IT security is considered one of the most arcane areas of technology, where threat and counter-threat exist in a world beyond the understanding of ordinary business brains. Unfortunately, it is the latter group who need to be convinced to sign off on any security investment.
That is why the business case is the most crucial part of any security project. That is the moment when the project has to be explained and justified in terms of the risk and benefits to the business.
There are two false assumptions that need to be dealt with. The biggest problem, it is often claimed, is that business people do not understand information security. “It is a much bigger problem that information security people don’t understand business,” says Jason Creasey, senior projects manager with the Information Security Forum (ISF).
Security specialists are trained to see threats everywhere and devise ways to deal with them. However, they also need to consider how great the risk is and the value of the system that is at threat, not to mention the damage that could be caused.
“Security managers reporting to senior management tend to talk about how many virus incidents there have been, or how many ‘pings’ on the firewall,” says Simon Oxley, managing director of risk management consultants Citicus. “But they need to present information in a business-oriented way, so senior management can get a handle on it.”
The second false assumption is that security is all about prevention. Certainly, security has to prevent attacks, but the purpose of it is to facilitate business. Just as good door locks enable people to leave their houses without fear that they will be burgled, so good security ought to be a business enabler.
Each security system should be linked to some kind of business benefit. For example:
Persuading many senior executives to take security seriously requires them to realise that the problem is real and that they are responsible – and that increasingly, they will be held personally responsible.
“Investment should address issues of personal risk with the board members,” says John Madeline, business development director of RSA Security. “Qualitative risks include the impact on brand value and trust from a breach of security.”
On top of that, new regulations such as Sarbanes-Oxley in the US and Basel II in the financial services industry make security a fundamental element of doing business. Basel II, for example, requires financial services companies to conduct a full risk assessment and that must include computer security.
Fortuitously, the British Standards Institute’s BS7799 security standard provides a ready-made blueprint. It provides a comprehensive management framework around which an organisation’s security business processes can be built, or against which they can be evaluated.
It does not go into any technical detail on how to implement firewalls or virus protection. Rather, its managerial focus provides a checklist of objectives that every organisation should achieve in their security processes.
As such, it is written in a language that every business executive should be able to understand and follow.
But BS7799 – and its ISO17799 derivative – are not the only security blueprints. From the US, the Generally Accepted System Security Principles (GASSP) were introduced by the International Information Security Foundation (ISF) as a set of documents on security best practice aimed at major organisations around the world.
In particular, the ISF’s Standard of Good Practice has become a security bible for many major companies, such as car manufacturer Mercedes and drinks giant Coca-Cola. “It is based on the largest security survey in the world,” says Creasey.
The ISF is a global not-for-profit organisation with 260 blue-chip members. All ISF members contribute anonymously to its fast-growing knowledge base of breaches, and the ISF distils the guide from what they say. As a result, the ISF knowledge base gives a clear indicator of what is at risk, based on other organisations’ experience.
Such information can then be used to identify internal risks and used as the basis for business case calculations – but these are always likely to be somewhat hazy.
“Making the business case is absolutely not a matter of turning everything into money,” says Creasey. “Return on security investment, or ROSI, is the likely dollar value of an investment, but it is people’s unquantifiable problems that cause more trouble.”
Making a financial business case for security therefore requires different calculations. One equation that Creasey quotes is as follows: Overall cost of control = cost of incidents + cost of controls.
In short, put in more security systems and hire more security staff, and the cost of controls goes up, but the cost of incidents ought to go down.
The only problem is that the true cost of individual security incidents can be very hard to pin down, even in hindsight. If a security breach takes down email for a day, it may cost IT several thousand pounds to fix, but the actual cost could be the loss of two customers that account for hundreds or thousands or even millions worth of business.
To evaluate a proposed security control, you need to measure the potential cost of incidents, and that means multiplying a very-hard-to-define value for the damage by a very-hard-to-define probability that it will happen.
Nevertheless, there are some basic rules of thumb that always hold true. “On average if you take a business critical system, there is a surprisingly high chance of suffering a major risk,” says Oxley. “It is about 60%.” Oxley believes that businesses can reduce that risk by a factor of at least three by implementing security controls. He has worked with the ISF on a methodology to do this, called Fundamental Information Risk Management (FIRM).
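The calculation the last few paragraphs describe can be carried through end to end. The following is an added example written for this article, not a tool from Citicus, the ISF or FIRM. It applies Creasey's equation (overall cost of control = cost of incidents + cost of controls), with cost of incidents modelled as damage multiplied by probability, and takes Oxley's two figures as labelled assumptions: a 60% baseline chance of a major incident on a business-critical system, reduced by a factor of three once controls are in place. The control cost and damage figures passed in are hypothetical; the `break_even_damage` and `sensitivity` helpers are there because the article's point is that the damage value is hazy, so a business case should show the range over which the control pays off rather than a single number.

```python
"""Worked cost-of-control comparison (added example, not from the article)."""
from dataclasses import dataclass
from typing import List, Tuple

# Figures quoted in the article, used here as labelled assumptions:
BASELINE_PROBABILITY = 0.6    # Oxley: roughly a 60% chance a business-critical system suffers a major incident
RISK_REDUCTION_FACTOR = 3.0   # Oxley: controls reduce that risk by a factor of at least three


@dataclass
class ControlCase:
    """One proposed control evaluated against one business-critical system."""
    control_cost: float            # annual cost of the control (hypothetical figure supplied by the caller)
    damage_estimate: float         # estimated cost of a single major incident (the hard-to-define value)
    p_before: float = BASELINE_PROBABILITY
    reduction_factor: float = RISK_REDUCTION_FACTOR

    @property
    def p_after(self) -> float:
        """Incident probability once the control is in place."""
        return self.p_before / self.reduction_factor

    def expected_incident_cost(self, with_control: bool) -> float:
        """Cost of incidents = damage x probability (the article's two hard-to-define factors)."""
        p = self.p_after if with_control else self.p_before
        return p * self.damage_estimate

    def overall_cost(self, with_control: bool) -> float:
        """Creasey's equation: overall cost of control = cost of incidents + cost of controls."""
        controls = self.control_cost if with_control else 0.0
        return self.expected_incident_cost(with_control) + controls

    def net_benefit(self) -> float:
        """Positive when the control lowers the overall cost, negative when it adds to it."""
        return self.overall_cost(with_control=False) - self.overall_cost(with_control=True)

    def break_even_damage(self) -> float:
        """Smallest incident damage at which the control pays for itself."""
        return self.control_cost / (self.p_before - self.p_after)


def sensitivity(control_cost: float, damage_low: float, damage_high: float,
                steps: int = 5, **kwargs) -> List[Tuple[float, float]]:
    """Net benefit across a range of damage estimates, since the true figure is hazy."""
    if steps < 2:
        raise ValueError("need at least two points")
    step = (damage_high - damage_low) / (steps - 1)
    rows = []
    for i in range(steps):
        damage = damage_low + i * step
        case = ControlCase(control_cost=control_cost, damage_estimate=damage, **kwargs)
        rows.append((damage, case.net_benefit()))
    return rows


if __name__ == "__main__":
    # Hypothetical figures: a 10,000 control protecting against a 50,000 incident.
    case = ControlCase(control_cost=10_000, damage_estimate=50_000)
    print(f"overall cost without control: {case.overall_cost(False):,.0f}")
    print(f"overall cost with control:    {case.overall_cost(True):,.0f}")
    print(f"break-even incident damage:   {case.break_even_damage():,.0f}")
    for damage, benefit in sensitivity(10_000, 10_000, 50_000):
        print(f"damage {damage:>9,.0f} -> net benefit {benefit:>9,.0f}")
```

With the article's figures, the probability drops from 0.6 to 0.2, so the control removes 0.4 of the expected damage; it is worth buying only when the damage from one incident exceeds 2.5 times the control's cost. Presenting that break-even figure, rather than a single guessed damage value, is one way to give senior management the business-oriented view Oxley asks for without pretending the damage estimate is precise.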
Management-oriented, it sets up a league table of issues, with simple-to-follow traffic lights to highlight the risks, and condenses the information into a readable two-page report – brevity is the soul of a business case.
FIRM also includes the concept of acceptable levels of risk: “Different people have different risk appetites,” says Oxley.
Making a business decision requires business information and the security industry is, finally, providing that, albeit belatedly.