Though it is difficult to quantify ROI for security initiatives, investment in application security is logical for the enterprise, reports Jim Romeo.
In the past year, the University of California, Berkeley, has doubled its security budget – already in the millions – to guard against a multitude of network intrusions attempted every single day.
Like many other organisations, the school depends on extensive collaboration with developers and stake holders, and uses sophisticated applications to solve complex problems. The preeminent challenge, however, is ensuring that these applications are capable of withstanding exploitation from external actors intent on absconding with valuable proprietary and student data.
As application security continues to face challenges, so does corresponding spending to safeguard against known vulnerabilities. Which tools and technologies organisations invest in is a critical concern, though many point out that security objectives are often misaligned with actual needs.
A recent survey of 110 diverse IT organisations – sponsored by Oracle and conducted by IDG Research's CSO Custom Solutions Group – found that "most IT security resources in today's enterprise are allocated to protecting network assets, even though the majority of enterprises believe a database security breach would be the greatest risk to their business." While the findings indicate that nearly 66 percent apply an inside-out security strategy, only 35 percent base their strategy on outside-in protection.
When it comes to actual spending, 67 percent of IT security resources – including budget and staff time – are allocated to protecting the network layer, and a mere 23 percent of resources were allocated to protecting core systems like servers, applications and databases, according to the same research. The study found that the majority expect to spend the same or more this year as compared to last, while next year, 59 percent expect to spend at an even higher level than at present. In fact, according to separate research conducted by Gartner, spending on IT security will top $86 billion by 2016.
David Canellos, president and CEO at PerspecSys, a cloud data protection gateway solution provider, advises his clients to inventory their company's applications and data to know what is truly sensitive. He emphasizes the importance of mapping a security strategy to capital outlay. "The first step is to create a solid IT strategy to drive their investment road map," says Canellos.
Building that map
CSOs and CIOs are challenged with developing a carefully planned portfolio of security tools, techniques and personnel to strengthen applications and networks. Francis Cianfrocca , chairman and CEO of Bayshore Networks, a provider of next-generation firewall technology, emphasizes the need to map out a security plan and says IT leaders could make uninformed investment decisions without one. "You need plans for multiple approaches: defense-in-depth, risk management or a combination of both," he says. "You will need to have a plan in place that shows what your posture is like and what you want it to be."
There is no cookie cutter or best practices approach for application security, he adds. "Industrial sectors, financial, manufacturing, service industries, etc., have not yet emerged with applications by market," says Cianfrocca. "The threat is far ahead of the best practices, and the gap between threat and ability to defend is always being tested."
Knowing your organisation's true security needs is elementary to an investment road map, says Brian Contos, VP and CISO of the advanced threat protection group at Blue Coat Systems, a provider of web surveillance, content filtering, security and WAN optimisation solutions. "Don't invest in trends and products," he says. "Invest in solutions specific to your organisational needs. Shiny new security toys of today collect dust tomorrow if they don't serve a specific, necessary purpose."
This focus will help one select from many different tools and technology. But, IT managers must proceed with caution.
"Do not take a vendor's behaviour and performance claims as gospel," says Brian Monkman, perimeter security programs manager at ICSA Labs, an independent division of Verizon which provides third-party testing and certification of security and health IT products. "One enterprise's infrastructure and traffic mix will be quite different from another," he says. He further cautions against investments in security technology without regard to its specific application. ICSA has determined that product behaviour and performance capabilities can vary significantly, depending on the environment and traffic mix a product has to handle. "Nothing beats robust proof-of-concept testing," he says.
But, Monkman also emphasises the importance of including training as a security investment. Training will enable staff to learn how to configure and manage a particular device. Such education, he says, should also target non-IT employees to demonstrate how to reduce vulnerability to common attacks – like phishing and social engineering – and should offer basic online safety, such as instructing on the use of robust passwords and how to be aware of websites that might prove troublesome.
A focus on staff and work behaviour is essential to a sound and secure working environment. "Typically, money is better invested in people and processes focused on security rather than technology, which continually changes," says Jeff Krull, a partner and information technology expert in the governance and risk management group of accounting firm ParenteBeard. "An intrusion detection system is certainly helpful in identifying vast vulnerabilities, but, if no one reviews and reacts to the data, the investment does not prove effective."
Proper application security investing means spending the right amount, on the right solutions. But how much is too much, and how much is not enough? And how do we measure the return from our investments? For IT leadership, this is an inexact science, requiring skill and savvy to craft a defensible investment, with a corresponding return over time. But a specific return on investment is difficult to quantify.
"It is still challenging to get to a specific ROI on a particular security investment," says Peter George, president of General Dynamics Fidelis Cybersecurity Solutions, a company offering protection against advanced persistent threats. "When I talk with customers about this, I liken security investments to insurance. The ROI only becomes truly apparent when you have mitigated a breach and realize the vast costs in terms of dollars, brand capital, and intellectual property that would have been associated with that breach if it remained undetected."
Other experts agree that calculating ROI for IT security is difficult. "It's like calculating a return on the cost of buying a fire extinguisher," says Manohar Ganshani, a practice partner and network leader of governance risk and compliance at Wipro Consulting Services, a global information technology, consulting and outsourcing company with corporate headquarters in Bangalore, India.
"What will be your response if at the end of year you find there were no events? Security investment is an expense that should be viewed to decrease the risk of loss and the cost of business operations. It does not create anything tangible. Therefore, doing a cost effectiveness analysis is more appropriate than calculating a return on security investment." The truth is, ROI becomes more of an exercise in cost avoidance and limitation of loss, than revenue generation, he says.
"We should not talk about ROI with regard to security investments," says William Mabon, director of cyber security products for BAE Systems, a global defense, aerospace and security company with U.S. headquarters in Arlington, Va. "We lose credibility with the CFO when we do. By definition, we're not talking about security practices that are generating income. Rather, we're talking about limiting loss."
Mabon references two popular alternative frameworks: return on security investment (ROSI) and annualised loss expectancy (ALE). "ROSI, compared to ROI, replaces returns with the risk in dollars, multiplied by the percentage of the threat mitigated by the investment," he says. "ALE is the anticipated loss from a single event multiplied by the expected rate of occurrence."
Investment in IT security is a continuous process that must balance need with available budgetary resources. Security tools, technologies and best practices do not just mitigate IT security risk, but mitigate overall business risk posed from security threats on the IT landscape. CIOs, CSOs and other company leaders need to carefully evaluate all tools and solutions available for their specific need.
Enterprises should be asking vendors for evidence that their track record reflects continual development and improvement, says ICSA Labs' Monkman. "Additionally, enterprises should look at the history of independent third-party security testing the vendor has subjected their product to."
Monkman also says that just because security threats change daily, it doesn't necessarily mean that an investment in a security solution or specific technology won't last a while and stay ahead of threats.
Says Monkman, "Any network security product vendor worth its salt will be constantly running to stay ahead of the bad guys."