Business management fads are a fact of life, and despite the difficulties that they sometimes cause, there are usually good ideas that come along with them worth serious consideration. Some of these can be applied to the field of information security and may provide useful insights to professionals in that field.
By their very nature, fads come and go. In the not-too-distant past, we have seen the rise and fall of one-minute management, process reengineering, management by objectives and total quality management (TQM). And although it is often difficult to not be cynical, each fad brings with it some benefits to the organizations that adopt them, even if it is nothing more than providing a reason to challenge existing assumptions and processes that might have outlived their usefulness.
From the cynics point of view, the typical implementation of a management fad has three stages. First, management adopts a fad without adequate understanding of it. Next, countless teams and new statistics are created, fostering the appearance of change for the better. Finally, reality sets in, showing that the fad was improperly implemented, resulting in the inevitable drop in morale and productivity.
Information Security Fads
Curiously, these stages seem to parallel the fate of many information security projects. Many security technologies are adopted without an adequate understanding of the capabilities and limitations of the technology. The lack of understanding may be due to inadequate due diligence on the part of the adopters or it may be due to not-quite-true claims by vendors sales representatives. The long-past boom in public-key infrastructure (PKI) technology may be a good example of this phenomenon, and the buyers remorse that often accompanied the purchase of PKI products at the height of their popularity seemed to parallel the organizational hangover that often follows the poor implementation of a management fad.
In information security, unconventional statistics are often used to justify investments. Instead of the conventional ROI, new metrics, such as return on security investment (ROSI), are often created. Although these innovative statistics may provide an accurate estimate of the benefits of some security technologies, they may also produce undesirable results. In particular, there are organizations in which information security competes for its share of the risk management budget. In this scenario, different metrics for information security projects will probably generate buzz around security at the expense of other projects that might have an even bigger impact on the organization.
There seem to be parallels between poorly implemented management fads and poorly implemented information security projects. Could there be useful lessons here? The answer is almost certainly yes.
Take, for instance, the history of TQM. As you may recall, TQM was one of the great management fads of the 20th century, peaking in popularity somewhere between 1992 and 1996, at which point virtually every business proudly displayed its quality statement for its customers to see. Now, at least a decade later, talking about TQM with others who have seen it in action creates camaraderie similar to that shared by soldiers who undergo basic training together, with mandatory TQM training taking the place of forced marches in the dark carrying a heavy backpack. On the other hand, TQM did have some principles that seem obvious today, though they were not well received at the time. In particular, one of its claims was that it made more sense to do things correctly from the start - rather than fixing the mistakes after the fact.
W. Edwards Deming first applied the principles of TQM in Japan starting in 1946, but its principles were not accepted by many organizations in the U.S., which kept TQM from gaining significant traction for more than 30 years.
In 1979, Philip Crosbys book Quality is Free (Signet) finally presented a case for quality that was compelling enough to be taken seriously. His book sold more than 2 million copies and was probably the turning point for TQM. One of Crosbys arguments was that the cost of poor quality was one of the most relevant metrics to consider, and that if the cost of poor quality was properly measured, it would become apparent that higher quality was essentially free. Before the publication of Quality is Free, many people were skeptical of the value of the higher costs that came with higher quality; after the publication of the book, the consensus changed to accept that the costs of low quality were real and needed to be taken seriously.
Security and Quality
Is information security free in the same sense that quality is free? If we measure the cost of poor information security, will we find that it is actually better to invest in information security than to incur the costs that come with poor security? Answering this question is difficult because the cost of lax information security is difficult to measure. It is easy to quantify the costs of repairing defects that occur in the manufacturing of an automobile, for example, but it is much more difficult to quantify the cost of security breaches that occur because of an inadequate focus on information security. In the case of manufacturing, you have the very real costs of labor and materials that are easy to measure, but in the case of information security, it is very difficult to quantify the value of lost or compromised data.
On the other hand, both quality and security are intangibles. Perhaps Crosbys insight (i.e., the cost of poor quality is a relevant metric) can help us measure the cost of information security. More specifically, perhaps the cost of poor security is a metric worth serious consideration.
The costs of quality can be divided into three general categories: the cost of prevention, the cost of detection and the cost of nonconformance. When these costs are totaled, we get a good idea of the overall cost of quality. By comparing this cost to the benefits of higher quality, we can get an idea of the ROI from implementing a quality program. If you cannot demonstrate an adequate ROI this way, even the most dedicated quality professionals would not recommend that you implement such a program. We may be able to use a similar approach to quantifying the cost of information security, and if the costs of a security program cannot be justified in this way, it is probably not worth implementing.
In the context of information security, the cost of prevention includes the direct costs of deploying and supporting information security technologies as well as the cost of developing and administering the associated policies and procedures. These costs are relatively constant and can be easily budgeted. The TCO may be the right way to quantify the cost of prevention, but TCO estimates are often based on indirect costs that are difficult or impossible to accurately quantify. It is likely that the cost of prevention is a relatively large fraction of the typical total costs of information security, although they may be a low fraction of the possible costs. If you have no data breaches, then most of your costs will be from prevention; if you have a data breach, then most of your costs will be due to nonconformance. But if you have an adequate investment in information security, then you can significantly reduce the expected costs of nonconformance, which can be extremely expensive.
The cost of detection includes the costs of audits and may include the TCO of some information security technologies, like the cost associated with operating intrusion detection or intrusion prevention technology. It is also likely that these costs make up a relatively small fraction of the total costs of information security, but they are certainly necessary.
The cost of nonconformance includes the costs of failures in the prevention and detection processes, and it is probably here that the bulk of the costs of lax security can make themselves felt. If full-disk encryption is not used on laptop computers, for example, it is extremely likely that the data on at least one of them will be compromised over a one-year period. This can lead to extremely high costs of notifying customers whose data might have been compromised or dealing with a security breach.
So adding the costs of prevention, detection and nonconformance may be a useful framework for information security as well as quality and may provide a good way to estimate the cost of security. And just like looking at quality from this perspective provided a good basis for justifying investments in quality programs, this approach may provide a good way to justify investments in information security. On the other hand, it may also show that some security investments are not worth making. Do not be surprised if this turns out to be the case in some situations, and be prepared to accept the fact that some security programs do not deserve your time or money. Security may not be free, but security that deserves to be implemented is.
Register or login for access to this item and much more
All Information Management content is archived after seven days.
Community members receive:
- All recent and archived articles
- Conference offers and updates
- A full menu of enewsletter options
- Web seminars, white papers, ebooks
Already have an account? Log In
Don't have an account? Register for Free Unlimited Access