When you think about it, an enterprise's budget is really a reflection of its priorities. James McGovern posted a set of principles to guide security architects on some all-important budget and prioritization issues.
Principle One: Auditors sometimes have more of a say in enterprise spending than the enterprise itself
This is pretty clearly a common anti-pattern. I have seen first-hand numerous seven-figure security projects driven by a single checkbox on an auditor's report list, while low six-figure projects that could drive a lot of value to the enterprise remain taxiing on the tarmac, not approved for lift-off. Hoff summarized a better way to think about this as being asset focused, not auditor focused. Be in charge of your own priorities; it's OK to outsource some things, but prioritization shouldn't be one of them.
Principle Two: An asset is not valued on what you spend to acquire it
Gunnar believes that the security spend should track in alignment with the money invested. While this is philosophically true, reality states that enterprises spend way too much on certain technologies, which can skew the results. For example, if I spend $50 million for a strategic architecture platform created by your favorite insulantcy that flies in kindergartners from all over the planet to deliver chock-a-block eye candy PowerPoint, only to deliver a 10,000 line Hello World application, that doesn't mean that I should spend a lot to protect it.
To be clear, I think an asset is worth at least what you pay for development and maintenance. It could be worth much more (especially if you like making profits). The book value metric gives you a floor value, that the asset is worth at least $X; that floor says nothing about whether another line item could have a higher value. Note, I learned this from Pete Lindstrom. I look at this as a starting point for prioritization, not an end game. In other words, lay out the amount you have invested in your assets to get the rough priorities by book value, then make the case for why asset A could generate more cash than asset B.
Principle Three: Security follows the keep it simple stupid (KISS) philosophy
Which is simpler: showing an auditor that I comply with a complex password policy scheme by pulling up the domain policy on my Active Directory domain, or demonstrating that none of my applications have CSRF exposure? When you keep things simple, you can allow more people to participate. I could take recent college graduates with absolutely zero IT experience, or my seven-year-old son for that matter, and teach them how to audit IT ecosystems if there are dialogs that present information. Real security requires knowledge of software development, which fewer folks in the US have. Likewise, budgeting within an enterprise context is a team sport where lots of folks get to add in their two cents. It is simply easier to go after simple things, even if it doesn't address the root cause of any issue, past, present or future, than it is to get folks to understand the root cause of something more important.
The ability for people of any ability to participate, even in conversations they don't understand, cannot be underestimated. Consider the simple fact that in order to be a PCI auditor, you don't even have to know how to code. You will probably find that you can put up a buffer overflow in PowerPoint in front of most PCI auditors and they wouldn't even recognize it.
Amen to that. I am also reminded of Dan Geer's oft-stated position that the purpose of security metrics is decision support, specifically to enable non-security experts (99% of IT) to make better security decisions. This is a very powerful goal. Think about how many security decisions are made each day in IT. In almost every meeting there are implicit tradeoffs that involve security, yet they are made in an ad hoc way, and so decisions are backed into. Partially because of lack of knowledge, partially communication, partially lack of awareness, but the reality is that simple metrics can enable people to make better security decisions; they don't have to know the history of cryptography to know that a signed token is more secure than an unsigned one.
Principle Four: Everything is important, but what is more important?
Gartner can provide magic quadrants for closed source proprietary products all day. If you want to understand what is the hottest ECM platform, they could tell you what is best between Alfresco, Interwoven, Documentum and so on. They of course have no clue as to which platform is more secure. If you need a log management platform, you could get guidance from Forrester and they will guide you on choices from LogRhythm, Splunk and LogLogic. Likewise, Burton Group can guide you on what is the best offering on federated identity, ranging from Oracle OIM, PingIdentity, OpenSSO and so on.
Bet you can't find a single analyst firm that would be willing to guide you on which is more important: log management or federated identity. You will get posturing, lots of hand waving and ultimately little useful guidance. Enterprises are constrained by budgets and sometimes only get to pick one category, and how this is resolved has as much integrity as flipping a coin.
It's not just analyst firms; there is widespread confusion in infosec as well. For my money, I think you start with the value of the asset and proceed from there. As to the next steps, you have to decide how much goes to helping the good guys get their jobs done (AAA) and how much goes to keeping bad guys out (input validation, output encoding, ...).
Principle Five: You are only allowed to be proactive once per year
We all collectively acknowledge that security isn't keeping up with business innovation, and therefore when given money to spend, it is usually to fix something that is known busted. So forget proactiveness when reactionary decision making rules the day. Some of this is due to visibility, and initiatives such as OWASP can help, but much of this is more in line with how humans behave. Ask yourself this question. If you were Chief Security Architect and wanted to address some gaping vulnerabilities within your ecosystem, and knew that an exploit was imminent, would it be easier to sell it proactively, or to sit back, watch it happen and then ask for funding? Which would be easier in terms of time, work/life balance and your soul...
Hi,
Your post is nice and informative. The latest buzz is that enterprise security plans are not keeping pace with rapid business adoption of cloud computing, social networking and other new technologies.
I would suggest you go through this article for full details:
http://www.webguild.org/2009/06/enterprise-security-is-not-keeping-pace-with-cloud-computing.php?p=p2
Posted by: hannahhkelly | June 10, 2009 at 06:01 AM