
Comments

Kees Leune

Interesting! Can you elaborate a little more on how you propose to rebalance the IT security spend?

Gunnar

Kees - I don't have a generic plan for how to rebalance the spend, my main goal is to get a sane starting point based on business and asset instead of "this is how we have always done it." Rebalancing depends on a number of factors and constraints - what security services are you set up to deliver, where and how is the most cost effective way to deliver the security services, and so on. So my main goal is not that I have the perfect rebalanced view for everyone, but rather that you should start by taking an objective view.

Devdas

Wouldn't it make more sense to value an asset at what you can resell it for?

A lot of applications are licensed per user (see MSFT Windows and Office, for example), so they have a disproportionate effect on the costing, but not on the value they deliver.

The data is the most valuable bit (even if you spend less on it). The applications are your biggest cost, but not your biggest value. Applications are also your biggest vulnerabilities.

The network offers a chokepoint for traffic, and is a good opportunity to control traffic. Hence, spending money on the network based control is actually cheaper per node than host based control.

The correct solution, as always, is to run audited code which has been well tested for security issues.

Gunnar

Devdas - The budget numbers described to value the asset are the starting point to generate the floor value - the minimum number. I have also used revenue generation by asset to generate the ceiling. This can be interesting to compare, but you generally need to do it on an app by app basis - how much revenue do leveraged assets like a network provide?

To your second point, I think there are many cases where network security can be among the most cost effective solutions, but this is not generally the way the case is made. I am just trying to move thinking in this direction, instead of assuming that future investment priorities in infosec will blindly follow the past.

Devdas Bhagat

Hmmm, I would really like to look at it as "What happens to your company if this data is made public before you want it to, or it gets destroyed"?

If you find yourself going out of compliance with your application licensing, the cost of coming back into compliance is fairly low. OTOH, if your customer data gets public, that's a lot of damage.

What I am trying to say is that cost and value are not the same. Data has a disproportionately higher value to its cost. Applications have lower value than data (but you can't negotiate costs always, especially with closed data storage formats).

I agree that security investment priorities need to change, but not because of the costing involved.

I prefer to think of security systems as bandages. Securing the network gives a lot of bandaging for the least cost. Securing the application is corrective surgery, expensive but the only fix.
