Failure of Investment

Recently, a lot of attention was given to an off the cuff comment by Jack Daniel in response to a Return On Investment (ROI) conversation via Twitter – “The only viable measurement in security is failure.” The reason that this comment got so much traction is that it is a new way of thinking through your security scheme.

The newest topic seems to be “Is Penetration Testing dead?” – The answer is not straightforward and may need FOI to give some much needed clarity.

First there was ROI…
Will I Make A Profit?

Return On Investment is a valuable metric to the IT industry (as well as business community) as a whole. It answers the question “If I buy this thing, will I make money in the end?”

The idea is that if you purchase something, it should at least earn back an amount equal to what you spent on it, and can probably earn you more. This should also happen in a reasonable amount of time. For example, if you need to buy a firewall, it will help to know what that firewall will be doing. You can then calculate: “If I buy a firewall for $d, then in t (weeks, months or years) I will see a return on my investment, and everything earned beyond t is profit.” At that point, it will have paid for itself (or you can use the calculation in reverse to say that you shouldn’t buy something because the ROI is either at a loss or too slow). This makes a lot of sense when you need to make sure your boss looks good when doing the budget 😉

Then There Was TCO…
How Much Will It Cost?

Total Cost Of Ownership (TCO) came into play during the original conversation. TCO is a predictive metric that tries to take into account everything that must be spent on something that is invested in, over its whole life.

For instance, the firewall that my boss needs: he won’t look good if I google “cheap firewall” and then tell him that the firewall will cost $100 (it’s a really cheap firewall). I will need to take into account the cost of software, hardware that is not included, any monthly fees, my bonus for making him look good and ANYTHING else conceivable. This is the Total Cost of Ownership. That firewall is not making my boss look good 🙁

Then there was FOI…
What is lsass.exe?

Before I begin, Jack had an accessory after the fact, namely Andy, IT Guy. Andy helped Jack by really defining FOI.

FOI is even easier to define than ROI and TCO, but harder to apply to a real-life scenario. FOI is not a predictive measurement, but a mantra that can be used to make sure you are taking due care to ensure things are working as they should.

If something is allowed to fail, then the investment was not worth it in the beginning. (What do you expect from a $100 firewall?) One of the tenets of FOI is if something does fail and funds are either spent or lost as a result, then it better not happen again.

As far as security is concerned, if I have a security device and it fails, then something is compromised, even if you haven’t found it yet. We now need to find and fix what happened. This will take time and salary dollars, and you may need to hire outsiders, not to mention that you may have already lost some revenue through an outage or data leak. This is where FOI kicks in.

Something has failed, my boss is angry. He says “This is bad, we are stuck in this investment thanks to you. Will it happen again?” My answer is, of course, no. It is now a much higher priority of mine to keep that firewall from failing.

This is the essence of the argument. Why was it such a low priority and allowed to fail in the first place? There are many answers that I won’t get into. Although the “it’s not my fault” argument may be valid (but it won’t necessarily save your job) if the vendor failed to notify you of, or patch, an existing known vulnerability. So, vendors, watch out there.

Hope these three metrics shine some light on what to do with your IT budget and IT staff.

Tim

*** This is a Security Bloggers Network syndicated blog from Security Workshop authored by Tim Cronin. Read the original post at: http://securityworkshop.blogspot.com/2008/12/failure-of-investment.html