Thursday, November 12, 2009

2009 Conferences, Structured Threats and Asymmetric Conflict

(Posted to the NAISG list in August 2009)

Today I find myself thinking about the Mandiant talk at SANS Boston last night.

In summary, many retail and financial firms' security teams are losing the fight against structured threats that outgun them by orders of magnitude. The financial penalties incurred by breach victims are, collectively, in the scores of millions, and it is questionable whether these penalties are producing anything of value apart from legal caseload. Does it make sense to penalize the victims of data breaches when they were overwhelmed by structured threats? Are these fines and lawsuits an efficient method for driving positive change? (Scores of millions spent on security programs, rather than on lawsuits, might have made a difference.)

During the course of my career I've learned how important metrics and measurable performance indicators are when trying to illustrate risk and develop a business case for funding security programs. This morning I found myself thinking along these lines: should we scrap the existing breach reporting system for merchant organizations? We could replace it with a simple metric that continuously measures the effectiveness of security programs and is not based solely on whether or not a firm has avoided a messy breach spectacle (which is a rather simplistic and inefficient motivational tool after all; it only drives budget dollars to security programs after a catastrophic loss).

We don't evaluate most products and services based on their ability to avoid disaster; we evaluate them continuously on quality and performance. For example, we could require publication of fraud rates: either fraudulent transactions per 1,000, or fraud as a percentage of total transactions or business volume. This is a simple, continuous and unbiased measurement of how successful (or not) security programs are. We could reward high performers for low fraud numbers (though the marketplace would likely take care of this).

Of course, the consumer may need to be educated that fraud rates are generally non-zero; in the financial world, the cost of zero fraud (in the form of increased security, risk avoidance and lost business) is sometimes greater than the cost of low amounts of fraud. It would take a paradigm shift, but if it could provide a simple, clear-cut metric, it might be a more effective motivational tool to build (and fund) security programs, and actually prevent or reduce breaches as a consequence of containing and reducing fraud numbers. Fraud reduction is a perfectly reasonable goal; one could argue that driving toward the goal of "either one is impenetrable, or else a failure" is a false (and possibly irrational) goal.

