As practiced in many companies, Information Security is a confused discipline. There are many contributing factors, but the fact that security budgets are misspent is a leading reason. The budget dollars in infosec are not based on protecting the assets the company needs to conduct business, and they are not spent where the threats and vulnerabilities lie; rather, they are spent on infrastructure, which happens to be the historical background and hobby interest of the majority of technical people in the industry.
It's great that people have hobbies, and maybe your company can start something like 3M or Google, where employees get paid for a few hours a week to do research on things that interest them; however, these people's personal hobbies should not drive your security budget.
But the problem is not simply that infrastructure-centric spending dominates infosec. There is also the issue of what security's role in the organization is. The triangle of Security concerns shows that there are three differing roles in infosec.
In Identity & Access services, the role of infosec is to deliver security services in pursuit of returns. The enterprise is putting up an eCommerce system, delivering a mobile app or some other profit generating goal, and security's role in this case is to find the right mix of protection and detection schemes.
In Defensive services, the role of security is to act as a hedge against ignorance, creating a margin of safety against threats and vulnerabilities. In Enablement services, the role of security is to get 'er done - integration and making it all work.
There is not a single team, metric, or budget line item that adequately encompasses all of these concerns, but this is mission critical stuff for infosec.
During the financial crisis, Bill Gross, who manages the world's largest bond fund at PIMCO, said in response to why bond funds had done so well compared to stocks: "there are times when you worry about the returns on your money, and then there are times when you worry about the returns of your money."
In large part, investors in stocks are pursuing the former goal and investors in bonds are pursuing the latter. The point here is that metrics, budgets, staffing and architecture for return-oriented activities are night and day different from those that inform defensive activities. These separate but related concerns generate much of the confusion in infosec today.
In The Intelligent Investor, Ben Graham describes two types of investors - a Defensive investor who "places chief emphasis on the avoidance of serious mistakes or losses"; and an Enterprising investor who "devotes time and care to the selection of securities that are both sound and more attractive than the average."
If an investor seeks safety in bonds, they are likely to consider issues such as the bond rating (safety - how likely are you to be paid back), the maturity date (liquidity), and the issuer standing behind it. These metrics and ratings are all about assessing the safety of the bond issue - return of your money. The next step is to consider the yield, but note that bond investors have yield as a secondary concern. In fact, in most environments bonds are not likely to beat inflation the way stocks can, but they are much more likely to pay out.
If an investor seeks returns, then they will not weight heavily toward bonds, but look to stocks using metrics like P/E ratio (cheapness), Return on Equity (quality of the company), balance sheet, and dividend yield. The goal of this stock selection process is to find stocks that are cheap relative to their earning power value and generate returns on the investor's capital that exceed bonds.
The point here is that the goal - enterprising or defensive - determines the metric, which determines the decision making process and outcomes. So it's important to separate the enterprising, profit-seeking concerns from the defensive concerns. An investor with the mythical $100 may say that, given where I am at in my career and my overall financial goals, I want $60 in bonds and $40 in stocks; but then the entire remainder of the calculations and selections of bond and stock issues is done with domain-specific metrics and decision making. They are related because they both serve the investor, but they are in fact separate processes.
In the same way, security groups should make the hard allocation decisions up front to allocate dollars and resources to enterprising and defensive activities rather than seeking a single set of metrics that conflate two very different concerns.
Hi Gunnar,
What is your source for your statement that security dollars are "spent on infrastructure"? You imply too much is spent on infrastructure -- compared to what? When I look at the budget for my team (40 people), the vast majority is spent on salaries.
Posted by: Taosecurity | January 12, 2011 at 01:23 PM
Hi Richard,
I have done the calcs a couple of times; here is one:
http://1raindrop.typepad.com/1_raindrop/2008/11/the-economics-of-finding-and-fixing-vulnerabilities-in-distributed-systems-.html
I did not include salaries; I simply used the public financial data, like Checkpoint being a $1b revenue company, which all by itself dwarfed app sec. That by itself is quite silly, and then when you compare the assets that they are protecting it gets worse.
Back of the cocktail napkin
NetSec
$1b Checkpoint to protect $40b Cisco per year
vs
AppSec
~$500M (Fortify, Ounce, SPI, ...) to protect $114b (SAP(18b), MSFT (65b), ORCL (31b)) per year
So the "business" is saying that apps are about 3-4x more valuable assets than the network, yet infosec spent 2x on network security vs. appsec. Not only is there no alignment, it's the polar opposite.
Posted by: Gunnar | January 12, 2011 at 01:40 PM