Andy Jaquith blogs about Lindstrom's Razor, where we establish a floor (minimum) value for information assets by counting how much we spend to build, deploy and operate those assets. The simplicity of counting the costs is attractive, as Andy says:
"This metric is quite simple to gather (even as a consultant I can generally get these numbers together for clients in a matter of days) and once you do it's quite useful for decision support. It doesn't require interviews or any sort of guesswork, just a spreadsheet and a few defensible ideas about how to allocate costs that are known and can be measured."

If businesses simply used the Lindstrom Razor to assess their security alignment, it would greatly reduce the complete misalignment of security spend versus business spend. My cocktail napkin analysis says the network market is ~$39B and the network security market is ~900M, yet the software market is ~98B and the software security market is only ~150M; this just does not add up. If the 2.3% we spend to secure networks is a good number, fine, but that still means software is 0.2% invested in security. Why the lack of alignment?
In other words, security should align with business goals (the business spends ~3x more on software than on networks) instead of functioning à la Colonel Kurtz in some kind of People's Republic of Information Security (spending 6x more on network security than on software security), where balance sheets are irrelevant and the only currency is FUD and threats.
Further, I cannot emphasize enough - it's a relatively straightforward metric to communicate and understand in an organization, and if decision support is the goal of metrics then a shared understanding is critical.
Mohnish Pabrai won't buy stock in a company if he needs to use Excel to understand it; Warren Buffett goes one step further, saying if you need a computer to understand the business you shouldn't be buying it.
By the way, the asset valuation is not an end in itself; it's the starting point for more qualitative discussions, which could be "now that we've established a floor, let's talk about the ceiling." But from an engineering standpoint we can also use the asset valuation to assess the control efficacy that we can bring to bear on the situation. In other words, the asset valuation combined with what you are willing to spend lets you put on your security engineering hat and say: given I have x dollars to spend, what is the best combination of controls that I can deliver for that amount?
Believe me, this is not the de rigueur approach to security engineering in most companies - boss plays golf with firewall vendors, contract is renewed, hey, what happened to 50% of our infosec budget?
Instead use Lindstrom's Razor as a starting point to align infosec with business goals.
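As an added worked example (not code from this post, from Andy Jaquith or from Pete Lindstrom), here is the post's arithmetic carried through in Python: the floor value as the sum of build, deploy and operate cost, the security-spend alignment ratio computed from the napkin numbers above, and a brute-force search for the combination of controls that protects the most asset value within a fixed budget. The asset costs, the control prices and the coverage percentages are constructed assumptions chosen to make the selection step interesting; only the napkin market figures come from the post.

```python
from itertools import combinations

# Constructed cost components for one information asset (illustrative figures,
# not from the post): what was spent to build, deploy and operate it.
ASSET_COSTS = {
    "build": 1_200_000,   # development / acquisition
    "deploy": 300_000,    # rollout, integration, hardware
    "operate": 450_000,   # annual run cost
}

# Constructed candidate controls: name -> (annual cost, percentage points of the
# asset's floor value the control is assumed to protect). Coverage figures are
# assumptions for the example, not measurements.
CONTROLS = {
    "input validation library": (40_000, 20),
    "static analysis in CI": (90_000, 25),
    "web application firewall": (120_000, 15),
    "security code review": (160_000, 30),
    "penetration test": (60_000, 10),
}


def floor_value(costs):
    """Lindstrom's Razor: the floor value of an asset is simply the sum of what
    was spent to build, deploy and operate it."""
    return sum(costs.values())


def alignment_ratio(security_spend, total_spend):
    """Security spend as a fraction of the spend it protects; the post's 2.3%
    for networks and 0.2% for software are this ratio on the napkin figures."""
    return security_spend / total_spend


def best_control_set(controls, budget):
    """Given x dollars to spend, pick the combination of controls that fits the
    budget and protects the most value. Ties are broken toward the cheaper set.
    Exhaustive search is fine for a handful of candidates; with many controls
    this is a 0/1 knapsack and would need dynamic programming instead.
    Returns (names, total_cost, coverage_points); ((), 0, 0) if nothing fits."""
    best = ((), 0, 0)
    for r in range(1, len(controls) + 1):
        for combo in combinations(controls, r):
            cost = sum(controls[c][0] for c in combo)
            if cost > budget:
                continue
            coverage = min(100, sum(controls[c][1] for c in combo))
            # Prefer more coverage; for equal coverage prefer lower cost.
            if (coverage, -cost) > (best[2], -best[1]):
                best = (combo, cost, coverage)
    return best


def protected_value(floor, coverage_points):
    """Dollars of floor value covered by the chosen controls."""
    return floor * coverage_points // 100


if __name__ == "__main__":
    floor = floor_value(ASSET_COSTS)
    print(f"asset floor value: ${floor:,}")
    # Napkin figures from the post, in millions of dollars.
    print(f"network security / network market: {alignment_ratio(900, 39_000):.1%}")
    print(f"software security / software market: {alignment_ratio(150, 98_000):.1%}")
    names, cost, cov = best_control_set(CONTROLS, 250_000)
    print(f"best set within $250,000: {', '.join(names)} "
          f"(${cost:,}, {cov}% coverage, ${protected_value(floor, cov):,} protected)")
```

The floor value is only a starting point, as the post says; the selection step is where the engineering happens, and it is only as good as the coverage estimates you feed it, so those should be the first thing challenged in the "ceiling" discussion.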
Hey Gunnar,
where did you get these numbers and what would you include in each of these markets?
"My cocktail napkin analysis says...
- the network market is ~$39B
- the network security market is ~900M
- the software market is ~98B
- the software security market is only ~150M"
They seem wildly incorrect - not that it would distract from the point of your article, just curious
Posted by: Amrit | October 21, 2009 at 01:41 PM
@Amrit if you read the link (*) it's predicated on the revenues of the biggest players in their spaces
"Let's look at networks. Obviously Cisco is the biggest, they earned $39.5 Billion last year. Pretty stellar. So spending $900 Million (Checkpoint) to defend $39.5 Billion seems like a pretty good deal.
Except, let's compare software security spending - last year Microsoft earned $60 Billion, SAP $16 billion, and Oracle $22 Billion. So that is about $98 Billion and you are going to "defend" that with allocating $150 Million worth of software security tools?"
* http://1raindrop.typepad.com/1_raindrop/2008/08/software-security-market.html
Posted by: Gunnar | October 21, 2009 at 01:46 PM
Hey Gunnar,
Thanks for the comments. The confusion comes from your use of the terms "software security tools" and "network security" market. I assume for the "software security tools" you are really just referring to static and dynamic application analysis and testing tools (fortinet, SPI, watchfire, Ounce labs, etc) and not all software security tools (every piece of security software), which is also referred to as "software security tools". That being said, the total market for all static and dynamic application testing tools is much higher than $150 million.
It isn't clear what you are referring to in "network security" since there wasn't a link that explained it, but the "network security" market is orders of magnitude larger than $900m.
I don't think your position holds water because you are comparing total software market size against only one area of security - security tools used as part of the application development process.
Posted by: Amrit | October 22, 2009 at 06:53 PM
@Amrit
the 900M is Checkpoint's annual revenue
the 150M is based on Gary's estimate and some anecdotal on Fortify, Ounce and such.
Again the rest of the analysis is here
http://1raindrop.typepad.com/1_raindrop/2008/08/software-security-market.html
I would generally put testing tools in the assurance category
It's a cocktail napkin analysis, would be happy to work on a more formal one; the idea is to take representatives of the largest players in each niche.
Posted by: Gunnar | October 29, 2009 at 09:24 PM