Insurance? Cost of Doing Business? Risk Management Gets the Job Done
Thu, 2008-05-01 00:43
There has been much talk about information security either being a cost of doing business or acting as an insurance policy. The debate recently raged in the latest ISSA Journal between Donn Parker and Jos Pols. Donn, as you may remember, proposed the Parkerian Hexad some years ago (or you may not remember, since it didn’t take). Regardless, Mr. Parker believes that security must be a cost of doing business and, as it seems, regardless of what the cost is. I have to say I disagree. Security is going to be a cost of doing business, but there will be a determination as to what the base spend will be. What Mr. Parker believes is that the assessment of information risk doesn’t seem to have an impact on corporate spending relative to information security. He seems to indicate that security spending is going to be whatever fully protects the environment. The problem is that this is not how it works, whether it is information security or physical security.
The assessment of risk relative to your most important assets must occur. It is core to an information security program and ties directly to Enterprise Risk Management. It also will help drive information security to a ‘true’ seat at the table alongside all other corporate risks, such as market, credit, supply chain, and financial risk, among others. It ensures that information security will be reviewed in concert with all issues that can impact stock price, reputation, and shareholder value. The corporation may choose to forego the security spend because the risks in the supply chain space are seen to be more critical. This is what they get paid to do.
Donn indicates that the categorization of security spending as an insurance policy enforces the risk-based approach to security that he opposes, since insurance is a form of risk transference and the purchase of insurance is a risk-based decision.
I don’t know any CISO I have ever spoken with who looks at information security as insurance. As a matter of fact, most struggle to get information security on the table at the board level, and not for lack of skill. To indicate to a board that they must spend ## dollars per year as a cost of doing business does not and will not make sense. You will not be asked back to the boardroom.
Categorizing information security spend as a cost of doing business is required, but at what level? A fully developed risk management program, based upon which assets are important for the company to protect and at what risk appetite, is the only way to determine at what level to spend. Basing your program simply on compliance and regulations is a recipe for disaster (just ask Hannaford). Spending based upon your competitors’ spend doesn’t make sense either (since in most cases there is no way you can find out). Spending based on your own risk model, one that includes regulatory issues, compliance issues, and standards and best practices, but is driven by what is critical to your business and by what keeps your board members and C-Suite up at night once they have been educated and made aware, ensures you have the proper spending model. This is all driven by a solid information risk management program that plugs into an overall enterprise risk management program. This is the future of information security. Risk has an economic basis and must be delivered as such. Enterprise risk is based on economic deliverables. The C-Suite bases its decisions on economics. To forgo this for information security ensures that infosec will remain a fringe and buried line item.
Experience is valuable in this effort, but corporate risk is what will get the attention of the board. Delivering your message in business terms, not in terms of firewalls, segregation of duties and intrusion detection, is the only effective method to speak on their level in their terms. I don’t think going to the board with a testament from 20 other CISOs on what to do will move them to open their wallets. Using your own experience is great, but without solid metrics (and they do exist) to support it, your qualitative opinion will only get you so far.
Lastly, indicating that there is no ROI or ROSI for information security spend is not a valid statement. Security spend can definitely enable the company to do many things, and failure to recognize this where appropriate is a disservice to your security organization and the company as a whole.