Calculating the cost of a data breach should be a part of every organization’s information security risk management strategy. It’s not an easy task by any means, but making efforts to do so upfront — as opposed to after a breach, when calculating cost is the last thing on the to-do list! — for your organization can help to assess risk and justify security investments. But where does one begin, and what should be considered in cost estimates? There are the usual suspects, or direct costs, relating to discovery, response, notification, and damage control such as:
In-house time and labor (IT, legal, PR, incident response, call center, etc.)
New technologies or services implemented as a result of the breach to change or repair systems
External consultants or services for incident response
Through this process, we uncovered a market that we believe is currently ripe for a major disruption: market demand for managed security services (MSS) remains extremely strong, customer satisfaction is higher than we’ve seen in the past, and current MSSPs tend to compete on delivery, customer service, and cost.
This isn’t to say MSSPs all currently offer the same services with the same level of quality – not by a long shot. Selecting the right provider still means that you must understand your needs and the areas where you feel a provider can enhance your security program the most. Each MSSP we evaluated has solid overall security capabilities, but each has unique strengths in certain security areas and uses different deployment methods to bring its offerings to bear.
At the same time, however, we hear more decisions today come down to cost and execution, and as this becomes more commonplace, we begin to prepare ourselves for a shift in the market. In fact, we believe we’ll see significant changes over the next couple of years for three primary reasons:
I attended two really great presentations at MSPWorld yesterday. This is a very interesting conference, sponsored by the MSPAlliance and co-hosted with IT-Expo but focused on managed service providers. Both dealt with the issue of MSP (MSSP) valuation. Many of the attendees are SMB (MSP/MSSP) business owners, and this was a hot topic.
So what is an MSSP worth, and if someone wanted to buy a business like this, how much should they pay? This is an important question for Forrester’s IT clients because the rules of valuation can help IT clients evaluate potential partners. Financial stability and the intermediate- and long-term plans of the MSSP should factor into the decision when selecting an MSSP. In any negotiation it’s also always good to know what the other side is thinking. Here’s the list:
1. Recurring Revenue – What is the firm’s recurring revenue profile? What are the sources of revenue and how much of this revenue comes from long-term (multi-year) contracts?
2. Service Agreements – What is the nature of the service-level agreements the firm has in place with other clients? Do they address risk management and risk sharing? How much liability is the MSSP willing to accept for regulatory compliance and information breaches?
3. Service Revenues – What percentage of the MSSP’s revenue comes from what types of business?
This month I published a new report on information security metrics and best practices, along with a maturity model for assessing the maturity of your reporting process. This report outlines the future look of Forrester's solution for security and risk (S&R) professionals looking to build a high-performance security program and organization. We designed this report to help S&R pros develop and report the appropriate security metrics for their security organization. Security metrics are a key initiative for chief information security officers (CISOs) today, but many struggle with picking the right metrics. Some CISOs use a broad-brush approach, using operational metrics to demonstrate security. The problem with this approach is that most people don't understand what the metrics are saying, and they don't understand how these metrics make their lives easier or harder. Good metrics are easy to understand, prompt action, and change behavior by giving the audience a clear idea of why they should care. When CISOs present metrics, they must be able to clarify "What does it mean?" and "What's in it for me?" Use this paper as a set of guidelines to develop a well-formed security metrics strategy, drive behavior change, and improve performance.
There are many types of criminals. These include thrill-seeking hackers, politically motivated hackers, organized criminals after financial gain, and state-sponsored groups after financial gain, intellectual property, or both. Any of these has the potential to break these capabilities through information loss or denial of service. Business processes and their associated transactions need to treat information security as a key component of any architectural design we might create as enterprise architects.
Security architecture depends on the idea of “security.” Security, by some definitions, is the trade-off of convenience for protection. When I am unloading the car and have an armful of groceries, it's challenging to unlock the front door at the same time. Alternatively, I could just leave the front door unlocked, but that might invite guests I had not planned for. So I trade convenience for protection.
Security is often seen as in conflict with business users; however, security is a process that protects the business and allows it to effectively operate.
Security is a response to perceived business risks.
Security can be seen as a benefit and a business enabler and can aid organizations to achieve their business objectives.
While you are at the Forrester Security IT Forum in Miami, you might also want to attend my session on Managed Security Services Providers. In my role as an analyst, I speak to many security leaders who wrestle with the outsourcing question. Security is a sensitive topic, and many security executives are uncomfortable transferring operational responsibility for this function to a third party.
This session will present techniques to help security managers decide what they can trust to a third party and, more importantly, what they should outsource to a third party. This should be a lively presentation and discussion on what is a sometimes-controversial topic. I hope to see you there.
At the upcoming Forrester Security IT Forum (November 9) in Miami, Florida, I will present information on President Obama's cybercrime legislative initiative. This presentation and discussion will focus on the pending legislation in Congress and the Obama administration’s proposal to strengthen cybercrime law. There is a real need for this. Today there are 46 states with cybercrime breach reporting laws. While similar, they differ enough to make reporting more complex. In addition, these laws only address PII and do very little to address other types of cybercrime. This new proposal addresses both PII and attacks on the nation’s critical infrastructure. The proposal stiffens criminal penalties and provides for the Department of Homeland Security to serve as the “new sheriff in town” when it comes to cybercrime.
Also associated with this proposal is a mandatory reporting requirement for organizations that manage more than 10,000 pieces of PII in a twelve-month period, or that provide critical infrastructure. Critical infrastructure is defined very broadly and includes financial services, utilities, healthcare, and other industries. Please join me in Miami as we present and discuss the proposal and its impact on private industry. I hope you can join us.
Some of you may have seen the article in the New York Times by John Markoff announcing a paper to be presented at last week’s IEEE conference. This paper is an update to research conducted by a team at the International Computer Science Institute in Berkeley, California. The institute is associated with the University of California, San Diego and the University of California, Berkeley. A paper published by the team in 2008, Spamalytics: An Empirical Analysis of Spam Marketing Conversion, outlines interesting research in the area the research team has coined “spamalytics.”
The paper describes a methodology to understand the architecture of a spam campaign and how a spam message converts into a financial transaction. The team looks at the “conversion rate,” or the probability that an unsolicited email will create a sale. The team uses a parasitic infiltration of an existing botnet infrastructure to analyze two spam campaigns: one designed to propagate a malware Trojan, the other marketing online pharmaceuticals. The team looked at nearly a half billion spam emails to identify:
the number of spam emails successfully delivered
the number of spam emails successfully delivered through popular anti-spam filters
the number of spam emails that elicit user visits to the advertised sites
At Forrester, we place a great deal of emphasis on relevance and what it means when researching a topic. For the busy executive, it's sometimes difficult to wade through deep lists of operational security metrics and really understand how relevant the information is to the mission of the business. Compounding the problem is the need to understand what your metrics say about the security posture of your organization and the health of the business overall.
The draft title of the report I'm currently working on is Information Security Metrics – Present Information That Actually Matters To The Business. In the paper, I plan to focus on the key factors that make security metrics relevant. The idea here is that if people start checking their BlackBerrys and iPhones while you're presenting your report, it's probably time for some new metrics.
Success is the ability to positively educate the C-level suite in your organization and demonstrate the value that you and your information security program provide.
I just finished a final draft of a presentation on information security executive reporting that I and some colleagues will present at the upcoming Forrester IT Forum in Las Vegas. For those of you who want more information on the Forum, please see Forrester's IT Forum 2011 in Las Vegas. In this presentation Alissa Dill, Chris McClean, and I will present an approach for using the Balanced Scorecard to present security metrics to senior-level audiences. For those of you who are not familiar with the Balanced Scorecard, it was originated by Robert Kaplan, currently of the Harvard Business School, and David Norton as a performance measurement framework that added non-financial performance measures to traditional financial metrics to give managers and executives a 'balanced' view of organizational performance. This tool can be used to:
Align business activities to the vision and strategy of the organization
Improve internal and external communications
Monitor organization performance against strategic goals