I recently saw a tweet from Gene Kim that included “Grt infosec leads to grt #compliancecost!” With much anticipation I read the report. It’s worth your time and could be a valuable resource.
The gist of the report is that increasing information security effectiveness reduces losses from incidents and fines. That sounds great when I phrase it that way. In my opinion, Tripwire’s approach to communicating this message reduces the value of information security and pulls us back toward the SOx monkey age. The report defines everything involved in information security (IT, legal, HR, etc.) as “compliance costs.” Losses resulting from incidents or failed audits are labeled “non-compliance costs.”
So, security isn’t here to enable the business to manage risk to an acceptable level; it’s here to comply with PCI, HIPAA, SOx, GLBA, etc. And if you spend more to comply, you’ll experience fewer losses. So much for compliance being a feature of effective security practices.
Next, the report shows that the effectiveness of your security program isn’t related to the amount of money spent on security-related activities, aka “compliance.” The report uses a Ponemon Security Effectiveness Score (SES) to measure participants. (I’m not familiar with SES but it sounds very interesting.) The report does a great job showing that increases in security program effectiveness reduce losses. In my opinion, this should be the title of the paper.
The next point confuses me a little: losses from incidents and fines, aka “non-compliance costs,” are related to security spending as a percentage of IT spending. Thus, the more you spend on security, the fewer losses you incur. Didn’t I just read that effectiveness isn’t related to spend?
Here are some excerpts, taken out of context, so be sure to read the report:
- suggesting no apparent relationship between compliance cost and security effectiveness
- organizations with a strong security posture enjoy a lower non-compliance cost
- spending on core compliance activities reduces the cost of non-compliance
How about this interpretation: Improve your effectiveness to reduce loss. If you need to increase spending to get there, here’s evidence showing losses are 3x the cost of running a resilient IT service.
So Gene’s tweet was right: great information security leads to lower losses. I wish Tripwire could say it that way.
Am I off the mark here?