
Security ROI, Shakespeare, and a lot of noise.

Absent Member.
Mike Fratto takes an interesting position in his blog on InformationWeek in which he argues that efficiency as a way of driving security ROI is really something of a distraction at best. His point, and I don't disagree with it as far as it goes, is that ultimately security purchases should be driven based on the security gains they provide. Dressing them up as efficiency gains isn't going to get the job done when it comes to justification.

"I am not saying that you should continue inefficient operations if you have an opportunity to become more efficient. I am saying that ROI isn't the best way to sell security purchases. You have to address threats and risk reductions."

Part of Mike's argument is that simply repurposing members of staff from one task to another doesn't really work.  However, I think what's missing from this argument is an assessment of the amount of time that highly trained (and therefore often expensive) security team members spend performing routine, mundane tasks.  The quantity of event noise that must be dealt with, the volume of distraction that ultimately gains little, or could be done more cheaply, is a factor that should not be overlooked.

Let me give you an example. It's 3am, someone resets the password on an account that has access to a sensitive file server, using a service account that rarely ever gets used, without there being a request in your corporate ticketing system. Could this be a problem? Well, yes. Unless you're feeling particularly trusting, it might be a good idea to do a little digging on this one. By the same token, it's 9am, someone resets the password on an account with access to the same system, from an authorized admin account, and after a business owner had requested the change by raising a ticket. Still need to hit the alarm button? Of course the answer is that you may need to check what's going on, but I'm guessing the priority on the first event is going to be a tad higher than the second. The point, however, is that almost certainly the same team of people are going to have to evaluate each event. In the first case, it's all hands on deck, in the second, it's probably nothing to worry about.

What if, as part of the way the security technology was implemented, the capacity to make determinations like that is fully automated and happens before your security team needs to become involved? The reality of many security operations teams is that they spend a lot of time filtering through information that, to quote Shakespeare, "...is a tale told by an idiot, full of sound and fury, signifying nothing."
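The two password-reset scenarios above, run through an automated triage rule, as an added example (not code from the original post or from any product). The account names, ticket IDs, thresholds and the three priority labels are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample context; a real deployment would pull these from the
# directory, the ticketing system and account-usage history (assumed sources).
AUTHORIZED_ADMINS = {"admin.jlee"}
LAST_USED = {"svc-backup": datetime(2023, 1, 4, 2, 0),
             "admin.jlee": datetime(2023, 6, 13, 17, 30)}
TICKETS = [  # change requests: target account and time raised
    {"id": "CHG-1001", "target": "fs-owner2", "raised": datetime(2023, 6, 14, 8, 15)},
]
BUSINESS_HOURS = range(8, 18)        # 08:00-17:59 local time (assumed)
RARE_AFTER = timedelta(days=30)      # actor idle this long counts as rarely used
TICKET_WINDOW = timedelta(hours=24)  # ticket must precede the reset by at most this

def triage(event):
    """Return (priority, reasons) for one password-reset event."""
    reasons = []
    ts, actor, target = event["time"], event["actor"], event["target"]
    if ts.hour not in BUSINESS_HOURS:
        reasons.append("outside business hours")
    if actor not in AUTHORIZED_ADMINS:
        reasons.append("actor is not an authorized admin account")
    last = LAST_USED.get(actor)
    if last is None or ts - last > RARE_AFTER:
        reasons.append("actor account rarely used")
    has_ticket = any(t["target"] == target and
                     timedelta(0) <= ts - t["raised"] <= TICKET_WINDOW
                     for t in TICKETS)
    if not has_ticket:
        reasons.append("no matching ticket")
    # An unrequested change plus any other anomaly goes straight to an analyst.
    if not has_ticket and len(reasons) >= 2:
        return "escalate", reasons
    if reasons:
        return "review", reasons
    return "log-only", reasons

EVENTS = [  # constructed events mirroring the 3am and 9am cases
    {"time": datetime(2023, 6, 14, 3, 0), "actor": "svc-backup", "target": "fs-owner1"},
    {"time": datetime(2023, 6, 14, 9, 0), "actor": "admin.jlee", "target": "fs-owner2"},
]

if __name__ == "__main__":
    for e in EVENTS:
        print(e["time"], e["actor"], *triage(e))
```

Returning the reasons alongside the priority lets an analyst see why an event was escalated or suppressed, which also makes the suppression rules auditable.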

Operational efficiency in security processes, especially when delivered through automated workflows, can genuinely provide efficiencies that you can take to your CFO and stand behind. Yes, the gains must be security gains, but reducing the distraction of the non-event management and allowing the same teams to drive real security gains 'without having to hire more people just to keep the wheels on' is the best security ROI news you're likely to see for a long time.
1 Comment
Absent Member.
Well, since apparently I'm on a Shakespearian kick it seems like a good idea to discuss foul infamy
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.