The attitude that IT security risk shouldn’t be governed by traditional measures of cost and benefit is ludicrous.
At RSA a few years back, I was in a presentation by a CISO of a major company who asserted that he would spend “whatever it takes” to secure his company. This kind of rhetoric isn’t uncommon, especially with those organizations that don’t have any budget. What really surprised me though was that a senior IT security risk management professional of a large company would say such a thing.
I am pretty sure he didn’t actually mean he would spend, say, $10 billion on security. But the attitude that tech risk management shouldn’t be governed by traditional measures of cost and benefit is ludicrous, despite the fact that the “whatever it takes” approach plays well to security professionals. After all, we have dedicated our careers to protecting information and computer assets, and we see the potential for damaging people’s lives when personal information gets leaked.
The problem is that in order for us to be taken seriously within our organizations, we need to eliminate the emotional element from our pronouncements and policies. Instead, we should focus on providingappropriate security in appropriate places. (Even writing this makes me feel callous and cold, but that is the economic reality of business.)
Does that mean we should simply advocate for “appropriate” security measures and leave it at that? Hardly. It’s way too common for individuals to have varying opinions about what appropriate actually means. A better approach is to look to history and the laws that have set precedents for determining when organizations are “negligent.”
For example, back in 1932 Judge Learned Hand decided in US v TJ Hooper that “…a whole calling may have unduly lagged in the adoption of new and available devices.” He went on to say that “…there are precautions so imperative that even their universal disregard will not excuse their omission.” This opinion may have opened up the floodgates on negligence because it implies an unattainable level of foresight with damages determined in hindsight.
Luckily, Judge Hand realized this weakness (albeit 15 years later) and followed up with a more realistic formula for determining negligence: “…if the probability be called P; the injury, L; and the burden, B; liability depends upon whether B is less than L multiplied by P: i.e., whether B less than PL.” (US v. Carroll Towing, 1947). If that formula for negligence looks familiar, it should — it is a manifestation of the formula we use to measure risk.
In short, Judge Hand ascribes a cost-benefit equation to determining negligence, effectively asserting that we should spend only as much as the consequences might cost, discounted by the likelihood of a negative event within the scope of circumstances.
So, instead of “whatever it takes,” IT security risk management professionals should be spending “as much as necessary, not to exceed the value of the potential losses.” Many tech risk pros intuitively understand this. But others are so caught up in the operational reality of putting out daily fires that they don’t get the opportunity to put it into practice.
That’s a crucial mistake if you want to be taken seriously internally when it comes to managing IT security.