I just wrote a paper on the value of information security. Please see the paper here. It is something I have thought about for a long time. Information security as a technical discipline but someone has to pay for all this fun we are having. My assumption is that as Willie Sutton is quoted as saying "Go where the money is...and go there often.” Today where organized crime and nation states are going is to information. It is amazingly easy to monetize certain kinds of information. There is a buyer for everything that hackers can steal. The impact to business has been debated for some time and we go to great lengths to perform risk assessments. What we don't do such a good job of is monetizing that risk.
Consider this. If we can monetize the information asset, we should be able to monetize the risk to that asset. The key to monetizing risk is knowing the value of the asset at risk. Different systems for risk assessment have been in place for some time. They all seem to revolve around professional judgment. My argument is that using a combination of threat modeling (war planning) plus simple asset monetization will allow us to monetize risk. The results will not be perfect, but they should be directionally correct. As Doug Hubbard says it is better to be directionally correct than specifically wrong.
I just finished a research document titled Measure The Effectiveness Of Your Data Security And Privacy Program for the The Security Architecture And Operations Playbook. This was a lot of fun to write, because I was able to look back at the 50-plus interviews conducted over the last year, all of them focused on the security metrics issue. This seems like such a hard question to answer. My conclusion is that many security organizations are measuring the wrong things.
There are several reasons for this. Here are a few of my observations:
We always measure this.
It’s too hard to get any other data.
Our budgets are fixed so we just do the best we can.
I reported that the managed security services market is growing in our recent Forrester Wave™ covering North American managed security service providers. Trustwave just issued a press release that announced 148% sales growth. This is a significant number in anyone’s book. It does point to the increased growth we are seeing as more and more firms consider and adopt managed services to handle some or all of their security requirements.
Last month, Ed and I spent a couple days in Paris with Orange's management team for their annual analyst event. Overall I was impressed with Orange’s innovation in business service offerings as well as their extensive global reach. Many of the large telecoms (Verizon, AT&T, Sprint, etc.) have had to and very much want to expand their business offerings. The telecoms clearly see platform-as-a-service as the natural extension of their core telecom business. Just selling bandwidth is no longer sufficient for these companies, which is in fact now a commodity business. Orange is no exception. This evolution in the telecom business model has been successful due to the industry’s ability to:
Offer endpoint and network security optimization solutions coherent with their existing bandwidth business. With their unique vantage point over the network, the telecoms are ideally placed to deliver “clean pipe” Internet service by stopping outside network threats before they reach their customers’ endpoints. For instance, Orange’s DDoS protection service can leverage their large global footprint and control over the infrastructure to gather intelligence and exercise defensive measures farther up the stack than most of their non-telecom competitors.
Steve Jobs by Walter Isaacson is a very readable and honest portrayal of one of the most influential personalities in the computer industry from 1980 to the present. Often caustic, abrupt, and driven, Steve Jobs was a man of extreme brilliance who could intuitively understand what makes a great product. His marketing and design shrewdness were without peer. Jobs had his share of failures and more than his share of successes. Apple II, Macintosh, iMac, iPod, iPhone, and all iPad reflect Jobs' ability to orchestrate human capital to create truly innovative products.
A subtext of the book, and not directly called out, however, is Jobs' awareness of the value of intellectual property and the need to secure this. Jobs shows concern for the security of Apple’s intellectual property and goes to great lengths to ensure that security. For example, he imposed strong controls on the design area where the Apple design team works:
“The design studio where Jony Ive reigns, on the ground floor of Two Infinite Loop on the Apple campus, is shielded by tinted windows and a heavy clad, locked door. Just inside is a glass-booth reception desk where two assistants guard access. Even high-level Apple employees are not allowed in without special permission.”
--Isaacson, Walter, Steve Jobs, p. 345, Simon & Schuster, Inc. Kindle Edition.
However, the contribution Jobs makes to information security is an indirect one. This contribution is the recognition that the true value of Apple’s products is in the design. It is not in the physical assets themselves. The idea and its associated intellectual property is the true tangible asset.
Even though it is not specific to security, this idea came to me while attending Dell’s Annual Analyst Conference (DAAC) in Austin, Texas two weeks ago. One of the hot topics discussed at the conference is the issue of bring your own device (BYOD). Dell recognizes this is a major trend and is looking for ways to remain true to its business-to-business DNA but still offer a competitive end-point solution with strong management and security capabilities. This is a problem for companies like Dell because a significant amount of revenue comes from corporate and not consumer sales, but BYOD is a consumer sale.
Not all is lost, however. As corporations move away from purchasing blocks of PCs for their employees, they will still have the capability to influence their employees to purchase certain equipment. The value for the employer is that they can still have some visibility to the types of equipment employees will use. The employee wins because they have assurances that the equipment they purchase has been vetted with some level of assurance that there is compliance with company systems.
What this means is that organizations will need to treat their former business customers as channel partners. I can envision scenarios where device makers provide their former customer marketing funds and special incentive funds (SPIFs) to encourage employees to buy their equipment. They will also be willing to offer the end user customer/employee a volume discount for employees for purchasing specific equipment. All of the major cell phone providers provide this type of program. PC makers, but also other types of device makers, need to start looking at their former customers as channel partners.
Calculating the cost of a data breach should be a part of every organization’s information security risk management strategy. It’s not an easy task by any means, but making efforts to do so upfront — as opposed to after a breach, when calculating cost is the last thing on the to-do list! — for your organization can help to assess risk and justify security investments. But where does one begin, and what should be considered in cost estimates? There are the usual suspects, or direct costs, relating to discovery, response, notification, and damage control such as:
In-house time and labor (IT, legal, PR, incident response, call center, etc)
New technologies or services implemented as a result of the breach to change or repair systems
External consultants or services for incident response
Through this process, we uncovered a market that we believe is currently ripe for a major disruption: market demand for managed security services (MSS) remains extremely strong, customer satisfaction is higher than we’ve seen in the past, and current MSSPs tend to compete on delivery, customer service, and cost.
This isn’t to say MSSPs all currently offer the same services with the same level of quality – not by a long shot. Selecting the right provider still means that you must understand your needs and the areas you feel they can enhance your security program the most. Each MSSP we evaluated has solid overall security capabilities, but has unique strengths in certain security areas and use different deployment methods to bring their offerings to bear.
At the same time, however, we hear more decisions today come down to cost and execution, and as this becomes more commonplace, we begin to prepare ourselves for a shift in the market. In fact, we believe we’ll see significant changes over the next couple of years for three primary reasons:
I attended two really great presentations at MSPWorld yesterday. This is a very interesting conference, sponsored by the MSPAlliance[i] and co-hosted with IT-Expo but focused on managed service providers. Both dealt with the issue of MSP (MSSP) valuation. Many of the attendees are SMB (MSP/MSSP) business owners and this was a hot topic.
So what is an MSSP worth and if someone wanted to buy a business like this how much should they pay? This is an important question for Forrester’s IT clients because the rules of valuation can help IT clients evaluate potential partners. Financial stability and the intermediate and long-term plans of the MSSP should factor into the decision of selecting an MSSP. In any negotiation it’s also always good to know what the other side is thinking. Here’s the list:
1. Recurring Revenue – What is the firm’s recurring revenue profile? What are the sources of revenue and how much of this revenue comes from long-term (multi-year) contracts?
2. Service Agreements – What is the nature of the service-level agreements the firm has in place with other clients? Do they address risk management and risk sharing? How much liability is the MSSP willing to accept for regulatory compliance and information breaches?
3. Service Revenues – What percentage of the MSSP’s revenue comes from what types of business?
This month I published a new report on information security metrics, best practices as well as a maturity model to measure your maturity in the reporting process. This report outlines the future look of Forrester's solution for security and risk (S&R) professionals looking to build a high-performance security program and organization. We designed this report to help S&R pros develop and report the appropriate security metrics for their security organization. Security metrics are a key initiative for chief information security officers (CISOs) today, but many struggle with picking the right metrics. Some CISOs use a broad-brush approach, using operational metrics to demonstrate security. The problem with this approach is that most people don't understand what the metrics are saying, and they don't understand how these metrics make their lives easier or harder. Good metrics are easy-to-understand, incite actions, and change behavior by providing a clear idea of why the audience cares. When CISOs present metrics, they must be able to clarify "What it means" and "What's in it for me?" Use this paper as a set of guidelines to develop a well-formed security metrics strategy and to drive behavior change and improve performance.