Global Security Forum


How much security is sufficient ?

  • 1.  How much security is sufficient ?

    Posted Tue April 16, 2019 10:22 AM
    "Security is a feature and not functionality."

    Security is only as good as your weakest component.

    A system's strength is measured by its weakest link.

    What is your opinion on "How much security is sufficient?"

    My opinion: it depends upon the data/asset that you want to protect.
    The goal of security is to protect, whereas the goal of the attacker is to defeat your security.
    Based on the security characteristics (Availability, Integrity, Confidentiality, etc.) we can choose the security solution to protect our asset/data.

    In short, security is a process and not a product. So if you can measure and control your security, you should be able to optimize the security to make it enough for your use case.

    ------------------------------
    Karanbir Sekhri
    ------------------------------


  • 2.  RE: How much security is sufficient ?

    Posted Wed April 17, 2019 05:31 AM
    Hi Karanbir,

    I'd look at it slightly differently: it depends on the value that the business places on the data/asset it wants you to protect.

    That extra layer makes a lot of difference. If a company really doesn't care about whether access to its crown jewels is properly protected, there's no point in trying to put in proper controls (people will circumvent them, and the business will let it go). In those circumstances I'd suggest finding another company.

    But if a company cares enough to understand what it must protect and what it could let go; listens to good advice on what appropriate controls are available; and implements those controls - well, you're a very fortunate person.

    ------------------------------
    James McLaren
    ------------------------------



  • 3.  RE: How much security is sufficient ?

    Posted Wed April 17, 2019 11:28 AM
    The level of security must be determined by evaluating the level of risk the organization is willing to accept in a particular area. Risk is the valuation of an area that is vulnerable, the likelihood of attack, and the business impact if security fails to stop a breach or attack.

    The organization may decide that a sufficient level of security is only to have awareness that the threat exists, or that detection of a breach is sufficient, or that only their endpoint security is sufficient... or a combination of all, including many more security considerations not mentioned.

    The answer is going to be different for each organization that ponders the question.

    ------------------------------
    Scott Johnston
    JohnsTek, Inc
    Miramar FL
    7863759020
    ------------------------------



  • 4.  RE: How much security is sufficient ?

    Posted Wed April 17, 2019 09:10 PM
    Great question!  I think Scott stated it pretty well.  To add to that...

    If you are a business that cares about the bottom line, you will not implement a security control if you don't see ROI for it.

    Remember though that there are easy-to-identify costs for a breach (as an example), such as fines and penalties, but then there are the much harder ones to ascertain as well, like loss of business due to public perception.  In the end, if you add up all of the costs together and it's less than what you are paying for the security control, it just makes good business sense to not implement the control. (Unless you have a moral desire to implement it anyway, and that could be the case.)

    The problem is, how do we put an exact price on the loss of business due to public perception?  You can guesstimate or look at statistical information based on history, but it's not an exact science.  Sometimes it's better to err on the side of caution and just implement the security control in question.

    Just my two cents!

    ------------------------------
    Eric Newman
    ------------------------------



  • 5.  RE: How much security is sufficient ?

    Posted Thu April 18, 2019 05:10 AM
    Eric,
    I think that you are correct, Scott nailed it. Regarding your comment I would generally agree. I was even researching data to create a nice story about this topic (public perception and company valuation, since it is the only way to assess the cost of public perception) and found compelling information showing that there is a direct correlation between company valuation and breach disclosure. But as I learned that we are biased, I decided to research more and more and more until I found an article on Schneier's blog called "Security Breaches Don't Affect Stock Price". He links to a PhD dissertation that evaluated 60/90/180-day stock prices from breached companies and their peers (companies in the same industry that were not breached), and they found less than 0.5% difference in their stock valuation. Just showing another of our biases. We tend to forget very fast...

    I read the document and they have a very good case on their side. Since then I'm rethinking my presentation strategy ;-)

    ------------------------------
    Sebastian Guerrero
    ------------------------------



  • 6.  RE: How much security is sufficient ?

    Posted Thu April 18, 2019 07:44 AM
    Perhaps I have become numb to the constant stream of breaches, but it seems in the end nobody really cares. There is a kerfuffle for a while, then everyone goes back to their routine. I doubt that Target lost any customers in the long run, and Equifax is essentially unharmed. "So our customer data got breached, buy them some credit monitoring for a year and let's get back to business... how can we rake in more money?"

    ------------------------------
    Neal Fildes
    ------------------------------



  • 7.  RE: How much security is sufficient ?

    Posted Thu April 18, 2019 07:56 AM
    Thank you Eric and Sebastian... very interesting expansion of the discussion. In fact, over the past 5 years I had 3 CEOs in the Medical Services community respond to my MSSP pitch with statements very similar to the point Sebastian raised.

    The tide is changing in the US courts in that corporate executives have been found negligent for not properly addressing security concerns in their own enterprise when personally identifiable information was lost. This trend should be cited to potential clients as an additional factor to weigh in their own risk tolerance assessment.

    The burden is on us, as security professionals, to quantify business impact (in this case profit loss) due to lost confidence of customers, fines from authorities, and the additional cost of response and recovery during an urgent circumstance rather than implementation of a planned response.


    ------------------------------
    Scott A. Johnston
    JohnsTek Inc.
    ------------------------------



  • 8.  RE: How much security is sufficient ?

    Posted Thu April 18, 2019 10:05 AM
    Excellent point.  I guess if I were a C-level exec, regardless of how small the cost to the company is for a breach or loss of PII, I might shell out a few bucks for security if it keeps me out of jail. ;-)

    Also, depending on what organization you work for, such as a police department, the CIA, or an aircraft manufacturer, as a few examples, there may be lives at stake too.  That adds a whole new perspective.  While in our legal system in the US, lives unfortunately do sometimes equate to money, there's always your conscience and what you're willing to live with to consider as well.  Complicated topic, I guess.

    ------------------------------
    Eric Newman
    ------------------------------



  • 9.  RE: How much security is sufficient ?

    Posted Fri April 19, 2019 04:56 AM
    Hi all,
    This is a great conversation and very interesting. I am very interested to read the study about the impact on stock price following a data breach. Maybe my concern here, more than stock price, is the goodwill that a company holds; goodwill may not be an accounting concept in all jurisdictions, but I think it is of value in itself. My theory here is this, and I am open to correction: if data is lost or stolen, the percent value of the company to be effectively lost is up to and beyond 100% of the value of the company. I know some of you will disagree based on the study mentioned, and I'm theorising here. However, if you think about it this way: if you lose your IP, including patents, secret formulas or product strategies, key financial or legal information, or anything else that should remain confidential, then in the hands of your competitor this can be gold for them and a big-time loss for you. Can I back this up? I've found anecdotal information about Oracle vs Microsoft and Unilever vs Procter & Gamble (see CBS references below). But more than this, there seems to be a serious study in terms of mathematical calculation of impact on baseline company value based on competitive data theft. So just saying that 1% on stock value over a period may not be enough... Thoughts?

    https://www.cbsnews.com/news/thou-shalt-not-steal-thy-competitors-secrets/

    https://www.brookings.edu/wp-content/uploads/2016/07/Cyberenabled-Theft-of-Competitive-Data.pdf

    ------------------------------
    Eamonn O'Mahony
    Technical Account Manager
    IBM Ireland
    Mulhuddart
    ------------------------------



  • 10.  RE: How much security is sufficient ?

    Posted Fri April 19, 2019 12:59 PM
    Eamonn, I believe that it is based on the circumstances surrounding the breach, the data loss, and the perception of the company before and after the breach.  Consumer confidence plays a large role in the stock valuation. However, history has shown that some companies are able to overcome and bounce back from public humiliation (Target, Verizon), while others never do (Arthur Andersen).  Was it due to the sensitivity of the product? Arthur Andersen betrayed consumer confidence while managing their personal wealth, whereas Target and Verizon offer consumables where the customer is looking for the best deal regardless of the corporate perception.

    To circle back to the role of Information Security, the "more than 100%" potential loss must also include fines levied by court rulings. Many commercial organizations must be compelled to provide adequate safeguarding of consumer information, and therefore they are looking to do it using the most economical means necessary while providing reasonable protection that would prevent them from being accused of negligence.

    ------------------------------
    Scott Johnston
    JohnsTek, Inc
    Miramar FL
    7863759020
    ------------------------------



  • 11.  RE: How much security is sufficient ?

    Posted Tue April 23, 2019 04:48 AM
    Hi Scott,
    You make some very interesting points. As you say, the ultimate cost to an organisation may be tied as much to the perception of the intrinsic value of the data lost as to the market sector / tier in which the organisation operates.
    From a consumer perspective, I know that GDPR has made handling data security more complex for organisations, but as an EU consumer and citizen I think I benefit greatly from such protections. At the same time, government and government-sponsored organisations intervening in data regulation may spark a political conversation, and I don't intend to do that here!
    As you say, there is a balance to be achieved between the cost of data protection measures and the necessary measures being put in place to ensure data is not lost.
    Best

    ------------------------------
    Eamonn O'Mahony
    Technical Account Manager
    IBM Ireland
    Mulhuddart
    ------------------------------



  • 12.  RE: How much security is sufficient ?

    Posted Thu April 25, 2019 04:41 AM
    Hi Eamonn,

    GDPR dictates risk-based security, meaning that you have to analyze what risks you are facing (to personal data, in GDPR's case) and how your protection is designed for them. In general this is exactly what you need to do when you want to find out how much money you need to spend on security. And as James already stated, it depends on the value of the asset. In there you need to find a balance.

    One thing in your question I would like to point out is about the attacker. This sounds like a deliberate action of an outsider. The threat landscape is much broader than that: you also need to think of insiders, errors and mistakes. Insiders can do you harm much more easily. Errors in the systems you use can cause incidents as well. Lastly, the human factor causing mistakes is also something to consider. And then never forget other external factors, like fire, weather, rivers overflowing, etc.

    For all these threats you assign a percentage chance that they actually happen. Given the value of the damage (impact) of these incidents, you know how much to spend on security.

    Then the next question comes up: will the security you have implemented really protect you to the level expected? You need to regularly test that, and keep on testing. The threats and also your systems change over time, so that is why it is a process.

    All in all, a very good question, and I do not believe there is one global answer to it. You build your security to fit your situation, to a level you feel comfortable with (the comfort level is also called your organization's vision and policies).

    Best regards,

    Bart van Moorsel
    Solutions Design Specialist, CISSP
    Tech Data

    ------------------------------
    Bart van Moorsel
    ------------------------------



  • 13.  RE: How much security is sufficient ?

    Posted Tue May 07, 2019 09:23 AM
    Can you really put a price on security? I guess everything has a budget at the end of the day, but you always need to think of the sort of situations you may be avoiding by spending a little more $$ upfront.

    ------------------------------
    Zeb Wales
    ------------------------------



  • 14.  RE: How much security is sufficient ?

    Posted Tue May 07, 2019 09:42 AM

    The trouble is that if you can't put some sort of figure on it, the business will refuse to pay anything for it...

    James


  • 15.  RE: How much security is sufficient ?

    Posted Wed May 08, 2019 09:36 AM
    Hi Zeb,

    For calculating Return on Security Investment (ROSI), you need to calculate the probable loss that would have occurred but has been avoided by putting a security solution/service in place. This probable loss can be used as ROSI.

    ------------------------------
    Prakash Kumar Ranjan
    ------------------------------
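Bart's method (post 12: a percentage chance per threat times the damage) and Prakash's ROSI (post 15) carried through in code, as an added example that is not from any poster in this thread. The threat register, occurrence rates, loss figures, control costs and mitigation fractions are all constructed for illustration; the example goes slightly beyond the posts by ranking several candidate controls so a negative-ROSI control (one that costs more than the loss it prevents) is visible.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Threat:
    name: str
    aro: float  # annualised rate of occurrence (0.2 = expected once in 5 years)
    sle: float  # single loss expectancy: damage of one incident, in currency units

@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    mitigation: dict  # threat name -> fraction of that threat's expected loss removed

def ale(t: Threat) -> float:
    """Annualised loss expectancy: Bart's 'chance x damage' for one threat."""
    return t.aro * t.sle

def total_ale(register, control=None) -> float:
    """Expected yearly loss over the whole register, optionally with a control applied."""
    total = 0.0
    for t in register:
        reduction = control.mitigation.get(t.name, 0.0) if control else 0.0
        total += ale(t) * (1.0 - reduction)
    return total

def rosi(register, control) -> float:
    """Prakash's ROSI: loss avoided by the control, net of its cost, per unit of cost."""
    avoided = total_ale(register) - total_ale(register, control)
    return (avoided - control.annual_cost) / control.annual_cost

def rank_controls(register, controls):
    """Controls ordered by ROSI; a negative ROSI costs more than the loss it prevents."""
    return sorted(((c.name, rosi(register, c)) for c in controls), key=lambda r: -r[1])

# Constructed threat register; deliberately not only outside attackers (Bart's point).
REGISTER = [
    Threat("external breach", 0.10, 2_000_000),
    Threat("malicious insider", 0.25, 400_000),
    Threat("operator error", 2.00, 25_000),
    Threat("fire or flood", 0.02, 1_500_000),
]
# Constructed candidate controls with assumed annual cost and per-threat mitigation.
CONTROLS = [
    Control("DLP + least privilege", 60_000, {"external breach": 0.3, "malicious insider": 0.6, "operator error": 0.2}),
    Control("offsite backup + DR site", 40_000, {"fire or flood": 0.8, "operator error": 0.5}),
    Control("premium threat-intel feed", 90_000, {"external breach": 0.2}),
]

if __name__ == "__main__":
    print(f"expected yearly loss with no new controls: {total_ale(REGISTER):,.0f}")
    for name, r in rank_controls(REGISTER, CONTROLS):
        print(f"{name:28s} ROSI = {r:+.2f}")
```

The register's total expected loss is the figure Bart says tells you how much to spend; the ranking shows which spend actually buys it down.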