Stop wasting money on security

Organizations can prevent costly attacks on their infrastructure when they stop following security dogma and chasing vulnerabilities and fancy new security devices.

COMMENTARY--Our network and Internet security programs are generally failing.

While viruses, worms and hacking attacks continue to evolve, the costs of security failure have about doubled in each of the last five years. It has been standard practice for too long for companies to counter this trend by investing in additional security technology. In the end, however, they still lag behind the hackers and the authors of malicious code.

All that's left is a rapidly growing budget with no end in sight to a growing security headache for IT departments.

IT security is all about mitigating organizational risk. No organization, whether it's a private firm or government agency, has unlimited resources to apply to security--especially in the current economic climate.

But too many organizations are obsessed with testing and fixing vulnerabilities when there is no associated threat. Or they turn their attention to computer-centric vulnerabilities when the organization is already reasonably protected, without first establishing whether a real risk actually exists.

Organizations need to step back and make a closer assessment of the three components of risk: threat, vulnerability and cost.

Threat is the frequency of potentially adverse events. For example, the threat rate of an insider using somebody else's logged-in PC to inappropriately access restricted information is approximately four per 1,000 users per day. The threat rate of virus encounters by an organization with 1,000 PCs is 136 per day, while the threat rate of "attack-related scans" is about 17 per IP address per day. A local organization's geography, political stance or some other factor may expose it to more or fewer threats. But instead of focusing on becoming risk experts, most companies need only to deal with potential threat rates. Those threats that never materialize are not worth the extra worry.

I define vulnerability as the likelihood of success of a particular threat against a specific organization. A computer is either vulnerable to a particular threat or it is not. Companies almost always have some way to limit their vulnerability. Even if the controls are individually less than ideal--perhaps just 80 percent effective--in combination they still can provide an extremely strong organizational barrier to any threat. What's more, these layered controls are often significantly less expensive, easier to maintain and less intrusive than individual, supposedly "strong" controls.

The hard-dollar costs associated with risk are measured in terms of the damage to sales, cash equivalents and the amount of IT-staff time and resources devoted to repairing a breach. Then there are "soft-dollar" costs that include meetings, lost user productivity, public relations damage control, as well as any decrease in public confidence or lost business opportunities.

When at least one of these three components is missing from the equation, there's no immediate risk to the organization. This approach eliminates unnecessary spending. It also provides equal or better protection through means that most companies either already have--or can put in place with existing people and technologies.
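To make the three-component model concrete, here is an added worked example (not code from the article or from TruSecure) that scores scenarios as threat rate x residual vulnerability x cost. The threat rates are the ones quoted above; the control effectiveness values, per-event costs and the 16-address count are constructed for the example. It assumes that layered controls fail independently, so the residual vulnerability behind n controls is the product of their individual miss rates, which is how three 80-percent controls combine into a 99.2-percent barrier, and it shows that a scenario with a zero threat rate or a fully effective control carries no expected loss.

```python
"""Risk = threat x vulnerability x cost, with layered controls.

Added illustration of the three-component risk model, not the author's
or TruSecure's code. Threat rates come from the article; cost figures,
control effectiveness values and the IP count are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Scenario:
    name: str
    threat_rate_per_day: float                    # expected adverse events per day
    controls: List[float] = field(default_factory=list)  # effectiveness of each control, 0..1
    cost_per_success: float = 0.0                 # constructed hard + soft dollar cost per event


def residual_vulnerability(controls: List[float]) -> float:
    """Probability that one event gets past every control.

    Assumes the controls fail independently (an assumption for this example):
    three 80%-effective layers leave 0.2 ** 3 = 0.008, i.e. a 99.2% barrier.
    """
    residual = 1.0
    for eff in controls:
        if not 0.0 <= eff <= 1.0:
            raise ValueError("control effectiveness must be between 0 and 1")
        residual *= 1.0 - eff
    return residual


def layers_needed(effectiveness: float, target_residual: float) -> int:
    """Smallest number of equally effective layers that drives the residual
    vulnerability at or below target_residual."""
    if not 0.0 < effectiveness <= 1.0:
        raise ValueError("effectiveness must be in (0, 1] or no number of layers suffices")
    layers = 0
    residual = 1.0
    while residual > target_residual:
        residual *= 1.0 - effectiveness
        layers += 1
    return layers


def expected_daily_loss(s: Scenario) -> float:
    """Threat x vulnerability x cost; zero whenever any component is zero."""
    return s.threat_rate_per_day * residual_vulnerability(s.controls) * s.cost_per_success


def rank_scenarios(scenarios: List[Scenario]) -> List[Tuple[float, str]]:
    """Scenarios worth spending on, highest expected daily loss first;
    anything with zero expected loss is dropped from the list."""
    scored = [(expected_daily_loss(s), s.name) for s in scenarios]
    return sorted([(loss, name) for loss, name in scored if loss > 0.0], reverse=True)


# Constructed portfolio for a 1,000-PC / 1,000-user organization.
SCENARIOS = [
    # 136 virus encounters per day (article); three 80% layers; $500 per infection (constructed)
    Scenario("virus encounter", 136.0, controls=[0.8, 0.8, 0.8], cost_per_success=500.0),
    # 4 insider misuses of a logged-in PC per day (article); one 80% control; $2,000 (constructed)
    Scenario("insider misuse of logged-in PC", 4.0, controls=[0.8], cost_per_success=2000.0),
    # 17 scans per IP per day (article) across 16 public addresses (constructed),
    # all dropped by a perimeter filter: vulnerability is zero, so risk is zero
    Scenario("attack-related scan", 17.0 * 16, controls=[1.0], cost_per_success=1000.0),
    # A patch for a flaw nobody is attacking: threat rate zero, so risk is zero
    Scenario("unexploited flaw awaiting patch", 0.0, controls=[], cost_per_success=50000.0),
]


if __name__ == "__main__":
    for loss, name in rank_scenarios(SCENARIOS):
        print(f"{name:35s} expected loss ${loss:,.2f}/day")
    print("80% layers needed for <=1% residual:", layers_needed(0.8, 0.01))
```

Running it ranks the insider scenario above the virus scenario, leaves the scan and patch scenarios off the list entirely, and reports that three 80-percent layers are enough to push residual vulnerability below 1 percent; changing a cost or a control value is all it takes to see which investments actually move the number.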

For example, the built-in lack of vulnerability at the corporate level makes about half of Microsoft's "critical" patches unnecessary. If you know you have filters, topologies, configurations or other controls that also address a particular risk, you can delay or eliminate another 50 percent to 70 percent of the proposed fixes.

There's a larger lesson here. Organizations need the equivalent of brakes, seat belts and steering, not antilock, antiskid brakes with rack-and-pinion systems. Best practices are less useful than a comprehensive, risk-based approach that generates practical and achievable security.

Organizations can prevent costly attacks on their infrastructure when they stop following security dogma and chasing vulnerabilities and fancy new security devices. You don't achieve security by blowing everything up and starting over or by incessantly spending money. You do it through a rational, pragmatic focus on the real problems.

Dr. Peter Tippett is CTO of TruSecure. He is widely credited with creating the first commercial antivirus product, which later became Norton AntiVirus.