Why Should We Spend on Security?

There is a dull hum permeating the industry of late – security is dead some say, others think it to be too costly to maintain, others still believe that what is needed is a change of perspective, perhaps a radical shift in how we approach the problem. What underlies all of these positions is a belief that the status quo is woefully ineffective and the industry is slated for self-destruction or, as a whole, we will succumb to a digital catastrophe that would have been avoided if only we had just…well, just done something different from whatever it is we are doing at the time something bad happens.

As we go round and round on the never-ending hamster wheels provided as best-practice guidelines by security vendors, consultants, and pundits, we find ourselves trapped in an OODA loop that will forever deny us victory against malicious actors because we will never become faster, or more agile, than our opponents. But to believe one can win implies that there is an end that can be obtained, a victory that can be held high as a guiding light for all those trapped in eternal security darkness. We are as secure as we need to be at any given moment, until we are no longer so – and when that happens, regardless of what you may believe, is outside of our control.

So then why should IT spend on security? What would motivate one to reach back into their budgets and spend on something like DLP, or NAC, or SIEM, or a next-generation firewall/IPS/lawn-mower/coffee-grinder/desert topping/floor-wax?

Before we can answer that question, let’s first look at what doesn’t drive an organization to spend on security:

  • A desire to do the right thing to protect employees and customers from potential harm resulting from a breach does not drive an organization to spend on security, unless the organization is run by hippies, and it is 1968, and Berkeley is the capital of the US, and the company sells marijuana-laced smoothies.
  • A belief that increased spend on security and the latest widgets will differentiate the business in a competitive market doesn’t drive an organization to spend on security, because no one really believes that it will (and they’re right, it doesn’t).
  • Security as a business enabler doesn’t drive organizations to spend on security, because security doesn’t really enable the business to increase the bottom line and quite honestly that is the only business enabler the guy with the purse strings cares about.
  • ROI doesn’t drive organizations to spend on security, because there generally isn’t one (here).
  • Attempting to stop all bad things from happening doesn’t drive an organization to spend on security, because they can’t and they know it.
  • Grumpy security curmudgeons who tire of the stupidity of upper management and its lack of the insight that is common knowledge among the security elite, or the securiati as they are also known, don’t drive organizations to spend on security.

What does drive an organization to spend on security?

  • A security incident will drive an organization to spend on security, and to ensure that exact incident doesn’t happen again. But it does happen again, generally with only slight variation from the original, so technically it will be argued as being something different altogether.
  • A compliance or regulatory initiative, such as the recent OMB mandate for FDCC (here), or PCI, or SOX, can drive an organization to spend on security, but we all know that being compliant doesn’t really mean one has done anything to improve their security posture.
  • When security crosses the chasm and starts impacting availability then an organization will spend on security, not to be more secure, but to ensure availability.

Now I know that someone is going to mention that organizations will spend on security to ensure confidentiality of data, and I suppose one could make such an argument, but if that were true then encryption, especially at the database and application layer, would be the hottest thing since Joanie loves Chachi and breaches would be non-existent since all that confidential data would remain confidential. Same goes for integrity.

So most organizations will spend on security as a result of a security incident, or because they are compelled to as part of a compliance, or regulatory initiative, or because availability is threatened. If that is true, and I would argue it is, then is it any wonder that we are all so disenchanted?

16 thoughts on “Why Should We Spend on Security?”

  1. Hey Amrit,

    Good stuff, that! (Well, except I’m not a big proponent of database encryption, but that’s just me.)

    Of your three drivers, it’s been my experience that, without some other means of communication, the first two (incident & compliance) aren’t sustainable long term.

    Without naming names, I can talk about companies that had “headline breaches”, fired everyone in security post-breach, spent a huge bucket of set-aside money on all sorts of toys, hired some of the brightest in the local talent pool, and then after 18 months forgot the whole thing existed. The talent was left to play with their toys, as long as it didn’t cause any substantial change to anyone else (various desktop agents remain shelf-ware due to politics).

    Second, compliance is all well and good, until the data owners don’t care. When compliance gets in the way of revenue, it’s not revenue that gets chucked out the window. I’ve seen Fortune 500 CEOs publicly say that they were 100% behind compliance. So serious were they that “the gov’t mandated risk assessment wouldn’t be needed because their company would assume likelihood = 1” (actual quote from CEO). Yet a year later when it came time to increase the budget to cover the recommendations…

    I think you’re spot on with availability, however. I would offer that in our haste to latch onto availability fears, it’s been difficult not to still think about packets, rather than time & money. And those metrics are really all data owners care about. The “number of nines” we can provide is only relevant as it impacts the number of George Washingtons brought (or not brought) into the corporate coffer.

    So to me, this is why the language of risk makes sense. Only when you frame the metrics in (probable) time & money can you match the risk tolerance of the organization to the effort required to keep things available (or rather, keeping things from becoming not available).

  2. Pingback: Communicating Risk & Macs Can Do Anything | RiskAnalys.is

  3. @ Alex,

    How did I know that you would bring risk management into the discussion?

    You are absolutely right: both incidents and compliance feed the 6-month shelf life of an executive’s ability to remember why they spend on security – sure, a worm may have devastated the availability of the network and caused services to come to a screeching halt, but hey, it hasn’t happened in about 6 months, so why do I still need that $180k inline device doohickey?

    As for compliance, well, a lack of teeth results in poor decisions made just to pass an audit. Here is a typical conversation I would have as an analyst that covered SIEM and Log Management back in the 05/06 time frame.

    Client: Hi I am looking for a tool that can collect all raw log data from all network, security and host devices in my organization and then store that data for 3-5 years – which tools provide that ability?

    Me: Let me ask you a more fundamental question – what problem are you trying to solve? What solution do you believe this application of log management will provide you?

    Client: The SOX audit guy told me I had to

    Me: Ah, well listen, if the organization has no business case they can make for the use of a technology beyond adhering to the whims of an auditor I would suggest that you argue that this is not a viable solution to your SOX initiatives. I would be happy to send you supporting documents to make your case.

    Do you know how many people just bought crap without taking the time to question? Lots, far too many.

    Anyway, you are right about availability and the time and money aspect. In fact, that is what drove anti-spam. First, spam was seen as a security issue; then it turned out that upwards of 70% of all email traffic was spam and the problem became a networking/infrastructure issue – it affected availability.

    The organization had to implement either additional email infrastructure to handle the dramatic increase in traffic – which cost time and money, or throttle email traffic – which caused issues with user experience, or implement anti-spam technologies – which work pretty well, but initially would block good email far too frequently, so there was tuning and product maturity that leaves us where we are today – which is good enough anti-spam for business to function, without a dramatic overload on the time and money required to function. It isn’t perfect and there is more spam slapping against the wall than before, but we seem to have found that happy medium between good enough and justifiable costs.

  4. “When security crosses the chasm and starts impacting availability then an organization will spend on security, not to be more secure, but to ensure availability.”

    My experience is that when security affects availability, money will get spent & problems will get solved. But also, when security diverts resources from operational sorts of things that have an indirect impact on availability, the security problems get escalated and solved also. So if a constant stream of hacked web servers, e-mail worms or botted desktops affects staff’s ability to do their normal jobs, the security problem will also get solved.

  5. @ Michael

    I don’t know if I would go so far as to say that the security problem would get solved, but certainly one could argue that the availability problem would be limited to an acceptable level.

  6. @ Rob,

    Ok, now I understand what you meant. So I think that in some isolated cases the fear of litigation will force organizations to spend on security, but this is no different than spend on compliance to pass an audit – that is, the result is not to improve the security posture of an organization, implement efficient or effective controls (whether they be detective, preventative, or otherwise), or limit the underlying risk from threat, but to limit the risk resulting from litigation.

    Historically, though, for profit companies have shown little interest in spending on controls, of any nature, to prevent future litigation if the controls negatively impact the bottom line. From baby food, to pet food, to children’s toys, to automobile tires, to automobiles themselves, to our food supply, to alcohol and tobacco, to just about anything that is sold today, there has been little effort on the part of corporations to proactively prevent litigation, in fact there is a general stance to ignore known issues of safety and security until forced to respond because of the threat of litigation, and in many of those cases the companies simply pay the fines and move on.

  7. We should remember that not all our decisions are entirely rational. The need for security is something that is already part of our unconscious thinking. It would be very hard to find an executive that says “we don’t need security”. You’ll find one saying that too much security is not necessary, but I doubt you’ll find one saying that security is not needed at all.

    The rational thinking appears only when executives are bugged by some security aspect, mostly cost or productivity impact. Then they’ll look at the problem rationally and try to identify how much security they need.

  8. Amrit, I think you’re dead on about those three reasons, truly.

    But I think there is still reality to deal with, and reality does allow those other options to drive security spending in various cases, whether mistaken or not.

    In fact, I think a company following the advice of their credible security team to implement some measures without those three reasons is an exception, but also an ideal us security geeks would like. Yes, there are plenty who want to secure every little bit, but there are also plenty who do some form of risk assessment and only ask for what makes the most impact. We might not have a formal risk analysis methodology, but we do this assessment every day in our daily lives, let alone the life of the company.

    In the end, your three resultant reasons are the bottom line that catches every organization. The reasons you dismissed appear now and then in some organizations, but I wouldn’t bank on those or expect those by default.

    Us sec geeks need to accept those three reasons in the absence of the others, otherwise yes, we’ll continue to be frustrated and disillusioned.

    I posted more on my own blog, but I wouldn’t mind keeping any discussion here. 🙂

  9. Pingback: Why Should IT Spend on Security « Mind Traffic

  10. Hi Amrit,

    Interesting blog with some very poignant comments. The reality of security boils down to a simple equation:

    An incident leading to loss of business profit (cause) = spend on security controls (effect)

    Everything else, including legislation, is window dressing! Sad but true – I have yet to work for an organisation, either commercial or government, that defines security in any other way. For example, take the UK HMRC data loss incident late last year: the HMRC had operational controls in place that should have prevented data from being exported, and the knee-jerk reaction to this problem was to deploy encryption to almost everything across UK government at an estimated cost of a few £100m. Has the encryption silver bullet fixed the problem? I think not, but only time will tell.

    An excellent example of the cause and effect equation in motion for sure!

  11. Pingback: Mission Accomplished: There is NO Future in Security « Observations of a digitally enlightened mind
