The New School of Information Security by Adam Shostack & Andrew Stewart
Author: Adam Shostack & Andrew Stewart
Language: eng
Format: azw3, mobi, epub
Tags: Computers & Information Technology, Computers, Online Safety & Piracy, Nonfiction, Security, Information Technology
ISBN: 9780132702003
Publisher: Pearson Education
Published: 2008-03-26T04:38:35.677660+00:00
How Much Should a Business Spend on Security?
Now that we have touched on conventional and emerging justifications for spending on security, we will delve into the question of how much to spend. This question is especially difficult when the goal of the spending is defined in overly broad terms, such as "to avoid security incidents." If an organization invests in security and then subsequently doesn't suffer a security incident, was the investment in security worthwhile, or did the organization just get lucky? This is a pivotal economic question. If failure never occurs, how can an organization know if spending was justified, or how much spending was justified? When possible, focus security spending on measurable goals, such as standardizing on security technologies across an organization to reduce cost. Doing so makes it easier to determine whether the investment has paid off.
Today, businesses use a number of general strategies to determine their level of security spending. These include waiting to see what breaks and then fixing it, striving for a complete set of security technologies, setting spending levels according to external direction, and using traditional project valuation techniques.
The first, tacit approach is to simply wait until a security incident occurs and then spend whatever amount is necessary to recover. For many businesses, this strategy of "wait and see" is not adopted consciously, but rather by default. Most security practitioners recoil at the very notion, because it suggests an implicit disregard of due care. But from an economic standpoint, it may be a rational strategy if the benefits of security technologies and processes are too difficult to measure. Some very advanced companies have consciously adopted what appears to be a similar approach, although they reach it through a very different route. These businesses have spent extensively on their security programs over several years. They have reached the point where they realize that spending funds on additional defensive measures will lead to only very small additional gains in security. These companies now focus their spending on their ability to recover from incidents, rather than trying to prevent them upfront. The number of businesses in this situation is probably a small fraction of all organizations. But there is an interesting similarity to how both ends of the spending spectrum focus on a reactive strategy, albeit for very different reasons.
The opposite of the "wait and see" strategy is "buy one of everything." This is the strategy of the completist, and it is more likely to be championed by a politician within the organization rather than a technologist. It creates lots of noise and visibility, which is often the intended result. In other words, the manager has lots of positive progress to report. Concrete systems installed, people trained, and lots of activity that management should know about, and, thus, positive exposure for the security manager and his budget. Unfortunately, this strategy is predicated on the assumption that buying and deploying a "complete" suite of security tools will actually deliver operational security. Given our observations about the commercial