What information will a CISO need to guide decisions on an optimal investment strategy for security? There are many possible elements to consider. The first step may be to develop measures or metrics to determine whether existing security controls are adequate and cost-effective.
As in any other activity, the degree of standardization can be a useful indicator of value insofar as multiple solutions to the same problems will be more costly. For example, standardized access controls will be easier to manage and monitor than if they are all different in various parts of the organization. From a security perspective, homogenous controls, though easier to manage, will also add a dimension of risk in that a common vulnerability will aggregate risk. The benefits of standardization will, therefore, to some extent be offset by the need for greater robustness to offset the increased risk associated with a common failure mode.
It may be warranted to attempt to determine financial return on investment of new or existing security investments to provide the information needed for good decisions. Various efforts to calculate return on investment in security have mixed results. Some view security more as an insurance policy and maintain that trying to calculate a return is not productive. Yet it must be recognized that virtually all organizational activities are guided by some form of cost–benefit analysis and, ultimately, security activities must be as well.
Some types of security investments readily lend themselves to financial analysis, whereas others pose more of a challenge. The cost savings for automating certain activities can be easily calculated. The financial benefits of preventing certain events will be more difficult to calculate with any supportable accuracy. It may be the problem of proving a negative, but there have been efforts that may be helpful.
ROSI proposes to assess return on security investments by the amount of the reduction of losses in relationship to the investment. The formula is discussed and shown in Chapter 6, Section 6.1.4.
The reduction of losses will often be speculative but in some cases may be supportable or even accurate. Historical data may show fairly consistent levels of losses over time that a specific course of action can reduce to a definable extent. The decisions will again rest on the most cost-effective means of achieving security objectives. The information needed will be:
• Objectives
• A measure of the required effectiveness
• The degree of required effectiveness achieved
• Cost
High-level objectives have been discussed in general terms in Chapter 5, Section 5.1.1 but in this case are likely to be more tactical and specific. They are likely to be related to a defined control objective and the issue will be to determine the cost of the options available at comparable levels of adequate effectiveness. If the control objectives have been defined, the main difficulty will be to determine the degree of required effectiveness and to what extent a particular solution meets the requirement. The criticality or sensitivity of the resources giving rise to the control objectives must be assessed before the level of effectiveness required can be determined.
For high criticality, either a high level of effectiveness coupled with a high level of reliability will be needed or some combination of multiple controls must be layered for a “belt and suspenders” approach that in the aggregate provides an acceptable level of performance.
The decision that needs to be made will require information on:
1. The criticality or sensitivity of the resources. This can be in relative terms and approximated as low, medium, or high.
2. The control objectives in specific terms. What will the control accomplish and how will that be measured? For example, access control that will provide a 99.9% certainty that unauthorized access will not occur.
3. Will the controls considered provide the required level of certainty? Determining this may require testing and/or statistical analysis. For example, two sequential controls, each with a 97% certainty of precluding unauthorized access, layered together should provide the required 99.9% level of certainty.
4. The issue will then be, what combination of controls will provide this level of control at what cost? The costs will need to be based on full life cycle TCO computations including acquisition, deployment, operation, maintenance, testing, and so on.
5. Consideration must also be given to the fact that 99.9% certainty means that on average, for each thousand events, an unauthorized individual may gain access, and the potential impact of that must be considered. Layered access controls will typically include authorization controls as well, which in combination will reduce this likelihood further.
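The steps above can be worked through numerically. The following is an added example, not from the book: it computes the aggregate certainty of layered controls (the 97% + 97% case from step 3), the expected unauthorized accesses per thousand events from step 5, and the lowest-TCO combination that meets a required certainty (step 4). The candidate controls, their effectiveness figures and TCO values are constructed for illustration, and the calculation assumes the layers fail independently.

```python
from itertools import combinations

# Constructed sample of candidate controls: name -> (per-event probability of
# precluding unauthorized access, full life cycle TCO in currency units).
# Values are illustrative, chosen to echo the 97% figure used in the text.
CANDIDATES = {
    "mfa":   (0.97, 120_000),
    "nac":   (0.97, 150_000),
    "proxy": (0.90,  40_000),
    "authz": (0.95,  80_000),
}

def layered_certainty(effectivenesses):
    """Certainty that layered, independent controls preclude unauthorized
    access: an event gets through only if it evades every layer.
    Independence is an assumption; controls sharing a common failure mode
    (the standardization risk noted earlier) yield a lower real figure."""
    miss = 1.0
    for e in effectivenesses:
        miss *= 1.0 - e
    return 1.0 - miss

def expected_failures(certainty, events=1000):
    """Average number of unauthorized accesses expected per `events` events."""
    return events * (1.0 - certainty)

def cheapest_meeting(required, candidates=CANDIDATES, max_layers=3):
    """Return (names, certainty, tco) for the lowest-TCO combination of up to
    max_layers controls reaching the required certainty, or None if none does."""
    best = None
    for k in range(1, max_layers + 1):
        for names in combinations(sorted(candidates), k):
            cert = layered_certainty(candidates[n][0] for n in names)
            if cert < required:
                continue
            tco = sum(candidates[n][1] for n in names)
            if best is None or tco < best[2]:
                best = (names, cert, tco)
    return best

if __name__ == "__main__":
    two = layered_certainty([0.97, 0.97])
    print(f"two 97% layers: {two:.4%}, ~{expected_failures(two):.1f} per 1000 events")
    print("cheapest combination meeting 99.9%:", cheapest_meeting(0.999))
```

With these sample figures, three cheaper and individually weaker controls meet the 99.9% target at lower TCO than the two 97% controls, which is exactly the comparison step 4 asks for.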
14.3.6 Resource Management—Using Organizational Resources Efficiently and Effectively
What measures are available for the information security manager to determine effective and efficient use of security resources? Considering the stated requirement, effectively would mean that defined objectives for security are achieved; efficiently would require that those objectives were achieved at the lowest cost in time and money.
The set of measures of effectiveness relates to the prior notion of value insofar as cost-effectiveness. However, this is more related to operational concerns, that is, the ongoing utility and operational costs of managing security. Once again, absent objectives, this will be difficult to measure.
The typical resources that must be managed are not significantly different than any other organizational department from a process perspective, although the resources will differ. They will comprise personnel, physical, and technical assets.
Some of the decisions that the security manager may need to make could be based on the following issues:
• What would constitute effective and efficient resource management?
• What measures would be useful?
• Can existing resources be used to greater effect?
• What processes might be put in place that ensure effective and efficient use of resources?
• How would that process be monitored or measured?
One measure would be benchmarking against comparable organizations. If better security, that is, fewer losses related to security failures, is achieved at lower costs, the argument could be made that it is the result of better resource management. There could, of course, be other factors but the assertion could certainly be supported.
A useful measure could be resource utilization. For example, a measure of staff productivity could be used as an indicator of resource management. Reductions in the number of controls required to meet objectives would be a good indicator and an ongoing metric.
14.3.7 Performance Measurement—Monitoring and Reporting on Security