NOV 30, 2007 11:39am ET

Security is Free

Business management fads are a fact of life, and despite the difficulties that they sometimes cause, there are usually good ideas that come along with them worth serious consideration. Some of these can be applied to the field of information security and may provide useful insights to professionals in that field.

By their very nature, fads come and go. In the not-too-distant past, we have seen the rise and fall of one-minute management, process reengineering, management by objectives and total quality management (TQM). And although it is often difficult not to be cynical, each fad brings some benefit to the organizations that adopt it, even if it is nothing more than providing a reason to challenge existing assumptions and processes that might have outlived their usefulness.

From the cynic’s point of view, the typical implementation of a management fad has three stages. First, management adopts a fad without adequate understanding of it. Next, countless teams and new statistics are created, fostering the appearance of change for the better. Finally, reality sets in, showing that the fad was improperly implemented, resulting in the inevitable drop in morale and productivity.

Information Security Fads

Curiously, these stages seem to parallel the fate of many information security projects. Many security technologies are adopted without an adequate understanding of the capabilities and limitations of the technology. The lack of understanding may be due to inadequate due diligence on the part of the adopters or it may be due to not-quite-true claims by vendors’ sales representatives. The long-past boom in public-key infrastructure (PKI) technology may be a good example of this phenomenon, and the buyer’s remorse that often accompanied the purchase of PKI products at the height of their popularity seemed to parallel the organizational hangover that often follows the poor implementation of a management fad.

In information security, unconventional statistics are often used to justify investments. Instead of the conventional ROI, new metrics, such as return on security investment (ROSI), are often created. Although these innovative statistics may provide an accurate estimate of the benefits of some security technologies, they may also produce undesirable results. In particular, there are organizations in which information security competes for its share of the risk management budget. In this scenario, different metrics for information security projects will probably generate buzz around security — at the expense of other projects that might have an even bigger impact on the organization.

There seem to be parallels between poorly implemented management fads and poorly implemented information security projects. Could there be useful lessons here? The answer is almost certainly yes.

Take, for instance, the history of TQM. As you may recall, TQM was one of the great management fads of the 20th century, peaking in popularity somewhere between 1992 and 1996, at which point virtually every business proudly displayed its quality statement for its customers to see. Now, at least a decade later, talking about TQM with others who have seen it in action creates camaraderie similar to that shared by soldiers who undergo basic training together, with mandatory TQM training taking the place of forced marches in the dark carrying a heavy backpack. On the other hand, TQM did have some principles that seem obvious today, though they were not well received at the time. In particular, one of its claims was that it made more sense to do things correctly from the start rather than to fix the mistakes after the fact.

W. Edwards Deming first applied the principles of TQM in Japan starting in 1946, but its principles were not accepted by many organizations in the U.S., which kept TQM from gaining significant traction for more than 30 years.

In 1979, Philip Crosby’s book Quality is Free (Signet) finally presented a case for quality that was compelling enough to be taken seriously. His book sold more than 2 million copies and was probably the turning point for TQM. One of Crosby’s arguments was that the cost of poor quality was one of the most relevant metrics to consider, and that if the cost of poor quality was properly measured, it would become apparent that higher quality was essentially free. Before the publication of Quality is Free, many people were skeptical of the value of the higher costs that came with higher quality; after the publication of the book, the consensus changed to accept that the costs of low quality were real and needed to be taken seriously.

Security and Quality

Is information security free in the same sense that quality is free? If we measure the cost of poor information security, will we find that it is actually better to invest in information security than to incur the costs that come with poor security? Answering this question is difficult because the cost of lax information security is difficult to measure. It is easy to quantify the costs of repairing defects that occur in the manufacturing of an automobile, for example, but it is much more difficult to quantify the cost of security breaches that occur because of an inadequate focus on information security. In the case of manufacturing, you have the very real costs of labor and materials that are easy to measure, but in the case of information security, it is very difficult to quantify the value of lost or compromised data.

On the other hand, both quality and security are intangibles. Perhaps Crosby’s insight (i.e., the cost of poor quality is a relevant metric) can help us measure the cost of information security. More specifically, perhaps the cost of poor security is a metric worth serious consideration.

The costs of quality can be divided into three general categories: the cost of prevention, the cost of detection and the cost of nonconformance. When these costs are totaled, we get a good idea of the overall cost of quality. By comparing this cost to the benefits of higher quality, we can get an idea of the ROI from implementing a quality program. If you cannot demonstrate an adequate ROI this way, even the most dedicated quality professionals would not recommend that you implement such a program. We may be able to use a similar approach to quantify the cost of information security, and if the costs of a security program cannot be justified in this way, it is probably not worth implementing.
