Tuesday, April 27, 2010

The Value of Corporate Secrets - Review and Critique

I wrote the following piece as a critique of Forrester's The Value of Corporate Secrets (link). While I appreciate the effort and the survey that went into the paper, I am disappointed by the overall conclusions the authors made.


A CRITIQUE OF THE VALUE OF CORPORATE SECRETS

By Mike Hale

IT Security spending is subject to the same debates as any other budgetary area in today’s enterprise. Budgets are designed to allocate finite resources among infinite demand. Finding the right balance among various priorities is a constant challenge for key decision makers.

Within Information Technology, different areas are all competing for a limited amount of dollars. The slice that is allocated toward Information Security must be prioritized to meet the requirements of the enterprise, which includes satisfying regulatory, policy, and personnel concerns. Other areas of expenditure are more infrastructure focused, such as IPS, IDS, monitoring and management systems. In all cases, the expenditures should be scrutinized to ensure that they efficiently benefit the department and the enterprise as a whole.

Forrester Consulting was engaged by Microsoft and RSA to conduct an assessment of IT Security practices among large enterprises throughout North America, Europe and Australia. After an analysis of the results, the key findings included the value of corporate secrets, the spending pattern in relation to those secrets, and how the value thereof influences the number of security incidents.

While many of the key findings are plausible based strictly on the results of the surveys conducted, the lack of in-depth research casts many of the key findings into doubt. For instance, a key point in the paper is that “investments are overweighed toward compliance.” However, this conclusion assumes that compliance and securing sensitive corporate information are mutually exclusive. Such an assumption oversimplifies the complexities of IT Security. This is just one example of the many instances of cursory analysis found in the Report.

Value of Secrets

In conducting their surveys, Forrester allowed the Chief Information Security Officers (CISO) to place a value on the secrets under their care. While this appears to be a good way of determining overall metrics, I do not believe that these values are inherently accurate. A CISO’s area of responsibility lies in determining security policies and enforcing them, not in determining accurate business data values. While they certainly understand what data is important to the company, only someone who is knowledgeable about the material itself, as well as the market as a whole, can place a true price on these secrets. CISOs, by the nature of their position, have neither the time, budget, nor purview to accurately perform market research or perform competitor analysis on all pieces of information in their inventory. Therefore, great care must be taken before determining action based on the “value” as presented in these findings.

Compliance Spending

The Forrester report also fails to correctly analyze its data in the purported key finding that companies overspend on compliance. The Report justifies its finding by the following statements:

“Enterprises devote 80% of their security budgets to two priorities: compliance and securing sensitive corporate information, with the same percentage (about 40%) devoted to each. But secrets comprise 62% of the overall information portfolio’s total value while compliance-related custodial data comprises just 38%, a much smaller proportion. This strongly suggests that investments are overweighed toward compliance.”

Specifically, Forrester found that, on average, 39% of the budget is related to compliance of various types. Unfortunately, the Report glosses over the fact that a fairly large portion of these expenditures are dedicated to complying with internal security policies. The Report assumes that compliance with these policies has no impact on security as a whole. Considering that internal security policies are designed to secure the corporate network (and, by extension, corporate secrets), compliance with these policies does have a positive impact on overall security.

In addition to the compliance spending data, their findings indicate that only 41% of the budget is dedicated to directly protecting corporate secrets. However, even if just half of the compliance spending is spent on internal compliance, and further assuming that half of this is dedicated to protecting secrets in some way, an additional ten percent is added to protecting corporate secrets. You now have 50% of your budget dedicated to protecting secrets, while only 20% is dedicated to complying with external requirements. Although these assumptions are speculative, they are conservative in nature. In any case, Forrester’s failure to properly account for these issues in their analysis destroys one of their most central findings.

Accident Prevention

Forrester found that enterprises focus on preventing accidents, but indicates that this focus is misplaced because the cost of intentional damage is higher. The Report does show that accidents were the cause of a majority of security incidents over the past two years. It then goes on to quantify the damage caused by these security incidents, and correctly indicates that intentional incidents (that is, incidents caused intentionally by an employee or an outsider) are much costlier to fix than the accidental ones. What the Report fails to analyze is how a focus on preventing accidents has lowered the cost of these damages, and how the cost of preventing accidents factors into the security budget as a whole.

For example, implementing and verifying data encryption can be done at a relatively low cost, and will serve to drastically minimize the damage wrought by accidental losses. Furthermore, the Report links the perception of risk to budgetary investments, an assumption that does not appear to be backed up with hard data. The Report found that the enterprise perception of the likelihood of incidents was greatly focused on accidents. They then drew a conclusion that, because of this risk perception, enterprise security investments are overly biased toward preventing employee mistakes. The data found in the Report does not substantiate this conclusion, as it fails to specifically mention the time or budget investments involved.

Number of Incidents

The Report appears to correctly quantify the number of incidents, and the cost thereof, in relation to the size of the enterprise. The Report indicates that “Enterprises with more valuable information must spend more time and effort securing them.” This conclusion is accurate, as is their statement that “Enterprises are not spending enough effort protecting data from theft and abuse by outside parties.”

That said, this finding is not without its issues. It does not clarify sufficiently how the enterprises reach the figure of cost per incident. While it is entirely reasonable, though somewhat excessive, that an exploited server could cost $300,000 to repair and recover from, it would seem that the survey overstated the impact of a lost smart-phone. $11,000 for a lost smart-phone appears to be inordinately high. It would have been helpful to include a survey on the items that affect the costs of the response to the security incidents.

CISOs Do Not Know How Good Their Controls Are

This key finding is another area where Forrester fails to correctly make their case. The data does not support their conclusion that “CISOs do not know how effective their security controls are.” Security controls are generally of three types: Preventative, Detective, and Corrective. In the Payment Card Industry Data Security Standard (PCI-DSS), there is also the compensating control, which is a control designed to compensate for a failure to comply with a certain aspect of the Standard. For example, the loss of a laptop is a security incident. However, using a preventative control such as FDE (full-disk encryption) minimizes the damage. Strong controls can reduce the occurrence of security incidents, but not always. Since the number of incidents need not correlate with the strength of the controls, the conclusion that CISOs overstate the effectiveness of their controls cannot be made as simply as Forrester attempts.

Recommendations

Despite its troubling method for reaching conclusions, the Report’s recommendations are solid, and should be given serious consideration by large and small enterprises. However, I disagree with their two risk categories, as they oversimplify the risk management process. Regulatory punishment should be added as a consequence of a risk not being compensated for. This ensures that risks are controlled based on their total consequence, not simply by a compliance policy. One additional aspect which must be considered is the PR and marketing fall-out from an exposure. The Report fails to adequately quantify the cost of a high-exposure data leak, and this must be looked at in any risk assessment.

The most important recommendation made by the Report is to “increase vigilance of external and third-party business relationships.” This is of vital importance based on the results of the surveys, and enterprises must ensure that any access to data is only given to those parties who are willing and able to secure this data to the same, or higher, standard as the data owners themselves.

Methodology Issues

The Report’s methodology is adequate for a shallow survey, but falls short of a thorough piece of research. It furthermore fails to provide sufficient backing for many of the conclusions made. There are many questions left unasked, and without those answers, the Report should be unable to come to the conclusions it did. For example, the failure to determine thoroughly how internal compliance spending is allocated completely destroys the legitimacy of the compliance spending conclusion.

Additionally, identifying the most valuable information is not a task simply accomplished by the CISO or even a team of security analysts. Other decision-makers and data owners must be consulted as well. For example, financial forecasts can be very valuable, but the CFO should be consulted to determine an accurate value for this data. Only after consulting the various data-owners and performing market research and competitive analysis can the enterprise accurately determine the value of data under its care.

The conclusions and key findings reached by this Report are cast into doubt upon a closer examination of the methods used to attain them. The survey, as conducted, simply is not capable of providing sufficient data to reach them.

Nevertheless, many of the recommendations reached by this Report should be closely looked at by enterprises wishing to strengthen their security. This Report is useful as a stepping stone for more in-depth research, but its conclusions should not be used without an in-depth analysis of enterprise-specific spending.