Military Strategy & Security Economics: Finding More Bang for the Security Buck
At this point all readers of Transaction World Magazine are aware of the data compromise trends. In spite of increased enforcement of, and compliance with, the PCI DSS, companies continue to be victimized at an alarming rate. Faced with increasingly frequent and successful attacks despite all of the attention paid to security and compliance, companies are often left wondering how to protect their data. Understanding the economics of security can help.
Last year, the U.S. Government, along with The Ponemon Institute, released an eye-opening study [1] that quantified security spending in various industries and correlated an estimated security posture with that spending. The study then estimated the increase in spending required to achieve 99% “security.” While the findings make for interesting and often heated debate, there is little disputing that they are the first real attempt to quantitatively ascribe a cost to a measure of security. In short, the study allows security practitioners, as well as CFOs and risk analysts, to state with some degree of confidence that each $1 spent on security purchases a measurable fraction of “security” for their organization, and that increasing spending by a given percentage raises the security posture by some smaller percentage.
A review of the study shows that financial services organizations are achieving 68.67% security with an average of $22 million spent annually. To achieve 80.33%, a company must increase spending by an additional $44 million, for a total of $66 million per year. Put another way, for every additional percentage point beyond 68.67%, the company must allocate an additional $3.77 million in security. This demonstrates the inherent inefficiency of the current network-centric security model. Quite simply, something must change, as companies cannot increase security spending eightfold. In one sense the accuracy of the numbers is irrelevant. What is relevant is the understanding that companies would need to increase their spending to a point at which it would be cost-prohibitive to continue doing business. This alone should be enough to compel companies to look more closely at economic efficiency.
Efficiency can be defined as: “accomplishment of or ability to accomplish a job with a minimum expenditure of time and effort.” [2] In the context of security, efficiency refers to achieving the maximum level of security with the lowest possible cost, time and effort. When determining cost we should include other resources that can be quantified, such as employee time. It goes without saying that the goal of any CIO, CFO or CSO should be to get the most out of their security expenditures and achieve the greatest possible level of security at the lowest possible cost. While easy to conceptualize, efficiently applying human resources in an area as complex as security requires more than a strict mathematical model or a bean counter’s mentality. This subject has been studied, modeled and debated for years within the military community.
Military and combat efficiency has been studied for millennia. In 1050 BC the Chinese warrior LouTao said, “The strength of an army depends less upon numbers than upon efficiency.” In his famous 19th century book On War, Carl von Clausewitz writes that a general principle of warfare is to “make the best use of the few means at our disposal.” Experience with warfare has taught that efficiency alone is insufficient to describe the characteristics needed to achieve combat objectives or to evaluate the capabilities of an adversary. It has been suggested that the term proficiency may be more appropriate. Proficiency describes the level a person or group has reached in mastering the complex art of war (or, in our case, security). The word proficient implies a level of skill, as opposed to a difference in machine-like characteristics. [3] It should be noted that proficiency is closely correlated with efficiency. Consider the following information security example:
A CSO must decide which of two firewall administrators to keep, because his budget requires that he reduce head count. Admin #1 is more proficient at managing a firewall and therefore 1) makes fewer mistakes and 2) completes tasks 25% more quickly. In this scenario, it is the proficiency that creates the efficiency. Additionally, the proficiency of Admin #1 provides greater effectiveness, since fewer mistakes in a firewall rule base means fewer unintended openings for an attacker.
At a more strategic level, security can also borrow from the military the concept of “force multiplication.” While surprising to some, combat is often reduced to a numbers game in which generals use models to calculate the statistical probability of success against a foe given the variables. Although impersonal and certainly indelicate, this is simply how warfare works at a strategic level. A common rule of thumb, the 3:1 rule, holds that, all other things being equal, successfully attacking an enemy in a defensive position requires three times as many attackers as defenders. So what is a general to do when the numbers don’t add up? This is where force multipliers come into play.
In April 2012 USAToday published a story describing how snipers are changing warfare today. During Vietnam the average number of rounds expended per “kill” was over 50,000. Snipers, however, averaged 1.3 rounds per kill. A single combatant with that kind of impact on the battlefield is simply more economically efficient for the commander: the sniper is a ‘force multiplier,’ one combatant with a disproportionate effect. Quite simply, that one sniper is worth more, economically speaking, than one conventional infantryman. The idea is not limited to snipers, and, while an indelicate example, it illustrates force multiplication well.
Much like generals, companies are looking for ways to get more proverbial ‘bang for their buck’ in security. The Ponemon study demonstrates that today’s ‘conventional’ security approaches are simply too inefficient to be effective. In much the same way that generals and defense specialists look for ways to accomplish their objectives more efficiently (fewer dollars, fewer lives lost), companies should be pursuing the same goal. If $1 buys x of conventional security and the goal is 8x of security, there are two basic approaches. First, the company can spend eight times as much. This is inefficient and unrealistic. Second, the company can find ‘multipliers’ that provide more security for the same $1, allowing it to use its resources more efficiently. If tools, techniques and technologies can be found that double effectiveness for the same $1, the company only has to spend four times as much to achieve the same 8x objective; each further multiplier shrinks the required spend again. How do these concepts apply to data security?
Quite simply, a force multiplier is any technology or approach that, when added to the existing security infrastructure, produces a disproportionate increase in the effort an attacker must expend to achieve their goal. Advanced authentication technologies come to mind. Technologies that provide security force multiplication also include strong encryption (with strong key management), EMV, and point-to-point encryption. The reason these qualify is that they change what a successful intrusion yields: an attacker who compromises a network protected by encryption with sound key management obtains ciphertext and must additionally defeat the key management to gain anything of value, and EMV makes card data captured from a transaction far less useful for producing counterfeit cards. Every dollar spent on an EMV implementation will therefore provide greater security than the same dollar spent on conventional security approaches.
Security efficiency can also refer to services or changes in operations that allow a company to achieve equivalent security at a lower price. For many companies, using an external hosting provider that specializes in security allows the company to draw on a broader range of expertise and technology for a lower annual cost. If a company keeps spending at its existing rate but gets 50% more capability for that money, it is reasonable to expect a corresponding increase in its security posture. A good example is the popular concept of ‘segmentation’ within the payment card industry. Bringing an entire enterprise network into compliance is usually cost-prohibitive. By segmenting the cardholder data environment, both the cost of bringing that smaller environment into compliance and the cost of maintaining its security are significantly lower. The caveat is that the segmentation must actually hold: an environment that is segmented on paper but still reachable from the rest of the network provides neither the security nor the scope reduction, so the isolation should be verified by testing rather than assumed from the network diagram.
In summary, the Ponemon study highlighted what those working in the payment card industry have known for a long, long time: the existing security models are simply too inefficient to allow companies to adequately protect their sensitive data. Companies cannot and will not increase their security spending eightfold, and certainly not twelvefold. One way to improve security is to borrow from the military and look for force multipliers and security efficiencies. By using the same dollar to greater effect, companies can achieve a greater level of security at a lower cost.
Chris Mark is the founder and principal consultant of Mark Consulting Group, Inc. He is a recognized payment card security, risk management and information assurance expert. He holds the CISSP and CIPP professional certifications and numerous technical certifications, and has MBA and BA degrees. You can read more at www.MarkConsultingGroup.com or read his blog at www.GlobalRiskInfo.com.