When It Comes To Your Information Security Program, Don’t Go With Your Gut

“Go with your gut!” is a phrase spoken in business every day. Many executives have learned to trust their intuition and lean on it for both minor and major decisions. After all, not everything can be quantified neatly. The human factor and personal experience can never be (and should never be) completely removed from any business equation.

Here’s the problem: when it comes to information security (IS) programs, businesses are too often only going with their gut. Do that, and you’re likely accepting an uncomfortable amount of risk for your organization. Here’s why.

Assumptions are deadly Gut feelings are based largely on assumptions. Some executives might assume, “Our organization has data that would be considered low value to a hacker. Plus, we aren’t required to adhere to any ‘official’ security compliance requirements in our industry. Given those two facts, we aren’t a major target for hackers. The possibility of a breach is slim. Further, given that budgets are tight, why put serious money into information security? It would be wasted.”

All of these points are assumptions – they are subjective assessments, not based on hard facts. How do you know your data is “low value”? How do you know what hackers are looking for? How do you know that the possibility of a breach is slim? The answer? You don’t. Your gut has just led you into a potentially dangerous situation by causing you to apply only a grudging amount of funds toward information security.

Alignment is essential Another place the gut gets in the way is when executives assign what they feel is a “reasonable” amount to information security, but they don’t then take the time to align those funds to protect their most important assets. Instead, they sprinkle security throughout their organization, treating all assets (whether high-value targets or low-value targets) as if they had the same level of risk. Oftentimes, the funds go to protecting only one layer of their infrastructure – the edge network. This usually “feels” right to the gut. The belief is that intruders will recognize you have a secure “front door,” and focus their efforts on less formidable targets. The security budget in these organizations is often subjectively determined and not based on a true assessment of risk to the business. The risk is considerable, however, if the edge network is penetrated. Once hackers are in the “front door,” they have near free reign of the environment.

Analytics are key Another mistake organizations make that encourages a “gut” approach is that they do not look at the level of risk mitigated based on the amount spent on security services. In other words, they lack metrics to assess the value of threats mitigated vs. security budget. For example, if a metric were to show 1,000 malicious attacks thwarted over the entire enterprise for a $1,000/month security budget allocation, then the business could easily assess if that spend was justified for the level of risk mitigated.

Metrics that can override gut feelings are:

• The cost of damage from a malicious attack
• The cost to protect assets against defined risks
• The probability of data loss
• The cost of data loss
• The cost of downtime per protected asset

Even fundamental metrics help an organization 1) assess whether they are truly a low or high probability target for a security risk, and 2) determine if their budgets are aligned with protecting their assets against their greatest business vulnerabilities – security or otherwise.

Moving away from gut feelings There are many tools available to help organizations avoid the gut feeling pitfall. For example, Security Information and Event Management (SIEM) tools provide a robust level of reporting that can aid an organization in measuring and tracking metrics. Among other things, these tools can be used to quantify the threats mitigated in an environment. For example, there are canned reports available from one SIEM tool, McAfee Enterprise Security Manager, such as: the Top Malware Types Detected, Hosts With The Most Malware, and Password Guessing Attempts By Host. Additionally, there are canned reports that don’t directly measure attacks thwarted, but aid with quantifying risk exposure. Reports such as Patches That Failed To Install, Anti-Malware Which Failed To Update, or Access To Policy Violations are examples of reports that aid an organization in this initiative.

Metrics are only part of the equation, of course. A successful IS program involves the necessary commitment of people, processes, and technology. It is strongly recommended to take advantage of Managed Security Services Providers (MSSP), of which there are many. MSSPs greatly shorten the time required for a company to realize value from security tools deployed in their organizations, as well as provide qualified people who follow standard processes.

Additionally, the multi-tenant solutions provided by MSSPs provide collective security knowledge, something an organization cannot create on their own internally. Collective security knowledge includes not only best practices realized during the installation and configuration of tools or the deployment of a security program, but also leverages the security risks that MSSPs encounter across their entire customer base. That benefit is analogous to looking out your window for a weather report vs. obtaining a 5-day regional forecast. You can see a much broader picture with the collective knowledge of all weather stations for your region than you can by looking out the window at a particular moment.

Make a business decision, not a gut decision With the flood of security breaches reported in the news recently, organizations have become desensitized to the risk. Further, the threat level is dynamic based on factors such as industry group, perceived political leanings, time of year, value of assets, etc. In such an environment, it is tempting to “go with your gut.”

By leaving the gut approach behind, organizations can better understand the level of risk they are assuming and make fact-based decisions regarding their security services budget to appropriately align those funds in a value-based manner.