Where’s the ROI in security?
Thu, 10/10/2019 – 23:11
Most companies cannot do much without someone asking, “What’s the return on investment for this purchase?” Those of us concerned about security are often trapped by this question. Some of us lie and come up with some elaborate formula that calculates the ROI, others simply throw up their hands and privately say “if there’s a breach, don’t blame me: I told them this would happen.” Both responses are irresponsible.
Finding the ROI in security is like predicting an earthquake. Earlier in my security career, I was asked to work on a security project and to sign an agreement that stated that my work would be “hacker proof.” The company was adamant about including this phrase in their contract. I really wanted the job, but I wasn’t about to say that my work, or any work, was “hacker proof.” After much reflection, I told the company’s agent that I would sign the contract immediately after he purchased a waterproof watch for me. With a certain sense of glee, the agent thought he had trapped me, only to find that every advertised waterproof watch had a disclaimer that it was waterproof only to a certain depth. In other words, they were all water “resistant.” In the end, the “hacker proof” language was removed.
Security isn’t like other purchases or other contractual obligations. Security should be in a unique category.
Everyone at one time or another has left their house or their car unlocked. During that time, chances are that you weren’t robbed. The problem with any type of security, physical or logical, is that there’s no guarantee that you’ll be robbed in the absence of any security, nor is there a guarantee that your security measures will have thwarted a robbery attempt. In the end, wisely spending money on security is like life insurance: it’s the right thing to do.
Think about life insurance. An individual spends money on themselves that doesn’t directly benefit them. A company’s security spending is the same. Outside of the loss of reputation due to a security breach, a company’s security spending doesn’t benefit them; rather it benefits their customers. Where would companies be without customers?
Now, of course, there’s a limit on the amount of money you can spend on anything. Rarely, however, have I ever seen a company spend more money than is necessary on security – but I have seen companies spend money foolishly on security. To calculate how much a company should spend on security, it should estimate a breach’s implications, which include the loss in corporate value plus the money it will spend to recover from the breach. I find it rather humorous that a company that cannot find the budget dollars for a specific security initiative will not think twice about spending almost anything to recover from an unexpected breach. There’s an old adage: “you’ll spend whatever it takes the second time.”
This brings me to my final point: the next time you’re at the RSA show in San Francisco or the Black Hat show in Las Vegas, while you’re walking the exhibitor floor, stop, look around, and notice how many companies are selling perimeter security solutions. You will find that most of the largest companies at these events are selling perimeter security or endpoint security. To my previous point about wisely spending your security budgets, companies are still spending an exorbitant amount of money in a misguided attempt to stop the bad actors from getting into their networks. It’s not working. Make it a point to research every security breach that is publicized in the future. All of them will be perimeter breaches. All of the historic breaches have been as well. A company’s perimeter is far too complicated to properly secure. A company might not know this, but I guarantee you that the hackers do.
I’ve made it a personal mission to understand why companies spend so much time and money trying to protect their perimeters. After years of extensive research, I’ve concluded there’s no logical reason. It’s in our DNA to build walls around things that we value. For thousands of years, our ancestors have built walls and obstacles to prevent their enemies from causing harm to their citizens or stealing their treasure. The reality is that for thousands of years, all assets have been physical. It’s really been only 70 years or so that business assets have been intangible.
Let’s put this into perspective: Recorded history is approximately 5,000 years old. For 99% of this time, we’ve had to protect physical assets. For only 1% of the time, we’ve had to worry about intangible assets. If this doesn’t affect our DNA, I don’t know what does.
Companies should finally realize that no matter how complicated or secure they think their perimeter is, it will be breached. Taking a security posture that assumes a breach will occur, and that there’s nothing they can do to stop it, is the posture that reflects the reality of the world today. Given the excessive amount of money companies are spending building walls, the reality is that a company could move some of its perimeter security budget to internal protection initiatives without requiring much additional unanticipated IT expenditure. In turn, this would actually create a real return on their investment by protecting customer data. ROI and happy customers? That’s a win.