The (ISC)² US Government Advisory Board Executive Writers Bureau (EWB) looks to help CISOs and their counterparts identify cost-effective approaches amidst the soaring price of cybersecurity tools.
The compound annual growth rate of the worldwide cybersecurity market is around 9%. US demand for cybersecurity jobs has expanded 3.5 times faster over the past five years, and 12 times faster than the labor market as a whole, according to a 2013 analysis by the Wall Street Journal. For the chief information security officer (CISO), this typically means increasing budgets.
That being said, adding cybersecurity tools, year after year, to an organization’s budget is like buying underwear: no one wants the expense, but everyone realizes it’s a necessity. For most CISOs, it’s a nightmare to convince decision-makers that an expensive IT security tool is actually a necessary cost-saving measure that will provide a return on investment, rather than a revenue-generating one. To make matters worse, if the CISO has succeeded in his/her job, there may be no prior breaches or other enterprise vulnerabilities in dire need of fixing to point to. For this reason, you might hear a CISO muttering under their breath, “I just wish a little something would happen”, knowing that even the smallest security incident ensures a stream of resources into the security budget.
In 2012, a survey of technology managers in the US conducted by the Ponemon Institute and Bloomberg found organizations that wanted to achieve the highest possible level of IT security (capable of repelling 95% of attacks) would have to boost spending from the current $5.3 billion (combined) to $46.6 billion, nearly a seven-fold increase. Even an ability to stop just 84% of attacks would require an approximate doubling in their investments.
While 95% establishes a high standard, professor Lawrence Gordon of the University of Maryland’s Robert H. Smith School of Business proffered that a 100% level of security is neither attainable nor particularly desirable, as it would not offer a good return on investment. The key is finding the “optimal level” of investment, he asserts, keeping in mind that costs are rising. Once new common vulnerabilities and exposures are publicly acknowledged, we can expect even shorter times for hackers to develop rootkit-based exploits with widespread release. Just as there are automation tools for rapid software development, those tools and technologies will be applied more frequently to malware.
Larry Ponemon, chairman of the Ponemon Institute, attributed the rising costs we see today to the fact that attacks are much more difficult to identify, resolve, and remediate. “Some of these pieces of malware are just brilliant and they cause a lot of damage”, he said in an October 2013 comment to FierceITSecurity.
“These attacks are often targeted attacks that can continue for months if not years. This drives costs up substantially.”
Professor Lawrence Gordon of the University of Maryland’s Robert H. Smith School of Business
According to an April 2014 report by security firm Mandiant (owned by FireEye), hackers spend an average of 229 days on a victim’s network before they are even identified.
Thus, with the gamut of cybersecurity tools on the market, a CISO’s recommendations must be well-thought-out and justifiable to address the soaring costs. Following is some ‘food for thought’ when preparing your budget and considering your specific security program(s).
Security Intelligence Tools
Before investing in additional security tools, it is strongly recommended that security intelligence tools be integrated into your program so that you gain a better understanding of what you actually need. Because the value of intelligence can decline in a matter of days or hours, more organizations are implementing an in-house threat intelligence program, dedicating staff, tools, and other resources to network baselines, anomaly detection, deep packet inspection, and correlation of network and application activity data.
The rise of threat intelligence services is helping enterprises gain greater insight into global and industry-specific threats. The CISO’s job is to figure out how to make that information actionable and to implement countermeasures in a timely manner. The key benefit of leveraging threat intelligence with analytics is that it produces predictive threat warnings and mitigation advice by monitoring security events from a wide and diverse variety of sources. By analyzing and correlating millions of global events, organizations can uncover malicious activities that may have otherwise gone unseen.
In-house threat intelligence programs can be as simple as IT staff being trained to pay closer attention to data, or as involved as developing a team of people to perform deep packet inspection and forensics on a full-time basis. For those organizations that opt to purchase intelligence tools, Chuck McGann, (ISC)² U.S.
“It is important that the tool vendor invest in the success of its tools. Defining realistic outcomes and requiring an onsite technical support resource who will be held accountable for delivering such outcomes will help to minimize false expectations often presented in an initial sales pitch.”
Chuck McGann, (ISC)² U.S. Government Advisory Board Co-Chair
Security Suites vs Stand-alone Programs
An internet security software suite is usually cheaper than buying separate stand-alone programs, and it also reduces the likelihood that security programs will be incompatible with one another. Not all of the components of an internet security software suite, however, may be useful. A firewall is essential to protect your computer from intrusion threats, but your wireless router may already include one, and experts say a router firewall is more effective than a software firewall. Your internet service provider or email program may already filter spam. Therefore, choosing between an internet security suite and stand-alone security software is partly a matter of weighing the strengths and weaknesses of each package against your own security priorities.
Cloud Security
Despite the convenience and economic benefits, cloud computing may not be for all organizations (i.e., those with highly classified missions and/or extremely sensitive data). However, for most, the security advantages of cloud computing, coupled with the ability to create private clouds, should offer the security assurances needed to satisfy a good number of organizations.
Those who choose to move data from physical to virtual environments should consider the need to update their security. For instance, you can’t install a traditional firewall or anti-virus software in a cloud-based virtual environment. Hypervisor security is critical when using clouds and is often overlooked. If an intruder gains control of a virtual server, they may be able to gain control of the hypervisor. And, by the way, a whole new set of security issues comes into play if enterprises allow employees to access corporate data with smartphones and tablets.
Cyber Insurance
As a supplement to security tools, insurance should be considered as a means of mitigating risk, but be advised that insurance companies are also launching new cyber products, and premiums are rising. Cyber insurance premiums can range widely based on the size of a company and the extent of its perceived exposure.
“Small and mid-size companies may have a $2,000 to $15,000 price per $1 million limits of liability of coverage, compared with $17,500 to $50,000 or more for larger-size companies. It is something to think about.”
Ken Goldstein, VP & Worldwide Cyber Security and Media Liability Manager at Chubb Insurance
Dave Navetta, founding partner of the InfoLawGroup who helped develop cyber insurance products at AIG at the start of last decade, adds: “Cyber insurance is becoming less of an option and more of an automatic purchase.”
Taking a Formulaic Approach
To compare the cost of a malware attack to the value of security tools, a formula of some type may prove useful. Following is an example:
- Assign values to your organization's data by determining how much it would cost to restore lost information.
- Estimate the losses of a single incident in recovering from a malware attack (lost employee time, lost revenue due to compromised systems, fines and penalties relating to disclosure of sensitive/privacy information, etc.).
- Previous attacks: Estimate how many significant malware attacks your business has suffered in previous years. This will provide you with a loss expectancy number for the years to follow and – by combining the previously determined losses – reflect the dollar amount that malware is costing your business each year.
- Assess internal and external users: While, in general, people don’t like their actions to be tracked, businesses can use employee behavior as a tool for threat identification. If need be, place a subjective value on your security teams’ level of proficiency, as well as employees’ overall attitude and compliance toward security practices. If the value is high then the risk may be lower and, in turn, offset the expenditure on unnecessary tools.
- Plan your budget. The estimated annual losses give you a rough idea of the maximum amount you should spend on malware countermeasures. Many companies may wish to spend far less, however, because there are situations in which businesses are willing to accept a higher malware risk, either because the likelihood of an attack is so low or because the cost of mitigating the risk is so high. A rule of thumb suggests that cybersecurity expenses should be between 30% and 40% of potential losses.
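The five steps above are the classic single loss expectancy (SLE), annual rate of occurrence (ARO) and annualized loss expectancy (ALE) calculation, with the 30–40% rule of thumb applied at the end. The following Python script is an added worked example, not code from the article or from (ISC)²; all dollar figures, incident counts and the 0.7 proficiency score are constructed sample values, and the linear "posture factor" that scales exposure down by at most 50% for a strong security team is an assumption made for this example, since the article only says a high score "may" lower the risk.

```python
"""Worked ALE budgeting example for the five steps above (constructed figures)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    restore_cost: float     # step 1: cost to restore the lost information
    incident_cost: float    # step 2: other per-incident losses (downtime, lost revenue, fines)
    prior_incidents: int    # step 3: significant malware incidents in the look-back window
    years_observed: int     # length of that look-back window, in years


def single_loss_expectancy(asset: Asset) -> float:
    """SLE: total dollar loss from one incident affecting this asset (steps 1 and 2)."""
    return asset.restore_cost + asset.incident_cost


def annual_rate_of_occurrence(asset: Asset) -> float:
    """ARO: expected incidents per year, derived from the historical count (step 3)."""
    if asset.years_observed <= 0:
        raise ValueError("years_observed must be positive")
    return asset.prior_incidents / asset.years_observed


def annual_loss_expectancy(assets) -> float:
    """ALE = sum over assets of SLE * ARO: what malware is costing the business each year."""
    return sum(single_loss_expectancy(a) * annual_rate_of_occurrence(a) for a in assets)


def posture_factor(proficiency: float, max_reduction: float = 0.5) -> float:
    """Step 4: a subjective 0..1 score for team proficiency and user compliance.

    ASSUMPTION for this example: exposure is scaled linearly, down to 50% at a
    perfect score. The article gives no formula for this step.
    """
    if not 0.0 <= proficiency <= 1.0:
        raise ValueError("proficiency must be between 0 and 1")
    return 1.0 - max_reduction * proficiency


def plan_budget(assets, proficiency: float, low_share: float = 0.30, high_share: float = 0.40) -> dict:
    """Step 5: the posture-adjusted ALE is the spending ceiling; 30-40% of it is the rule-of-thumb range."""
    ale = annual_loss_expectancy(assets)
    adjusted = ale * posture_factor(proficiency)
    return {
        "ale": ale,
        "adjusted_ale": adjusted,   # maximum worth spending on countermeasures
        "budget_low": adjusted * low_share,
        "budget_high": adjusted * high_share,
    }


# Constructed sample data: a small company with three asset groups.
SAMPLE_ASSETS = (
    Asset("customer database", restore_cost=120_000, incident_cost=380_000, prior_incidents=2, years_observed=5),
    Asset("ERP system",        restore_cost=50_000,  incident_cost=150_000, prior_incidents=1, years_observed=5),
    Asset("public website",    restore_cost=5_000,   incident_cost=15_000,  prior_incidents=6, years_observed=5),
)
SAMPLE_PROFICIENCY = 0.7  # constructed: a reasonably capable team with decent user compliance


if __name__ == "__main__":
    for a in SAMPLE_ASSETS:
        print(f"{a.name:18s} SLE ${single_loss_expectancy(a):>10,.0f}  ARO {annual_rate_of_occurrence(a):.2f}")
    plan = plan_budget(SAMPLE_ASSETS, SAMPLE_PROFICIENCY)
    for key, value in plan.items():
        print(f"{key:13s} ${value:>10,.0f}")
```

With the sample figures the raw ALE comes to $264,000 per year; the 0.7 posture score scales that to $171,600, which is the most worth spending, and the rule of thumb puts the planned budget between about $51,480 and $68,640. Replacing `SAMPLE_ASSETS` with your own restore and incident estimates is the whole exercise; the model is only as honest as the incident history you feed it, which is why step 3 matters.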
Attack costs come in a variety of forms, including direct disruption of operations and payment transactions, and theft of sensitive data such as trade secrets and credit card information. Attacks also generate indirect losses, such as legal liability and long-lasting harm to a business’s brand. There is no one solution for all organizations. A combination of intelligence tools and stand-alone programs, or intelligence tools plus cyber insurance, may be best for one organization, whereas a security suite is the answer for another.
Because businesses continue to become more dependent on the internet, cybersecurity budgets will continue to increase, as will the cost of the technology solutions. Hopefully this article has provided you with some options. As the old adage goes, ‘If man built it…man can defeat it!’
This article was written by the (ISC)² U.S. Government Advisory Board Executive Writers Bureau (EWB). Members of the Bureau include federal IT security experts from government and industry. Lou Magnotti, EWB member, was lead author of this peer-reviewed article. Visit the (ISC)² website for a full list of Bureau members.