CISOs Unable to Quantify Security Controls

Monday, July 12, 2010

Joe Morrissey


This spring Microsoft, RSA, and EMC commissioned Forrester Research to get a handle on the value of information portfolios, and the mix of those portfolios, i.e. custodial data (customer, medical, payment card, and identity indicators) and corporate secrets (product plans, earnings forecasts, know-how, intellectual property, and trade secrets).

Some very interesting reading emerges.

The study centered on 305 in-depth surveys with IT decision makers, and found that secrets form roughly 66% of the firms’ “information portfolio” – proprietary knowledge and secrets are usually considered twice the value of custodial data.

As a result these “secrets” are clearly identified as real money-making, lucrative targets for malicious theft. We’ve said it before and we’ll say it again – a $400 laptop is not worth $400.

Billy Hawkes – The Irish Data Protection Commissioner

To quote Billy Hawkes, the Irish Data Protection Commissioner (DPC): “the extent of the damage a laptop theft can create is limitless – no longer can the value of the laptop be based on hardware costs, the cost of a stolen laptop could be a whole lot more.”

Where’s the action?

Given that trading in corporate secrets was found to be bigger and more lucrative than ever, companies strive to maintain competitive advantage by increasing their IP and securing the IP already in their domain. This is broadly in line with what the Forrester research found, namely that 80% of security budgets are spent on two priorities.

Priority 1 – Compliance.

Priority 2 – Securing sensitive information.

A twist to the tale!

Here’s an interesting twist: whilst secrets comprise 62% of the overall information portfolio value, compliance comprises just 38% of the portfolio “value”. This suggests that compliance consumes the greater proportion of sanctioned budgets relative to its share of that value.

Isn’t it ironic – don’t ya think?

The irony is that whilst firms focus on preventing accidents and data “spills”, malicious theft is where the action and the money is. Data security incidents related to accidental losses and mistakes are unfortunately common, but compared with malicious theft they cause little quantifiable direct damage (until the DPC or ICO hears about it, after which fines are commonplace and sometimes huge). Even so, CIOs value know-how lost through malicious theft even higher.

Respective value

The study found that the more valuable a firm’s information is, the more incidents or malicious theft attempts it will have. The portfolio value of the information managed by the top quartile of enterprises was twenty (20) times higher than that of the bottom quartile.

These high-value enterprises had four times as many security incidents as low-value firms. High-value firms are not sufficiently protecting data from theft and abuse by third parties, having six times as many security incidents caused by outside parties as low-value firms: the firm is deliberately identified as a target, and the theft is deliberately carried out through laptop, PC or media theft.

Alarm Bells Please

The single most alarming fact that fell out of the Forrester study was that of the 305 CISOs (Chief Information Security Officers) surveyed, none could quantify, or say that they knew, how effective their security controls actually are. Regardless of information asset value, spending, or the number of incidents observed, nearly every company rated its controls as equally effective, despite the number and cost of incidents varying widely.

It was found that even enterprises with a high number of incidents are still likely to imagine their programs are “very effective”.

So – how much does this all boil down to in money terms?

This post tries to draw comparisons between two types of data: 1 – corporate secret data, and 2 – custodial data that a corporation holds separately to support its business processes.

For secret data, only the corporation itself can assign a euro or dollar value to it, and again this is unfortunately often done only after it has been lost; but it is clear that it is a growing, lucrative target for theft and trading.

Custodial data is also a growing, lucrative target, especially in respect of identity theft. It is policed on behalf of the data subject’s interests by the DPC in Eire, the ICO in the UK, and agencies up to and including the Supreme Court in the U.S. (a bit different on that side of the pond). To put a $ value on its potential impact: the most expensive data breach event in the study cost a company almost $31 million to resolve, and the least expensive breach was $750,000.


Forrester concludes that most enterprises do not actually know whether their data security programs work or not. A frightening proposition in today’s competitive and policed landscape.

Cross-posted from The Ventiblog

drew simonis

I'm not surprised by the single most alarming fact, though it is indeed alarming. Embarrassing may be a better term, really.

I say this because the fact that we as security leaders cannot even begin to understand the real impact our actions have is one of the most significant issues facing our profession, and one we must strive to solve.

Is the article writer or anyone else aware of any lines of work in this space that are yielding positive results? Is anyone interested in trying to solve the problem? I know for sure that I am.
Joe Morrissey

Drew, I agree - embarrassing is indeed a better term.

Part of the problem, I believe, is that we are swamped with feature-rich tools that make perfect sense to the technically adept, and are sold and bought based on feature set as opposed to benefit set to end users. This can bring the consequence that end users seek to find ways to bypass or circumvent them in order to remain productive, as required in today's pressurised workplace.

A lot of people obviously think they are doing a fantastic job - almost a head-in-the-sand approach - even the Forrester figure points it out - spend is over-biased towards being "compliant" - "we are compliant" - so what - hackers don't give a damn if you are compliant or not - only how long it will take them to find the vulnerabilities, whether they manifest internally or externally.

Drew asked if anyone was aware of work in this space yielding good results. It's hard to find, Drew, but it's a space we are active in and interested in also.

Apologies that it took me 4 days to respond to your comment.