Corporate America is awash with data breaches and other security lapses, often because CISOs and other IT pros have trouble communicating the need for more security investment to the CEO and the rest of the C-suite. CISOs tend to talk about threats and the number of blocked attacks, not in terms of the bottom line.

Policy think-tank RAND has developed a model to help CISOs communicate IT security in terms of risks and return on investment. The new model presents a metric called reduction of risk on investment, which focuses on the total cost of security risk and how those risks can be managed cost-effectively.

The metric is about "how can I reduce my risk given X investment and given Y profile of my organization, which is a complex profile because it involves direct and indirect costs related to people, process, technology, culture, BYOD, IoT and everything else," Rebecca Lawson, senior director of product marketing at Juniper Networks, told FierceITSecurity.

The model defines risk as the cost to companies of defensive measures – security tools, training, air-gapping networks and BYOD management – plus the cost of a breach, based on the value of the information at risk, multiplied by the probability of a breach, expressed on a scale where 1.0 equals 100 percent.
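To make the definition concrete, the following Python script (an added illustration, not code from RAND, Juniper or the article) computes total cost of risk as defensive cost plus value at risk times breach probability, and then compares two candidate spending options against a baseline. The postures, dollar figures and probabilities are constructed for the example, and the "ratio" it reports (risk removed per dollar of extra spend) is an assumed reading of the reduction-of-risk-on-investment metric, not a formula taken from the report.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Posture:
    """One security posture as the article frames the RAND model.
    All figures used below are constructed examples, not report data."""
    label: str
    defensive_cost: float       # spend on tools, training, air-gapping, BYOD management
    value_at_risk: float        # value of the information a breach would expose
    breach_probability: float   # chance of a breach over the period, 0.0 to 1.0

    def __post_init__(self) -> None:
        if not 0.0 <= self.breach_probability <= 1.0:
            raise ValueError(f"{self.label}: breach probability must be in [0, 1]")
        if self.defensive_cost < 0 or self.value_at_risk < 0:
            raise ValueError(f"{self.label}: costs cannot be negative")

    def total_cost_of_risk(self) -> float:
        """Defensive cost plus expected breach loss, per the article's definition."""
        return self.defensive_cost + self.value_at_risk * self.breach_probability


def reduction_of_risk_on_investment(baseline: Posture, option: Posture) -> dict:
    """Compare an option against the baseline.

    The ratio is an ASSUMED reading of the metric: total cost of risk removed
    per unit of additional defensive spend. Above 1.0 the option more than
    pays for itself; negative means it raises total cost despite lowering
    breach probability.
    """
    investment = option.defensive_cost - baseline.defensive_cost
    if investment <= 0:
        raise ValueError(f"{option.label}: option must spend more than the baseline")
    reduction = baseline.total_cost_of_risk() - option.total_cost_of_risk()
    return {
        "option": option.label,
        "investment": investment,
        "risk_reduction": reduction,
        "ratio": reduction / investment,
    }


# Constructed scenario: a mid-sized firm holding $5M of sensitive data.
BASELINE = Posture("current posture", 200_000, 5_000_000, 0.20)
OPTIONS = [
    Posture("basic controls", 500_000, 5_000_000, 0.10),       # halves breach odds
    Posture("full advanced stack", 1_200_000, 5_000_000, 0.05),  # quarters them, at a price
]


def rank_options(baseline: Posture = BASELINE, options=OPTIONS) -> list:
    """Return the options ordered from most to least cost-effective."""
    results = [reduction_of_risk_on_investment(baseline, o) for o in options]
    return sorted(results, key=lambda r: r["ratio"], reverse=True)


if __name__ == "__main__":
    print(f"baseline total cost of risk: {BASELINE.total_cost_of_risk():,.0f}")
    for r in rank_options():
        print(f"{r['option']:<22} invest {r['investment']:>10,.0f}  "
              f"risk reduction {r['risk_reduction']:>10,.0f}  ratio {r['ratio']:.2f}")
```

Run as a script to see the ranking. With these constructed numbers the basic-controls option lowers total cost of risk from $1.2M to $1.0M for $300K of extra spend, while the advanced stack drives the breach probability lower yet raises total cost to $1.45M, which is the kind of suboptimal investment the report describes for smaller organisations.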

"The model provides a systematic starting point to help CISOs understand the different decisions they can make to protect their organizations and better engage and garner support from the broader C-suite," the report explained. The report, sponsored by network security firm Juniper Networks, details the model developed by RAND.

RAND estimated that the cost of managing cybersecurity risks will increase 38 percent over the next 10 years. The report identified five main factors influencing those costs – suboptimal security investment, the ability of attackers to develop countermeasures, investment in security training of the workforce, the Internet of Things explosion and increasing software vulnerabilities.

In terms of security investment, RAND noted that companies often don't employ the best strategy for their security investments. For example, small and medium-sized companies benefit most from investments in basic security tools and policies. On the other hand, large organizations with highly sensitive information need investments in the full range of advanced technologies and policies.

The ability of attackers to develop countermeasures means that many security tools have short half-lives and lose value quickly. Products that can be thwarted by countermeasures include anomaly and signature detection, malware sandboxing and anti-phishing training.

Investing in security training of workers, while an upfront cost, can reduce costs over time. RAND estimated that companies that have a well-trained and effective staff can reduce their cost of security by 19 percent in the first year and 28 percent in 10 years.

The report advised companies to get out in front of the Internet of Things and invest in security technologies and device management in a smart way. Those firms that don't could see their losses from cyberattacks increase by 30 percent over 10 years.

RAND warned that the number of software vulnerabilities is expected to increase as IoT enters the enterprise. Companies should demand better security testing and patching from their software providers, along with regular updates and patches for the software they already have deployed.

"This is a brave new world for all of our customers, thinking ... about what is going on at a deeper level" in terms of IT security, Lawson concluded.