Spend Less, Secure More

Companies that better target their security spending actually spend less and have more effective security programs

In light of recent highly publicized data thefts, it may seem counterintuitive to suggest that organizations with the most effective information security programs currently spend less—not more—than other companies to secure their IT infrastructures.

Yet new research from Boston-based Aberdeen Group shows companies that better target their security spending actually spend less and have more effective security programs.

According to Jim Hurley, the vice president of risk, security, and compliance at Aberdeen, security incidents cost the average company 7.7 percent of its annual revenues. The best-performing companies fare much better, losing only 1.4 percent of annual revenues to security problems. Contrast that with the so-called security program laggards, which lose 8.4 percent.

Only one quarter of companies perform at best-in-class levels. According to Aberdeen, 78 percent of all organizations say they are trying to do better, and cite Sarbanes-Oxley as their primary motivation. By the end of 2005, the analyst firm expects 92 percent of companies will be actively trying to improve their security programs.

Many organizations, however, just throw money at their security problems. Aberdeen says one in three companies doesn't track its annual security spending, and another one in three tracks it inconsistently.

Many organizations also throw point products at perceived problems, deploying technology without first evaluating business needs and improving business processes. To spend their finite budgets more effectively, says Hurley, “companies must determine which strategic action, business capability, or enabling technology is right for their situation.”

Because many companies aren’t doing that, “Aberdeen conservatively estimates that industry is missing out on billions of dollars in potential savings, sales, and profits each year through inefficient management of security spending,” he says.

It's no surprise, then, that “although almost all companies state that their strategic action is focused on avoiding, preventing, and containing Internet security threats, not all firms are achieving the same results,” Hurley observes. “In fact, companies with poorer performance are actually spending more on security than best-in-class companies.”

Who Needs To Know?

To spend more effectively, Hurley suggests a company start with the item that carries both the highest risk and the highest return: sensitive corporate information. First, identify the types of data the organization uses and the damage their disclosure would cause. Then examine the business processes meant to keep that information safe, and only after that the technology used to secure it.

Also, think like an attacker: what are the most effective ways of compromising that data, whether by physical or electronic means? Finally, audit all current controls (a gap may already exist), target spending on improving those controls, and monitor and test them continuously.

This approach makes for more-effective security, and also satisfies regulators. “It is the combination of internal controls for business processes and enabling technologies that are being examined by auditors,” notes Hurley.

Of course, ensuring the security of high-risk data seems like common sense. Recent events, however, suggest many organizations haven’t identified which information is most at risk, or assured the integrity of business processes meant to safeguard it.

Notably, attackers were able to open accounts with ChoicePoint and purchase information on about 145,000 consumers. ChoicePoint’s client-verification process failed to detect the roughly 50 fake companies used to open those accounts, an obvious red flag for illicit intent, so the criminals received normal customer access and no one noticed. That would have been the end of the story, except that a law enforcement agency investigating identity-theft crimes traced information used by the attackers back to ChoicePoint.

The story is similar at LexisNexis, which now reports that the personal information of over 300,000 U.S. citizens may have been stolen from its subsidiary, Seisint.

All told, LexisNexis says stolen passwords were used to access its databases 59 times, yet LexisNexis’s internal security controls didn’t spot the problem. “We first discovered these incidents at Seisint in February when a LexisNexis integration team became aware of some billing irregularities and unusual usage patterns with several customer accounts,” said Norman Wilcox, the chief officer for privacy, industry, and regulatory affairs for LexisNexis, in recent California State Senate testimony. “At that point we contacted the U.S. Secret Service.”

As Aberdeen's research suggests, with effective spending on appropriate security controls layered over well-thought-out business processes, it doesn’t have to come to that.

Related Articles:

From One Security Nightmare To Another
http://www.esj.com/security/article.aspx?EditorialsID=1339

Social Engineering Bypasses Information Security Controls
http://esj.com/enterprise/article.aspx?EditorialsID=1308

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a freelance security and technology writer.