Three Steps to Ensure Bigger Spend Translates to Better Security

As cyber-threats continue to wreak havoc on organizations everywhere, the traditional response has been to throw more dollars at the problem. Earlier this year, Gartner wrote of growing IT security budgets in the face of rising data breaches, as found in its 2013 Global Risk Management Survey, and most recently came news from PricewaterhouseCoopers about spending increases in the financial services sector, which is still reeling from mega breaches at JP Morgan Chase and others.

But how much money is enough? Rather than how many dollars are needed, a better question to address is ‘how much cybersecurity capability can you expect per dollar spent?’

Layering on more whiz-bang security tools, adding resources to manage the increasingly complex environment and attempting to monitor every bit and byte that flies for the sake of ‘big data’ will provide you with some security, and a lot of busy work. And for what? The true test at the end of the day must be this: how much safer is my organization as a result of those activities? At what point does the marginal utility simply not make sense? The trouble with more whiz-bang tools is that organizations which employ this approach in the absence of a top-line strategy continue to view cybersecurity as an IT problem rather than an organizational risk problem.

I would argue that as organizations race to throw more funding at the next generation of tools, many are not in a position to leverage those tools to their full potential. Costs climb as they realize they’ve bitten off more than they can chew. Organizations, in many instances, continue to try to protect everything equally, attempting to apply the same amount of resources to low-value areas as to high-value environments. But not all risks are created equal.

Instead, organizations should be paying more attention to the basic building blocks of a well-balanced cybersecurity program. And it should start with the question ‘How much capability can I expect per dollar spent?’ This answer will be important to you, your leadership team and the board.

The process starts with three key steps:

1: Prioritize the Value of Information Stored

Defining information valuation requires the largest level of effort, and it is not a set-and-forget task; it is a constant work in progress. Categorize the major systems of record that, if breached, could cause a large amount of digital harm to your organization. These are typically systems that house information such as personal information, health records, credit card numbers and intellectual property. Generally, you should prioritize systems that, if breached, could land you in a courtroom or in the news, or cause brand impact and lost consumer confidence.

2: Conduct a Threat Assessment

Too often organizations fall into the trap of looking only at the bits and bytes, but it is critical to understand who is attacking whom, what is being targeted, how the attack is being carried out and what the impact is. Remember, cyber-attacks are conducted by human beings, who are driven by a desire to have your data. Everything is a commodity, whether the system resources, accounts on the system, connectivity to other environments or the data on the system itself. It is common for many organizations to look only at technical data, but that means you are looking only at the evidence of the tools the attackers used. In other words, you are treating it as only an IT problem. It’s important to build an intelligence capability that looks beyond the purely technical realm.

3: Deploy the Proper Countermeasures

Now that you have catalogued your organization’s information and performed some analysis on why an attacker might want it, you must next deploy the proper countermeasures. Countermeasures come in the form of people, process and technology, or a combination thereof, depending on the cyber-problem that needs attention. From a program management standpoint, countermeasures can also be called cybersecurity products and services or Key Business Activities (KBA).

Each product and service KBA requires labor and materials, generally consisting of hardware, software and anything delivered as a service. At this point you simply need to map your countermeasures and identify how they align to the identified threats, which in turn align to the information that can cause digital harm. Using this format, you have alignment to the business based on what the business units view as important. You can also identify known and perceived threats to the resilience of these business activities, and can articulate the resources applied to reducing exposure to these threats along with the actual dollars it takes to perform this mission.

Any threat actor has a motivation to utilize something of value that you have. The types of commodities you possess will point to the types of likely actors and their tactics, techniques and procedures (TTPs). This assessment will then point to the countermeasures you need to deploy to combat those TTPs and allow you to capture the labor and material costs associated with them. When evaluating your own program, how much capability per dollar spent are you getting?

About the Author

Adam Meyer is chief security strategist at SurfWatch Labs, a cyber risk intelligence company. Prior to joining SurfWatch Labs he was CISO at Washington Metropolitan Transit Authority, one of the largest public transportation systems in the United States, and director of information assurance and command IA program manager for the Naval Air Warfare Center, Naval Air Systems Command, one of the Navy's premier engineering and acquisition commands.