By Richard Moss | Feb 28, 2009 | 3478 reads
Hard times mean hard choices. Right now organizations have to make some sober decisions about how and where they invest their budgets this year, and with that in mind the question is being asked: "what will happen to IT security spending in 2009?" Well, depending on which report you read, we will either see an increase in IT security spending, or a decrease, or it may even remain flat compared with last year. Confusing?
Well, the truth is it's probably a trick question anyway, as all of the above are correct, at least when taken at the level of an individual organization! Someone will no doubt be increasing spending, for others spending will remain flat, and others [perhaps the majority] may well be cutting it.
And that brings out a significant point: security investment is about treating risk, whether at a personal level or on behalf of an organization. We all invest differently to stop something bad from happening or to enable something good to take place, and we make those investments based on our unique appetite for risk: the risk we're prepared to accept versus the risk we need to mitigate. Whether we're prepared to invest or not should have no bearing on what other people are spending, or on whether their spending is going up or down!
As an example: if I'm holidaying in Bangkok I should decide whether or not to take out travel insurance based on my personal risk appetite, and not be influenced by whether the market for travel insurance is growing or shrinking. The same goes for a company's security services: match your investment to the risk and to the organization's appetite for it!
Alas, the harsh realities of budgeting and cut-backs mean that decisions around security investments are increasingly hard to justify amid the current economic crisis, and this is placing more pressure on already beleaguered managers and staff. As a consequence, investment models such as RoI and TCO are being trotted out to justify spending and projects. That is not a bad thing at any point in the financial cycle, let alone in a downturn, but I would argue that a good security team should already know what investments in security it has made, why they have brought benefit to the business and, furthermore, what is required for the future. The challenge is that the level of scrutiny today is increasing and the squeeze on cash within some organizations is eye-wateringly tight. Amid this squeeze I have been interested to see the rise of security benchmarking, offered by numerous vendors as a way of helping to justify spending. But beware: the security benchmarking road is one that should be trodden with great care!
The benchmarking premise is quite simple: someone performs a series of tests and compares (or benchmarks) your score against similar organizations, or against the industry vertical you operate in, and tells you how you measure up. All very useful, but it is a statistic that, if misused, can have dire consequences. Charles Darwin argued for the "survival of the fittest" in the evolution of life; you all know this I'm sure. From beginning to end, natural selection ensures that the fittest survive and prosper and the weaker die out.
So what does benchmarking tell a CISO? Does it mean your security is "fitter" than that of your competitors or of organizations similar to yours? Does it settle investment decisions? Does it drive different behavior within the organization, and does it mean your organization will survive the threats while others won't? Of course not; on its own it does none of these!
Well, let's be balanced here: benchmarking has a place. At BT we have benchmarking in the mix of tools that our security consultants use, and used properly it provides intelligence to aid decision making, but it is nothing more than a data point or statistic and it must be used correctly. To go back to my Bangkok holiday analogy: it's no good my benchmarking against all the other passengers on my flight to decide whether I should take out travel insurance. Even if everyone else is traveling without insurance, I still need to decide what risks I face, what their probability and impact are, and then what my appetite for that risk is.
Because here is the problem with benchmarking even when it is used correctly: if it is survival of the fittest, what happens when everyone else is unfit, such that your benchmarking report tells you your security posture is better than your competitors' and better than the industry norm? When everyone else is "unfit" you have a systemic problem, and if you believe your benchmarking report you could be lulled into a false feeling of security and believe that you're okay! Can't happen? Well, look at the financial services sector: speak to any risk manager involved in managing the risks associated with mortgage-backed derivatives. The returns were too high and everyone else was doing it, so risky decisions were made and risk control procedures were dumbed down to support the desired activity.
So while times are tough and investment decisions are increasingly hard to push through as organizations struggle with dire economic outlooks and uncertain futures, don't be fooled into a false sense of security through inappropriate use of investment tools and techniques. Instead, link security investments strongly to the objectives of the business and identify the impact that mitigation strategies can have. Understand the changing business climate and both the opportunities and threats that it brings; identify your organization's unique risks and how they are changing, then evolve your security posture in response, and don't leave survival to chance!
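As an added illustration (this code is mine, not part of the original article, and every number in it is constructed), here is the benchmark and the absolute risk check side by side in Python. A fictional organization ranks top of a peer group whose median control coverage sits well below a floor we set for ourselves, while its own annual loss expectancy (probability times impact, summed over a made-up risk register) still exceeds its appetite. The last function prices a hypothetical mitigation by the ALE reduction it buys, which is the "impact of mitigation strategies" the closing paragraph asks you to identify. The peer scores, register, appetite, coverage floor and mitigation figures are all assumptions.

```python
"""Added example, not from the original article: a peer benchmark treated as
one data point beside an absolute risk-appetite check. Every number below
(peer scores, the risk register, the appetite and the coverage floor) is
constructed for illustration."""

from statistics import median

# Constructed peer benchmark: fraction of an agreed control checklist that
# each of seven comparable organizations passes. Note that all of them are low.
PEER_SCORES = [0.42, 0.38, 0.45, 0.40, 0.36, 0.44, 0.39]

# Constructed risk register for "our" organization:
# (scenario, annual probability of occurrence, impact in GBP if it occurs)
RISK_REGISTER = [
    ("ransomware outbreak", 0.20, 500_000),
    ("lost unencrypted laptop", 0.50, 40_000),
    ("customer web app breach", 0.10, 1_200_000),
]


def percentile_rank(score, peers):
    """Share of peers scoring strictly below `score`, in the range 0..1."""
    if not peers:
        raise ValueError("benchmark needs at least one peer")
    return sum(1 for p in peers if p < score) / len(peers)


def annual_loss_expectancy(register):
    """Sum of probability x impact over the register (simple ALE)."""
    return sum(prob * impact for _, prob, impact in register)


def assess(our_score, peers, register, appetite, min_coverage):
    """Return the relative view (benchmark) and the absolute view (ALE vs
    appetite) side by side, plus a warning when the peer group as a whole
    sits below the control coverage we consider the minimum acceptable."""
    peer_median = median(peers)
    ale = annual_loss_expectancy(register)
    return {
        "percentile": percentile_rank(our_score, peers),
        "above_peer_median": our_score > peer_median,
        "ale": ale,
        "within_appetite": ale <= appetite,
        # If the median peer fails our own floor, "better than peers" is a
        # systemic warning, not reassurance.
        "systemic_warning": peer_median < min_coverage,
    }


def mitigation_value(register, scenario, new_probability, annual_cost):
    """Estimate what a control is worth: the ALE reduction it buys for one
    scenario and the net benefit after its annual cost. Returns (reduction, net)."""
    for name, prob, impact in register:
        if name == scenario:
            reduction = (prob - new_probability) * impact
            return reduction, reduction - annual_cost
    raise KeyError(f"unknown scenario: {scenario}")


if __name__ == "__main__":
    result = assess(our_score=0.48, peers=PEER_SCORES, register=RISK_REGISTER,
                    appetite=150_000, min_coverage=0.70)
    for key, value in result.items():
        print(f"{key:>18}: {value}")
    # Hypothetical control (tested offline backups plus restore drills), assumed
    # to cut the ransomware probability from 0.20 to 0.05 for 60,000 a year.
    reduction, net = mitigation_value(RISK_REGISTER, "ransomware outbreak",
                                      0.05, 60_000)
    print(f"ransomware control: ALE reduction {reduction:,.0f}, net {net:,.0f}")
```

Run as a script it reports a percentile of 1.0 and "above peer median" alongside "within appetite: False" and "systemic warning: True"; the benchmark alone would have read as good news. The mitigation line is the piece the benchmark cannot give you: a control is justified by the expected loss it removes against its cost, not by whether the peer group has bought it.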