What would you spend to lower the TCO of a breach?

Mon, 04 Nov 2013 – Chris Gardner, Vice President North America Sales

“The best ROI is to buy nothing and then never use it.”  Anonymous Financial Consultant
Ever since network security became important to the Enterprise, Requests for Proposals (RFPs) have always asked the same questions: “What is the expected Total Cost of Ownership (TCO)?” Or worse, “What is the Return on Investment (ROI) of your solution?”
While these are excellent questions for business applications and network infrastructure, they are precarious questions to answer if the RFP is for security solutions. Here’s why: any answer that tries to tease out a lower cost of “ownership” or derives a financial return from a security solution is unsupportable, regardless of how rosy the glasses or how deep in the hypothetical weeds we go. The absolute best result one can have from a security initiative is to buy nothing and get lucky. If no breach occurs, then you’re in the clear. If there is a breach, but it doesn’t result in financial losses or damaged reputation, or doesn’t impact resources (other than sunk costs), then all is well.
Do you feel lucky, well do you?
Based on recent history, it’s not too hard to dismiss the notion that you are immune and therefore require no protection.  No one is and no one does. In fact, 58 percent of organizations have more than 25 malware incidents a month, while another 20 percent have no idea how many incidents they are dealing with. And according to the 2012 Norton Cybercrime Report, there are nearly 18 cybercrime victims every second.
The Ponemon Institute released its 2013 Cost of Breach Study, finding that the average cost of a data breach is $136 per record.[i] A report by Experian and Ponemon Institute, “Measuring Cyber Security as a Business Risk: Cyber Insurance in the Digital Age,” reported that “Of the 56 percent that had breaches, they reported an average cost of these incidents as $9.4 million in the last 24 months. However, these costs are only a fraction of the average maximum financial exposure of $163 million that the companies surveyed (breached or not) believe they could suffer due to cyber incidents.”[ii]
How much and what kind of protection is right for your business to protect against these threats is a legitimate debate that requires significant consideration.  
From a network security perspective, these questions are best answered from a risk assessment angle. A common enough framework has been in place for years, yet quantifying an Enterprise’s “risk profile” or “risk appetite” still remains elusive. It is also a moving target. Fifteen years ago, IT departments treated the idea of securing the desktop with disdain. Isolate and reimage was the de facto modus operandi (unless it was an executive’s desktop). The advent of denial of service (DoS) and distributed DoS (DDoS) attacks changed this attitude for desktops inside the network. A few years later, the arrival of botnets changed things for all desktops.
Still, a granular measure to assess the impact of breaches that might occur based on acceptable risk levels is not often calculated. Instead, potential attacks are given a binary measure. “DDoS attacks are catastrophically bad. Great cost is warranted to protect against DDoS.” Therefore, as much as possible, eliminate DDoS attacks and hope that lesser, yet still impactful, security issues will be eliminated as a byproduct.
This takes me back to my original conundrum: how to define the TCO of a security product. Or, if this is unrealistic, what should be measured? What I’ve learned from experts I’ve talked to about this issue is that risk assessment provides an important benchmark. Determining the costs associated with breaches, not just the likelihood of breaches, however, is key. This in turn begs the question, “What’s the TCO of a breach?”
While this may seem like a semantic argument (cost of a breach vs. TCO of a breach), there are big implications. Cost of a breach assumes that if the costs are too high you may do what’s needed to avoid it. This includes not implementing business improvements if the risks associated with the improvement are too high.
TCO looks at it the other way. You own the breach. It’s bought and paid for. Now consider how to lower the costs associated with that breach. Let’s return to my DDoS example and accept the idea that there will be attacks from devices outside the most secure areas of your network. Then, considering how to lower the impact of attacks from those devices without impacting productivity, or while only minimally impacting it, can turn the tables on traditional risk management.
This is more important today than in the past because more than ever business processes are occurring from devices outside the secured network. Inevitably, these devices, which provide a gateway to network breaches, are less and less under your control.  Yet, to allow these devices access to data on your network provides a material business advantage.
Therefore, I suggest that considering how to lower the TCO of a breach is a valuable exercise. I also believe it is a good exercise to get management comfortable with the idea of living with exploited devices and still making them useful business tools. At the least, it is an interesting and, dare I say, fun team-building exercise.