What's a reasonable approach for a security leader to demonstrate need?
Instead of a hard calculation of ROI, I would recommend a "Risk-Based" approach that compares known risks and impacts. This approach requires a CISO to rank risks in partnership with the business line leaders who own the risks. At the end of the process, both the CISO and the business divisions decide what solutions are funded. Of course, this approach and the ROI approach both require subjective assessments. The benefit of the Risk-Based qualitative ranking is that it requires a lot less work than a fictional quantitative approach. The resources devoted to crunching subjective numbers for an ROI calculation can be better spent elsewhere.
A lot of companies continue to pour cash into prevention. Based on your experience, are we focusing too much on prevention?
A CISO's fundamental value to an enterprise is his or her ability to get the best return on the security expenditures an enterprise makes. A security budget, at the end of the day, is a series of well-informed bets on what threats the enterprise faces and what solutions will help mitigate them. In my view, most CISOs are betting, even doubling down, on technologies and strategies that have proven time and time again to be ineffective. In particular, and I am not alone in thinking this, signature-based approaches and perimeter defenses are losing bets today and will only prove less effective in the future.
When I served as the head of the Cyber and Special Operations Division of the FBI's New York Office I had a chance to review and supervise a number of high-level network intrusion cases. In each case, one of the most important questions was how did the adversary get in? In almost all cases, the answer was "we don't know." The adversary just showed up with valid credentials. Time after time, victims were left with little information on where to shore up their defenses. The only thing they knew for sure was that expensive AV, IDP/IDS, and all their perimeter defenses had not been enough.
As an FBI cyber executive, I also had a view of the "offense" side of cyber security. It's no secret that the US has some very capable cyber warriors. In my dealings with these awesome young men and women, the most troubling take away was the realization that perimeter defenses are not much of an obstacle. You don't need an expensive zero day to get inside a target's perimeter and move laterally. Most signature-based defenses can be defeated with slight modifications to the malware's code. This leads us to question the value of investing in perimeter-based defenses. Even behavior-based defenses, which can be very effective, require a great deal of time and human resources to fully implement.
Sign up for CIO Asia eNewsletters.