Is IT overspending on security?

Peter Tippett

Organisations need to step back and make a closer assessment of the three components of risk: threat, vulnerability and cost.

Our network and internet security programmes are generally failing.

While viruses, worms and hacking attacks continue to evolve, the costs of security failure have roughly doubled in each of the last five years. For too long it has been standard practice for companies to counter this trend by investing in additional security technology. In the end, however, they still lag behind the hackers and the authors of malicious code.

All that is left is a rapidly growing budget, with no end in sight to a growing security headache for IT departments.

IT security is all about mitigating organisational risk. No organisation, whether it’s a private firm or government agency, has unlimited resources to apply to security – especially in the current economic climate.

But too many organisations are obsessed with testing and fixing vulnerabilities when there is no associated threat. Or they turn their attention to computer-centric vulnerabilities when the organisation is already reasonably protected, not understanding whether a real risk actually exists.

Organisations need to step back and make a closer assessment of the three components of risk: threat, vulnerability and cost.

Threat is the frequency of potentially adverse events. For example, in early 2005 the threat rate of an insider using somebody else’s logged-in PC to inappropriately access restricted information was approximately four attempts per 1,000 users per day. The threat rate of virus encounters for an organisation with 1,000 PCs was about 4,000 per day, while the threat rate of ‘attack-related scans’ was about 440 per IP address per day.

A local organisation’s geography, political stance or some other factor may expose it to more or fewer threats. But instead of focusing on becoming risk experts, most companies need only to deal with potential threat rates. Those threats that never materialise are not worth the extra worry.

I define vulnerability as the likelihood that a particular threat succeeds against a specific organisation. A computer is either vulnerable to a particular threat or it is not. Companies almost always provide some way to limit their vulnerability. Even if the controls are individually less than ideal – perhaps only 80 percent effective each – collectively they can still provide an extremely strong organisational barrier to any threat. What’s more, these layered controls are also often significantly less expensive, easier to maintain and less intrusive than individual, supposedly ‘strong’ controls.

The hard-dollar costs associated with risk are measured in terms of the damage to sales, cash equivalents and the amount of IT-staff time and resources devoted to repairing a breach. Then there are ‘soft-dollar’ costs, which include meetings, lost user productivity, public relations damage control, and any decrease in public confidence or lost business opportunities.

Risk is the product of these three components, so when at least one of them is zero or very small there is no immediate risk to the organisation. This approach eliminates unnecessary spending. It also provides equal or better protection through means that most companies either already have – or can put in place with existing people and technologies.

For example, the built-in lack of vulnerability at the corporate level makes about half of Microsoft’s ‘critical’ patches unnecessary. If you know you have filters, topologies, configurations or other controls that also address a particular risk, you can delay or eliminate another 50 percent to 70 percent of the proposed fixes.
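The triage rule described above, applied to a small constructed portfolio, as an added example that is not the author's own code: it multiplies threat, vulnerability and cost, treats a near-zero component as ‘no immediate risk’, and composes several imperfect controls into one barrier. The threat rates are the ones quoted earlier; the `Exposure` class, the `triage` function, the control-effectiveness values, the loss figures and the assumption that controls fail independently are all mine.

```python
# Added example: the article's threat x vulnerability x cost model turned into
# a triage rule for proposed fixes. Control strengths and costs are assumed.
from dataclasses import dataclass, field


@dataclass
class Exposure:
    name: str
    threat_per_day: float                          # expected adverse events per day
    controls: list = field(default_factory=list)   # effectiveness of each existing control, 0..1
    cost_per_success: float = 0.0                  # hard plus soft-dollar loss per successful event

    def vulnerability(self) -> float:
        """Probability that one event gets past every control in place.
        Assumes controls fail independently, so four 80%-effective layers
        let only 0.2 ** 4 = 0.16% of events through."""
        p_pass = 1.0
        for effectiveness in self.controls:
            p_pass *= 1.0 - effectiveness
        return p_pass

    def expected_daily_loss(self) -> float:
        return self.threat_per_day * self.vulnerability() * self.cost_per_success


def triage(exposure: Exposure, daily_loss_budget: float, epsilon: float = 1e-9) -> str:
    """'no immediate risk' if any component is (near) zero, 'fix now' if the
    expected loss exceeds what we tolerate per day, otherwise 'defer'."""
    components = (exposure.threat_per_day, exposure.vulnerability(), exposure.cost_per_success)
    if any(c <= epsilon for c in components):
        return "no immediate risk"
    if exposure.expected_daily_loss() > daily_loss_budget:
        return "fix now"
    return "defer"


# Constructed portfolio for a 1,000-user organisation. Threat rates follow the
# article; control strengths and loss figures are illustrative assumptions.
PORTFOLIO = [
    Exposure("insider uses unlocked PC", threat_per_day=4.0, controls=[], cost_per_success=2_000.0),
    Exposure("virus encounter", threat_per_day=4_000.0, controls=[0.8, 0.8, 0.8, 0.8], cost_per_success=100.0),
    Exposure("scan of a port the firewall drops", threat_per_day=440.0, controls=[1.0], cost_per_success=10_000.0),
]

if __name__ == "__main__":
    for e in PORTFOLIO:
        print(f"{e.name:34s} vuln={e.vulnerability():.4f} "
              f"loss/day={e.expected_daily_loss():9.2f} -> {triage(e, 1_000.0)}")
```

Running it shows the three outcomes the article argues for: an uncontrolled exposure gets funded, four mediocre layers make the virus exposure cheap enough to defer, and a scan that never reaches anything is no immediate risk at all.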

There’s a larger lesson here. Organisations need to first ensure that the basics are in place – the equivalent of brakes, seat belts and steering, not antilock, antiskid brakes with rack-and-pinion systems. Best practices are less useful than a comprehensive, risk-based approach that generates practical and achievable security.

Experience has shown, and continues to show us, that the dogmatic approach to information security is not the correct one. Organisations can prevent costly attacks on their infrastructure when they stop following security dogma and chasing vulnerabilities and fancy new security devices. The insurance industry is ideally placed to take a lead in adopting, and encouraging through its client base, a business-focused, risk-based approach to managing the security challenges we all face.