Recently I needed to purchase automobile insurance. To obtain a quote, the online insurer asked my age, where I lived, how much I drive and where, the year, make, and model of my cars, about my driving record, and how much coverage I wanted. Behind the scenes, they likely took these data points, applied them to some vehicle claim actuarial data, and presented me with a rate based upon MY effective overall risk score. The process made sense, the price was fair, and I ended up buying.
This got me thinking. What if instead the insurer had said, “We’ll give you the same coverage as everyone else who applied, add some protection for a new, obscure, scary-sounding road hazard, and bill you 15% over last year.” Without taking anything about at all about ME into account, it would seem that there was no real risk management involved in their decision-making. As a consumer, I would reject this offer. Clearly this makes zero sense. Ridiculous as this scenario sounds, isn’t this fairly similar to the process of creating information security budgets?
Gunnar Peterson explains it best, “Security budgets are often based on a combination of last year's spending, this year's threat(s) du jour, and "best" practices, i.e. what everyone else is doing. None of these help to address the main goal of information security which is to protect the assets of the business. The normal security budgeting process results in overspending (as a percentage) on network security, because that's how the budget grew organically starting from the 90s.”
I agree and I think this is precisely why we see so many organizations spending a larger percentage of their budgets protecting their networks and infrastructure, as opposed to their applications, where the largest chunk of IT dollars are invested. In Gunnar’s words, “...they are spending $10 to protect something worth $5, and in other cases they are spending a nickel to protect something worth $1,000. If you look at the numbers objectively, you see why it is out of control...” Worse still, this budget misallocation persists despite real-world data revealing where the real threats are (at the application layer, Verizon’s DBIR) and in stark contrast to the infosec pros’ own stated priorities.
A survey conducted by FishNet Security of IT pros and C-level executives from 450 Fortune 1000 companies found that: “45% say firewalls are their priority security purchase, followed by antivirus (39%), and authentication (31%) and anti-malware tools (31%)." The report goes on to say, "Nearly 70% [of those surveyed] say mobile computing is the biggest threat to security today, closely followed by social networks (68%), and cloud computing platforms (35%). Around 65% rank mobile computing the top threat in the next two years, and 62% say cloud computing will be the biggest threat, bumping social networks." This is pretty funny because Mobile, Social Networking, and Cloud attacks specifically bypass those firewall investments.
To resolve this spending conundrum, and begin closing the application security gap, I see two option:
1) Information security professionals must align their investments with business priorities, which is what Gunnar wisely advocates. He says, “the biggest line item in [non-security] spending should match the biggest line item in security.” In almost every enterprise, this would mean redirecting network security dollars to application security. Even if this approach makes perfect sense, there is no question budget re-allocation would meet fierce opposition. Nothing less than a paradigm shift in thinking, culture and regulatory design would allow this to come to pass. Unfortunately, I think it is nearly impossible for the masses.
2) Information security professionals would need to convince management to approve new additional budget dollars specifically for application security, without reducing other budgets. Ideally, these application security investments could be justified directly or indirectly to increased revenue or reduced costs. Ask yourself, how might application security investments contribute to new customer acquisition? Can the business increase its differentiation? Obviously this won’t solve the spending inefficiency conundrum, but we might be able to gain ground and close the gap using this approach. To do so we need more case studies and benchmarks to demonstrate how other organizations are investing.
Fortunately, from an industry perspective, these choices are NOT mutually exclusive. Each organization will of course have to find its own path. In a future post I'll list out ways I've seen organizations justify application security budgets. In the meantime, if you have ways that you've found successful, comment below!