New study models security costs to show how variables can affect the risk to ROI equation over time.
Security teams could get a whole lot more bang for their buck if CISOs spent their budgets more strategically. A recent study by RAND Corporation pinpointed a number of areas that IT security can adjust to reduce the overall cost of managing risk in the enterprise.
Based on months of research and interviews of CISOs at over 1,000 organizations by RAND experts, the report lays out a framework that it claims is the first of its kind to chart the holistic costs of managing risk, factoring in not just the cost and probability of potential breaches and incidents, but also costs of defense.
The framework is based on 27 variables that RAND researchers could quantitatively prove influence the cost to an organization across a 10-year period. These include things like organizational characteristics, security program decisions and investments, as well as changes in the technology ecosystem.
According to RAND researchers, costs across the next decade are on track to rise 38 percent over the next decade for most organizations. If organizations can tweak their spending in critical areas, they may well be able to reduce that rate considerably.
“The security industry has struggled to understand the dynamics that influence the true cost of security risks to business,” says Sherry Ryan, chief information security officer for Juniper. “What’s clear is that in order for organizations to turn the table on attackers, they need to orient their thinking and investments toward managing risks in addition to threats.”
One consideration that organizations particularly need to be mindful of is one-to-one cost transference from risk to cost of defense. At the moment, one-third of reduced losses from mitigated risks is offset by increased costs of tools used to carry this out, both in acquisition of the tool, as well as an “Implicit reduction in the value of networking,” according to the report.
Clearly, some variables can produce better cost avoidance results than others. Within the study, some key highlights bubbled to the surface. The following are three of the top findings that should impact the way organizations decide to allocate their security spend.
Software Vulnerabilities are Expensive
Make no bones about it, software flaws are expensive. When they developed the heuristic model of cyber security, RAND researchers found that when organizations are able to reduce the frequency of software vulnerabilities in half, they can cut the overall cost of cybersecurity by a whopping 25 percent.
“There need to be better mechanisms to convey the interests that organizations have in the quality of code to those responsible for getting the code into products,” RAND’s researchers wrote.
Beware the Half Life
According to RAND researchers, the cat-and-mouse game between security researchers and advanced attackers yields a sort of half-life of effectiveness for many types of detection-based security technology. Research showed that technologies that depended on things like anomaly detection, signature detection, and sandboxing tend to show effectiveness decreases of 65 percent over the course of a decade due to attacker countermeasures designed to circumvent them.
This reduction in effectiveness increases cost by 16.2 percent over the course of a decade.
Researchers explained that technologies focused on improving overall security hygiene and reduced risk exposure tend to be less prone to this half-life phenomenon. This includes things like network access control, firewall policy enforcement, network segregation, and patch management.
“As defenses are installed, organizations must realize they are dealing with a thinking adversary and that measures installed to thwart hackers tend to induce countermeasures as hackers probe for ways around or through new defenses,” the report said. “This tit-for-tat exchange will eventually drive measures toward increasing expense, additional complexity, and, arguably, less reliability. Corporations should think about installing measures of the sort that are less likely to attract countermeasures.”
Invest in Workforce
Meanwhile, the research done in conjunction with the report proves out something security experts have been saying for years—people are a key component in the recipe for security success, right alongside processes and technology. RAND reports that companies with the most effective security staff can cut the cost of cybersecurity by 19 percent in the first year and 28 percent by the 10th year that the model runs.
This shows an interesting dichotomy with the previous point about technological half-life, as RAND shows that even as hardware value decreases, good security analysts get better over time.
“With more cybersecurity employees, organizations can be more proactive in identifying potential incidents by putting people to work on log and event tracking, as well as on developing strategy and architecture for future systems,” RAND’s researchers said.