Value-based infosec
Clearly security controls should save more than they cost, hence in theory organisations should only invest in, operate and maintain controls that are valuable ... but in reality, value-based information risk and security management is far from straightforward.
For starters, we have no choice with some controls: even in a greenfield situation such as a high-tech startup, the very act of designing and building the company depends on a raft of governance and management controls.
Next consider the costs. Controls have lifecycles incurring costs at every stage, starting even before we develop or procure them since someone has to determine the requirements, then specify and search for solutions, then implement and configure them. Once operational, there are costs associated with using controls, plus generally they need to be monitored, managed and maintained, and perhaps eventually retired or replaced. Assigning substantial resources to the controls implies opportunity costs, i.e. other investments, spending or saving may be more economic. Because these costs are tricky to measure, it is tempting to ignore them, lumping them in with all the other costs of doing business ... which may explain the failure of some kinds of control. Complex controls, in particular, require significant care and attention to keep them operating efficiently and effectively. They are rarely fire-and-forget.
Thirdly, consider the benefits. Information security controls rarely eliminate information risks: usually, the best we can hope for is partial mitigation - reducing the probability and/or impact of certain types of incident - and even that is uncertain without associated controls such as monitoring, compliance and assurance. What is the $ value of reducing information risks? If a given control had not been selected and put into operation, how costly would any corresponding incidents have been? How does one even value the protection afforded to brands, reputations, relationships, intellectual property, privacy and lives? Ultimately, due to the next factor, it could be argued that the entire value of an organisation depends on virtually all of its security controls ...
Fourthly come the complexities of the mesh, framework, system or architecture within which individual controls operate. Few if any controls are totally standalone, operating independently of all others, aside from some academic's theoretical models anyway. If a given control is missing or weak, other controls may - or may not - take up the slack, mitigating the risks in other ways. Some (most? All?) controls actually create or increase risks while mitigating others. It's all very well promoting the concept of defence-in-depth with multiple overlapping layers of control, but that creates interdependencies which may even destabilise the whole construct, toppling our house of cards.
Fifthly comes yet another tricky factor: dynamics. Just as the 'control universe' is constantly changing, so are the information risks that the controls are intended to mitigate (thanks at least partly to controls!). Threats are inherently hard to identify and assess, let alone quantify. Vulnerabilities can remain unrecognised and dormant until/unless exploited by threats, causing impacts that can ripple way beyond the information risk and security management function, affecting other organisations, individuals and society at large.
And finally, as if that's not enough already, we have information risks associated with the information risk and security management process itself. Given imperfect and incomplete knowledge of a complex and dynamic situation, we cannot be sure of the net value of our security controls. Given finite resources (budgets!) and capabilities (including our analytical and decision-making capacity), plus competing priorities and other pressures, the extent to which we direct, monitor and control information risk and security activities is limited ... hence partial or complete failures are almost inevitable. Despite our very best efforts, information security and privacy incidents still happen, and with hindsight we can usually point to weak or missing controls that should have prevented them.
Although hindsight has some value, it is trumped by foresight.
Since forward-thinking value-based information risk and security management is evidently so challenging, what are the alternatives? A few possibilities spring to mind:
- The do-nothing option. Don't even attempt to 'manage' information risks. Ignore the whole thing and hope for the best - at least for the duration of your tenure.
- Security engineering relies on a structured, systematic approach such as that recommended by ISO27k, the NIST SP 800 series, COBIT and other standards and methods: it means being methodical and rational, analysing and deciding things in a considered and justifiable manner.
- Compliance-based security involves doing what is formally required, and perhaps no more. A significant problem with this approach is that compliance obligations are mostly imposed on us by third parties to address their requirements, regardless of ours - like, for instance, making a healthy profit, staying in business or having a private life.*
- Best practice security is, for many, an attractive shortcut. Rather than even attempting to figure out an optimal approach for the organisation, they simply run with the herd, implementing 'typical' controls and 'market leading' security products. It's tempting to poke fun at this, pointing out how inefficient and ineffective it can be. On the other hand, lame though it is, it is also fairly quick, easy and low-cost compared to the analytical, value-based or security engineering approach I have been describing. It is, arguably, better than nothing, and better than other suboptimal approaches.
- Expert guidance means seeking professional advice from experienced, competent specialists in the field, like me for instance. Much of my advice is free, including this blog and other social media musings and website content, but clients have the advantage of more in-depth, focused analysis and recommendations tailored to their specific requirements.