Why are you giving information security away for free?
More to the point, why do so many companies today fail to create a holistic financial charge-back model for information security services within their corporation? During my two-plus decades in IT executive management in corporate America, having been both a CIO and a CISO, I have always been confounded by the notion of “free” information security. “Free” information security fails to allocate both cost and risk to the appropriate parties within a company. “Free” information security creates a universe where employees and executives are economically incentivized to intentionally and unintentionally bypass, or even ignore, the very security controls your company is spending a fortune on and desperately relying on to protect the organization.
Most companies today, especially those who have centralized their technology and business services, have cost allocation models that focus on unit-costing and transactional charges for the catalog of things they do, from servers to storage. Only rarely, however, is information security treated in the same way, which is fascinating if we pause to consider the implications.
It is commonly understood that information security is simply a “pay-it-forward” version of an insurance policy. It is operational insurance with a twist. Rather than being priced by an independent party (like an insurance company with an actuarial department), this insurance policy is funded at a level of perceived risk that has been self-identified by a Board, a CFO and a General Counsel, with some input from the remaining members of the executive leadership team. To be frank, this is why information security organizations are so grossly underfunded today: the dollar amount a company is currently spending on this function is its perception of the appropriate risk premium it should be paying to keep the company safe from the bad guys. That’s right; companies are underestimating their actual risk of exploit, breach and catastrophe to the point that they are paying the bare minimum budget rate for their operational insurance policy. This explains why so many companies are shocked and staggered when they do get breached: the cost of recovery far exceeds anything they imagined, planned for or underpaid the premium for.
Great examples of this phenomenon are the Target and Sony hacks. Consider this: what if the hundreds of millions of dollars each company has had to pay to recover from those exploits had been spent, instead, on information security solutions and controls? Do you have any doubt that both companies would not only have the most advanced information security functions in the world, but also would most likely never have experienced the breaches to begin with? Given the consequences both companies faced, do you have any doubt they would have gladly funded their information security function if they had the gift of the crystal ball and were 100% certain they would be crushed otherwise?
One challenge in creating a charge-back model for information security is that it cannot be treated as a simple IT operations function. If this is the approach, then the cost of non-compliance and the penalty for increasing the risk to the company will be too low and employees and executives will simply ignore, work around or intentionally defuse the controls that bind them. Let’s look at a common use case to prove this point.
Your company has a reasonably mature identity and access management program. But business units and their supporting technology organizations have been very slow to move their applications to the Identity and Access Management technology platform that you have implemented. The arguments and rationalizations are endless: “I don’t have time to move that application in the next 2 years”, “I don’t have budget to do the configuration and connection work necessary”, “I can’t inconvenience my business users with the change in process”. As a result of the push-back, many companies will be forced to swallow the bitter compromise: either the CISO has to set up an access administration function that handles all the provisioning, de-provisioning and entitlement changes manually, or the business and/or application owner will perform this function themselves manually. In both cases, manual access administration will eventually lead to a security deficiency finding. Manual is risky, prone to error and is the primary contributor to audit failures.
The transactional cost allocation for the information security function must be developed in two parts. First, the chargeback model for applications that have federated to the IAM platform should be representative of true costs: servers, software, technical support, head count, licensing and maintenance, divided by the forecasted number of access events that flow through the system. Typically this will be a chargeback of dimes and pennies, because automated access control is cheaper. The first part of the chargeback model is simple and straightforward.
Second, manual provisioning can’t just be an equivalent true cost calculation. There must be an inconvenience and sub-optimization penalty added to the cost for manual support. Since we all understand that information security is a pay-it-forward insurance policy and manual control invocation is riskier and dangerous, the addition of a risk premium to the cost allocation model is no different than a teenager paying a higher insurance premium because actuarial history clearly proves that teenagers suck at driving safely.
For the sake of simplicity, let’s set our calculated total cost of personnel, hardware, services, maintenance and licensing to support a manual access control function for one business application that refuses to move to our lower-risk IAM platform at $25.00 per transaction. Standard cost allocation practice would suggest that as our volume of transactions increases, or as more applications choose to stay manually serviced, the cost per transaction should decrease. This decrease will continue until the efficiency of current capacity (human beings, phone queues, ticket/incident systems) has been maxed out and additional capacity needs to be added. But our goal is not a more efficient manual process, because it is still exponentially less secure than an automated solution built specifically for security and risk mitigation. As long as I am only charging a business owner pure pass-through costs, that owner has zero motivation to move to the more secure pathway. They will simply factor it into their budgets as an operational cost of doing business and only move if they are forced to under the worst possible type of mitigation requirement: a material defect, a demand for remediation or, even worse, a catastrophic breach.
But, what if you also included the appropriate risk related premium? Instead of $25.00 per manual transaction, what figure would force your business units to change their behavior? This is where the calculation gets tricky. Cost of exploit or breach simulations require assumptions of risk exposure and probabilities of occurrence. Those assumptions and probability calculations tend to be underestimated in corporations today. The most effective way to address this is to simplify the equation by looking toward physics instead of calculus. Think of the risk premium as a lever in the classic way that Archimedes did, “with a long enough lever, I can move the world”. The correct sized lever is the risk premium that makes a business executive respond to the same degree that they do when their jobs and budgets are impacted by a cyber security mess.
Premiums for dangerous drivers and dangerous behaviors should be painful, as they are in every other facet of insurance coverage. If I told that business owner that their risk-based cost per manual transaction is $25.00 in actual cost with an additional charge of $75.00 for the risk premium, I have no doubt that the business owner will immediately protest. As they should, because they are now experiencing the appropriate pain caused by shifting the ownership of risk to its rightful owner, which is not IT or Information Security. More importantly, if I tell that same business owner that by moving to the IAM platform that I run they can experience a reduction from $100.00 per transaction to $0.18 per transaction, they now have a very compelling reason to embrace security controls. The case is probably so economically compelling that they will move at light speed to reduce their costs, while coincidentally reducing their risk.
For those who would argue that placing a risk premium on a transactional cost is “unfair”, what is your take on the fairness of an information security organization trying to save your company because of the disastrous configuration of your systems and the bad practices of your own people? Why is it unfair to refuse to pay for fire insurance, smoke detectors, escape plans and fire department services but fair to force your information security organization to constantly be in firefighting mode because they are surrounded by the corporate equivalent of arsonists, both internally and externally?
For those who would argue that this approach results in turning Information Security into a revenue center, you’re missing an extension of the lever that moves the world. As the information security treasure chest grows from collection of the premium, that money can be redistributed quarterly or annually to business units and managers that are practicing secure behaviors and continuing to mitigate risk. With this approach, we penalize behaviors that put our company at risk while driving dramatic security control improvement, and we finally reward the types of behaviors and responses that result in a safer company. Win – win – win.
So, why are you giving information security away for free?