
The Business Justification For Data Security

You've probably noticed that we've been a little quieter than usual here on the blog. After blasting out our series on Building a Web Application Security Program, we haven't been putting up much original content.

That's because we've been working on one of our tougher projects over the past 2 weeks. Adrian and I have both been involved with data (information-centric) security since long before we met. I was the first analyst to cover it over at Gartner, and Adrian spent many years as VP of Development and CTO in data security startups. A while back we started talking about models for justifying data security investments. Many of our clients struggle with the business case for data security, even though they know the intrinsic value. All too often they are asked to use ROI or other inappropriate models.

A few months ago one of our vendor clients asked if we were planning on any research in this area. We initially thought they wanted yet-another ROI model, but once we explained our positions they asked to sign up and license the content. Thus, in the very near future, we will be releasing a report (also distributed by SANS) on The Business Justification for Data Security. (For the record, I like the term information-centric better, but we have to acknowledge the reality that "data security" is more commonly used).

Normally we prefer to develop our content live on the blog, as with the application security series, but this was complex enough that we felt we needed to form a first draft of the complete model, then release it for public review. Starting today, we're going to release the core content of the report for public review as a series of posts. Rather than making you read the exhaustive report, we're reformatting and condensing the content (the report itself will be available for free, as always, in the near future). Even after we release the PDF we're open to input and intend to continuously revise the content over time.

The Business Justification Model

Today I'm just going to outline the core concepts and structure of the model. Our principal position is that you can't fully quantify the value of information; it changes too often, and doesn't always correlate to a measurable monetary amount. Sure, it's theoretically possible, but practically speaking we assume the first person to fully and accurately quantify the value of information will win the Nobel Prize.

Our model is built on the foundation that you quantify what you can, qualify the rest, and use a structured approach to combine those results into an overall business justification. We purposely designed this as a business justification model, not a risk/loss model. Yes, we talk about risk, valuation, and loss, but only in the context of justifying security investments. That's very different from a full risk assessment/management model.

Our model follows four steps:

  1. Data Valuation: In this step you quantify and qualify the value of the data, accounting for changing business context (when you can). It's also where you rank the importance of data, so you know if you are investing in protecting the right things in the right order.
  2. Risk Estimation: We provide a model to combine qualitative and quantitative risk estimates. Again, since this is a business justification model, we show you how to do this in a pragmatic way designed to meet this goal, rather than bogging you down in near-impossible endless assessment cycles. We provide a starting list of data-security specific risk categories to focus on.
  3. Potential Loss Assessment: While it may seem counter-intuitive, we separate potential losses from our risk estimate, since a single kind of loss may map to multiple risk categories. Again, you'll see we combine the quantitative and qualitative. As with the risk categories, we also provide you with a starting list.
  4. Positive Benefits Evaluation: Many data security investments also contain positive benefits beyond just reducing risk/losses. Reduced TCO and lower audit costs are just two examples.

After walking through these steps we show how to match the potential security investment to these assessments and evaluate the potential benefits, which is the core of the business justification. A summarized result might look like:

- Investing in DLP content discovery (data at rest scanning) will reduce our PCI related audit costs by 15% by providing detailed, current reports of the location of all PCI data. This translates to $xx per annual audit.
- Last year we lost 43 laptops, 27 of which contained sensitive information. Laptop full drive encryption for all mobile workers effectively eliminates this risk. Since Y tool also integrates with our systems management console and tells us exactly which systems are encrypted, this reduces our risk of an unencrypted laptop slipping through the gaps by 90%.
- Our SOX auditor requires us to implement full monitoring of database administrators of financial applications within 2 fiscal quarters. We estimate this will cost us $X using native auditing, but the administrators will be able to modify the logs, and we will need Y man-hours per audit cycle to analyze logs and create the reports. Database Activity Monitoring costs %Y, which is more than native auditing, but by correlating the logs and providing the compliance reports it reduces the risk of a DBA modifying a log by Z%, and reduces our audit costs by 10%, which translates to a net potential gain of $ZZ.
- Installation of DLP reduces the chance of protected data being placed on a USB drive by 60%, the chances of it being emailed outside the organization by 80%, and the chance an employee will upload it to their personal webmail account by 70%.

We'll be detailing more of the sections in the coming days, and releasing the full report early next month. But please let us know what you think of the overall structure. Also, if you want to take a look at a draft (and we know you) drop us a line...

We're really excited to get this out there. My favorite parts are where we debunk ROI and ALE.

—Rich


Comments:


By Sharon Besser  on  01/24  at  12:33 PM

I wish that it was so simple as starting with understanding the value of the data. In my experience, this approach works when the LOB (or CIO/CSO, if they have the teeth and own the budget) understand that there is a risk that should be mitigated, thus understanding the value of data (classification, identification etc) is becoming a prerequisite prior to setting the controls.

You might recall how in the early DLP days (starting at 2004) vendors used a "risk assessment"

Vontu: http://goliath.ecnext.com/coms2/gi_0199-235312/Vontu-Announces-New-Program-to.html
Reconnex (I had to use Google's cache): http://209.85.173.132/search?q=cache:LjBpdMIN3GsJ:www.reconnex.net/news_events/pr/pr_11.08.05C.php+reconnex+48+hour+risk+assessment&hl=en&ct=clnk&cd=1&gl=us
Or this gem: http://www.cardiovascularbusiness.com/index.php?option=com_articles&view=article&id=1008

I'm interested to learn if such a process can work when there is no clear understanding of the key business drivers without the need to perform a "risk assessment"...

By jeff  on  01/25  at  12:34 PM

Hi

Maybe you should look at the Australian Standard, AS 4360, that will become an ISO Standard soon, for a RM Framework model.

NIST has also published a framework and methodology.
Also, is this a generic model or specific to the private/commercial sector?

I think the key at the beginning is to have stakeholders specific to the organisation agree to the model that determines the method and thresholds to security classify information and the associated potential inherent impact.

so how do you rate the resignation of a Government Dept Head or a Minister/Secretary in the public sector
compared to a slide in share price
loss of funds
loss of public trust
harm to a citizen

etc
etc

By Adrian Lane  on  01/26  at  12:51 AM

@Sharon - What drives the effort is not always clear.  A project, a problem, a belief something needs to be done. My belief is that any single person fails, and there will need to be several people in the organization that help gather information and estimates.
@Jeff - I have not seen the Australian standard.  Thanks for the reference.  I will check it out.

-Adrian
