
  • The maturity of existing security management processes. For example, an immature, ill-defined security incident response process makes it difficult to integrate effectively with existing IT service management processes such as problem management.

The technological aspects that could influence the decision-making process might include:

  • The existence of known technical vulnerabilities and risks in the technology stack.
  • The complexity and functionality of potential product solutions.
  • The availability and reputation of potential managed security service providers for administrating potential security solutions.

Depending on the context of a given security decision, all the relevant economic, organisational and technological aspects should be considered in order to derive the best risk-based decision under the circumstances.

Security choices often a grudging acceptance of cost

Peter Wenham
Committee member of the BCS Security Forum strategic panel and director of information security consultancy Trusted Management

In my experience, very few companies base their security decisions on a well thought through understanding of their need. Generally, I see security decisions based on a grumpy acceptance that it's a cost that has to be borne with the result that what is purchased is either under specified, incorrectly specified, not properly maintained or unnecessary because the power of existing products has not been realised.

A variant of the grumpy acceptance is the company that during economic good times allows the IT department a budget feast leading to the purchase of the latest whizzy security toys and in times of economic belt-tightening a budget famine leading to essential security tools not being properly maintained both in the operational and technical sense.

Ideally, I would like to see all companies basing their infosec decisions on an understanding of the business risks, both those at the company level (eg industrial espionage, high value information etc) and those arising from the use of ICT, and on the company's appetite for risk, eg how much risk to its business is a company prepared to accept?

No consideration of the big picture

Peter Wood
CEO at First Base Technologies, an ethical hacking firm based in the UK, and a member of the ISACA conference committee

Wearing my cynical head, I would say security decisions are often made from a standpoint that ignores the big picture. The love affair with silver bullets continues unabated in many firms - "if we buy this new security product, data loss will be a thing of the past" - while ignoring any attempt at analysis of who may be attacking the organisation, why and how.

Technology remains a big driver simply because it appeals to us as a straightforward solution. If we're worried about malware, buy anti-malware products. If we're concerned about data loss, buy a data loss prevention solution. Yet this ignores the complexity of an organisation's information infrastructure and of today's criminal attacks.

As long as the people tasked with defending an enterprise fail to think like an attacker - fail to think outside the box - we will throw money at point solutions and still get hacked. If you stop someone from copying data on to a USB stick, they'll send it to their home e-mail account. If you block those e-mails, they'll use a VPN, and so on. People will find a way to bypass your controls in order to get the job done, unless you understand what they're trying to achieve and make it easy for them to do it securely.

When decisions are made from a purely budgetary perspective, things can be even worse. Retailers who committed resources to PCI compliance, then shelved the project and fired the contractors when the economy rocked, will find that it will cost them even more to pick up the pieces and find new people with the right skills to help them become compliant.

A purely cost-based approach to selecting a firm to test your web application may seem attractive, but how do you know you are comparing equally effective solutions? Some companies do little more than run an automated scanner, while others combine this with skilled analysis and manual testing which will inevitably cost more but may actually find the security holes before the criminals do.

A combination of technology and budget, informed by an intelligent threat analysis, can provide the most effective strategy for securing the organisation if only we can take the time to do it properly.

Security needs to be built-in, not bolted-on

Ollie Ross
Head of research, Corporate IT Forum

Where security sits, and where the responsibility for security decision-making lies, is undoubtedly evolving in the large organisation today. Obviously, there can be no one-size-fits-all take on this but, inside the Corporate IT Forum, we are increasingly aware that reaching a high level of maturity in security awareness, management and application means growing an organisation-wide, built-in rather than bolt-on approach.

Security is becoming a culture, as opposed to a function. Decisions that affect the security of a business; its operations, brand, effectiveness, etc, proceed from a thorough assessment of potential risk. Therefore, economic, organisational and technological standpoints will be taken into account, with the 'ideal' model individual to the specific requirements and business of the organisation.
