During the last months my main interest is enterprise security planning. How should an organization define how to spend its security resources, what should be done and in what order? Risk Management is usually the answer for that (please DON’T SAY COMPLIANCE!), but IMHO the risk assessment methodologies out there just don’t scale to a point where they can be used to drive security decisions in an enterprise level. You start using so many “educated guesses” that the end result is just not intellectually honest, everything is extremely biased to what people believe that are their major risks that just a simple brainstorm would probably generate the same results. Have you ever seen the results of an enterprise level RA being a surprise to anyone (except for dumb as hell CISOs!)? I haven’t.

I don’t think that Sensepost approach escalates well too, but it seems better than regular RA for me. I believe we can come tom something that is “threat oriented” than can generate a better understanding of an organization security requirements and help the development of a security strategy. After that we will finally be able to bury ROI/ROSI stuff and stop pretending that those beautiful tables with numbers, “high/medium/low”s  or “green/yellow/red”s are something more our minds tricking us into believing that there is a mathematical explanation behind our intuitive perception.

Until there, you can read “Blink”, from Malcolm Gladwell (yes, the guy from the current best seller, “Outliers”), to see that simply trusting our intuitive side is not that bad, although I just can’t see a CISO telling an auditor that his security strategy is “intuition based”

As he said, security can be an enabler. I understand this statement as saying that it allows us to do something under an acceptable risk level. We could still do the same things without security and get the same savings (like using Internet connections instead of dedicated circuits). The difference is that most people won’t do that without mitigating the risks. However, in order to do that, there is a cost. That’s security. You can keep a single person submitting a transaction, that will certainly be the lowest possible cost. But, in order to reduce the risk from that person abusing the system, you add an approver. That’s a cost. The action is still the same (the transaction), but now it happens under a reduced risk and with a higher cost.

That being said, it doesn’t mean that’s something bad! There are lots of things that are costs, like insurance, fire extinguishers or employee health insurance. It’s not bad to expend that money, but you always try to find how to get the better results expending less money. If you go this way on the budget discussions, you will be following the safe way.

What impressed me most on McAfee’s post was this particular point:

“Security streamlines and clearly defines roles and responsibilities making information flow more quickly through an organization”

Wow, that was brutal! Security directly and negatively impacts productivity, that’s a fact that we can’t run away from. That’s what makes this job so interesting, trying to make that impact as small as possible. We can’t, however, deny that it is there. As Mike cleverly said, wrong way. That’s that famous ROSI (ugh!) discussion.

However, it’s important to mention that some network solutions can solve problems that have their root cause in other layers. It’s also important to perform the comparison in a time line perspective, as you may need to invest more in a specific layer now to address a gap created by past IT investments in that layer without the related security budget.