How to Right-size your Information Security Investment
In a world of burgeoning threats and increasing organisational security demands, it has never been harder for a CIO to ensure they are right-sizing their Information Security (IS) investment. Innovative CIOs are now going above and beyond traditional IS solutions. Throwing money at your IS investment with your fingers crossed is, quite frankly, an irrational way of ensuring you aren’t exposed to security risk. What if you haven’t thrown enough money? Or what if you were asked to justify your investment spend to your stakeholders?
More security isn’t necessarily better. So, how do you ensure your IS investment is just right?
Fear, Uncertainty and Doubt ‘FUD’ – the drug of choice for Security Vendors
The aim of the Security vendor is to raise the level of fear and paranoia to sell you their solution. Sure, part of what they are doing is community awareness, but the potential threats are typically hyped. Security control vendors, in particular, make money out of selling protection gear, regardless of the actual need in a particular organisation. Firewall vendors, for example, will talk about the growing leagues of international criminal hackers trying to break into your system, and Anti-Virus vendors will send virus alerts daily, creating a mind-set that, unless you buy their products, you are not protected. The well-organised marketing arms of these companies ensure a constant stream of press releases are always at hand.
Of course, there is some truth in these community announcements that cannot be ignored, but we need to seek a balanced view rather than a knee-jerk response. Most organisations tend to be reactionary when they recognise a potential problem. Instead of analysing the situation there is a propensity to jump straight to the vendor-driven solution. Many organisations naively trust vendors as independent experts, when ultimately the only vendor agenda is that more security is better, regardless of your specific business needs. Without a clear business-driven model, security solutions will continue to be poorly targeted, increasing risks and costs.
If we take Biometrics as an example, they simply don’t work effectively for mainstream use. Contrary to misleading claims from vendors, the US National Research Council (NRC) published a report in 2010: “Biometric Recognition: Challenges and Opportunities,” which concluded, “no single biometric trait has been identified as stable or distinctive… which has placed doubt about the reliability of fingerprint, iris patterns, voice recognition and facial recognition systems.” Biometrics per se are not a bad thing, rather, they have been peddled as the panacea for a vast array of Security problems. In reality they are only effective in a small number of niche solutions.
The public perception is that biometrics are better than a password, when, in fact, the opposite is more likely to be true. A strong password has potentially billions of combinations and is extremely difficult to break, but a fingerprint, for example, after adjusting for false acceptance and rejection rates in real world use, typically has a 1 in 20 to 1 in 601 chance of being unique. Even the most advanced finger-printing systems can be easily breached by taking a copy of the finger-print off a glass and using a gummy finger-print system to create a latex print equivalent which can be used to gain access. It is actually easier to hack many Biometric controls than a strong password and every Biometric system that we have today is fallible, including some DNA testing.
This is not a criticism of Biometrics; we just need to understand their limitations and only use them where they are an ideal solution. A time-keeping system, for example, is a reasonable application for Biometrics. In this case, the finger-print system is not used for authenticating access to sensitive data; it is purely being used as a method of establishing a level of trust that the individual is physically present at a given point in time. In this context finger-prints are more effective than a signed ledger or clock card, assuming users are properly educated, enrolment and backend storage of credentials are properly implemented, and the ROI stacks up.
Firewalls are another prime example. It is easy to visualise a firewall as an impenetrable moat around a castle, designed to keep the bad guys out. Unfortunately in a connected world, we need external access to key systems, so we need a draw-bridge across the moat to let the good guys in and out. The challenge is, how do we distinguish the good guys from the bad guys crossing the bridge? Vendors will tell you they use sophisticated packet inspection techniques, but in reality, the firewall is unable to distinguish between a good IP address and a bad IP address without business context. The real security takes place at the system or application level where credentials and business context can be established.
If firewalls typically play only a small role in effective security for externally accessible systems, why do they receive such a disproportionate share of information security budgets? Ideally we need an independent rating system for Security controls that allows us to quickly and easily determine a control’s real-world effectiveness in a specific business context.
Why build Fort Knox if you are not protecting gold?
Organisations have limited budgets and must spend what little they have where it is needed most. Where there is an identified need, the organisation must be assured that the solution is optimal – no more, no less. It is often argued that more Security is always better. If there were options to improve Security at little or no cost and without hindering business processes, it would always make sense to implement them.
In reality, those solutions rarely exist. There is always a price for Security, whether it is capital cost, the effort required to maintain and manage the solution, or simply the additional hurdles that the organisation must jump to perform their daily tasks. Keeping those costs to a minimum is essential for all organisations.
So how do you right-size your IS investment?
Firstly, you need to know the sensitivity of your data as this will tell you the amount of Security required. At Linus we call this Data Sensitivity Analysis, or the “So what?” test, as in “So what if this data is exposed? What will the impact be on the organisation?” This step determines what data is worth protecting before investing in infrastructure or making Security design and management decisions. Obviously the more sensitive the data, the more protection is required. Conversely, data that is not as sensitive requires less security, resulting in potential cost savings for the organisation where controls can be reduced.
Next you need to analyse the Access Environment to build a picture of the various data storage locations and the access methods and behaviour employed by users to access that data. From this information you can start to model the points where specific Security controls should be applied to protect sensitive data.
Manage IS controls holistically
The aim of right-sizing your IS investment is to determine the minimum, most cost-effective set of Security controls, combined across all control layers, that collectively reduces the exposure of data to an acceptable level commensurate with the data’s sensitivity (in terms of confidentiality, integrity and accountability). For example, a power utility located the IT application that controlled the region’s power supply on several workstations in a locked and secure room, on a closed network, with physical access available only to a select few people.
An audit highlighted that passwords had not been changed on these workstations and that this posed a Security weakness. In isolation this concern seemed reasonable, but when combining the controls holistically, a different picture emerged: the main building required keycard access through a guard-supervised boom gate. Only a dozen or so staff were allowed access to the main operations area in the building. Only three staff were physically allowed access to the room housing the workstations.
Put simply, there was no serious weakness, as physical controls ensured that only the three staff who required access to the workstations could enter the room. Holistically, the Security controls were adequate, even with a password weakness.
The holistic approach not only provides a cumulative benefit, but also simplifies the selection process. The aim is to allow full utilisation of existing Security controls, and combinations thereof, and avoid additional or expensive controls wherever possible.
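The following is an added worked example, not code from the article or from Linus, that turns the two ideas above into something you can run: the “So what?” sensitivity tier sets an acceptable residual exposure, controls on each layer are combined holistically, and the cheapest set of additional controls that meets the target is chosen. The scoring model itself (a per-control effectiveness fraction, multiplied across layers, compared with a per-tier threshold) is an assumption made for illustration, as are every control name, effectiveness value and cost figure. It replays the power-utility audit from the text, where the existing physical and network controls already meet the target so no spend on the password finding is needed, and contrasts it with an internet-facing application where the cheapest adequate fix is application-level, not a bigger firewall.

```python
from dataclasses import dataclass
from itertools import combinations

# Constructed mapping from the "So what?" sensitivity tier to the maximum
# residual exposure the organisation will accept. Illustrative values only.
ACCEPTABLE_EXPOSURE = {"low": 0.50, "medium": 0.20, "high": 0.01}


@dataclass(frozen=True)
class Control:
    name: str
    layer: str            # physical / network / host / application
    effectiveness: float  # fraction of remaining exposure this control removes (0..1)
    annual_cost: float    # constructed figure; 0 for controls already in place


def residual_exposure(controls):
    """Combine controls holistically.

    Each control only sees what earlier layers let through, so the residual
    exposure is the product of every control's pass-through fraction
    (1 - effectiveness), starting from 1.0 for completely unprotected data.
    """
    exposure = 1.0
    for c in controls:
        if not 0.0 <= c.effectiveness <= 1.0:
            raise ValueError(f"{c.name}: effectiveness must lie within 0..1")
        exposure *= 1.0 - c.effectiveness
    return exposure


def is_adequate(controls, sensitivity):
    """True when the combined controls meet the target for the data's tier."""
    return residual_exposure(controls) <= ACCEPTABLE_EXPOSURE[sensitivity]


def cheapest_additional_controls(existing, candidates, sensitivity):
    """Return (added_cost, added_controls): the lowest-cost subset of the
    candidate controls that, on top of what is already in place, meets the
    target. Exhaustive over subsets, which is fine for a handful of options.
    Returns None if no subset suffices."""
    best = None
    for k in range(len(candidates) + 1):
        for subset in combinations(candidates, k):
            if is_adequate(list(existing) + list(subset), sensitivity):
                cost = sum(c.annual_cost for c in subset)
                if best is None or cost < best[0]:
                    best = (cost, subset)
    return best


# --- Scenario 1: the power-utility control room from the text (constructed figures) ---
GUARDED_GATE = Control("keycard and guard-supervised boom gate", "physical", 0.90, 0)
OPS_AREA = Control("operations area limited to about a dozen staff", "physical", 0.75, 0)
CONTROL_ROOM = Control("locked room, three staff admitted", "physical", 0.92, 0)
CLOSED_NETWORK = Control("closed network, no external path", "network", 0.95, 0)
STALE_PASSWORD = Control("workstation password, never rotated", "host", 0.30, 0)
PASSWORD_ROTATION = Control("enforced password rotation", "host", 0.60, 3_000)


def power_utility_audit():
    """The audit finding in isolation versus the controls taken together."""
    sensitivity = "high"
    existing = [GUARDED_GATE, OPS_AREA, CONTROL_ROOM, CLOSED_NETWORK, STALE_PASSWORD]
    return {
        "password_alone_adequate": is_adequate([STALE_PASSWORD], sensitivity),
        "holistic_adequate": is_adequate(existing, sensitivity),
        # (0, ()) means the existing controls already suffice: nothing to buy.
        "cheapest_fix": cheapest_additional_controls(existing, [PASSWORD_ROTATION], sensitivity),
    }


# --- Scenario 2: an internet-facing application behind a firewall only (constructed) ---
PERIMETER_FIREWALL = Control("perimeter firewall, no business context", "network", 0.50, 0)
BIGGER_FIREWALL = Control("next-generation firewall upgrade", "network", 0.55, 30_000)
APP_AUTHENTICATION = Control("strong authentication at the application", "application", 0.95, 8_000)
APP_AUTHORISATION = Control("per-record authorisation checks", "application", 0.80, 6_000)


def internet_facing_app():
    """Cheapest additional controls that bring sensitive, externally reachable data
    within target. The answer lands at the application layer, not the perimeter."""
    return cheapest_additional_controls(
        [PERIMETER_FIREWALL],
        [BIGGER_FIREWALL, APP_AUTHENTICATION, APP_AUTHORISATION],
        "high",
    )


if __name__ == "__main__":
    print(power_utility_audit())
    cost, added = internet_facing_app()
    print(cost, [c.name for c in added])
```

Because the effectiveness figures are assumed, the numbers themselves mean nothing outside the example; what the model shows is the shape of the decision. The same host-level finding is a real gap on one asset and a non-issue on another, and that difference comes entirely from the controls already on the other layers, which is why the evaluation has to be done per asset and across all layers rather than control by control.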
In this connected world, it is more important than ever to align security with specific business needs and carefully target investments where they are most needed in a holistic and balanced manner. This is a challenging process for organisations, but it can be greatly simplified with the right methods and supporting tools.