If you’ve ever played chess, you know that each move you make has to be the best move. At one level, this is painfully obvious — after all, who would choose to make a terrible move instead of a better one? — but it’s illustrative of an important concept.
Specifically, the core reason it’s true is that each individual move in a game like chess comes with an associated “opportunity cost.” Making a suboptimal move represents a lost opportunity to do something better: say, a game-winning move that you could have made but didn’t.
I’m bringing this up because establishing a security program is in many respects exactly the same. We don’t have infinite resources (money, time and focus). This is a truism, but it implies that everything we do comes at the cost of something else — what we could have applied our resources to but didn’t.
Optimal Risk Reduction
In the context of a security control or countermeasures, this means that when we implement something that performs poorly, is expensive to operate and maintain, or that is suboptimal in some other way, there are a number of other things that could have had much more impact in reducing risk that we didn’t implement. This is the “opportunity cost.”
Now, most organizations don’t think about their security controls in this way. However, remember that good governance — in this case the governance of your cybersecurity efforts — is about ensuring that stakeholders receive the most value from the choices that you make.
In this case, the value is derived from ensuring that you are using resources most effectively in reducing risk. One ingredient that I often see missing n the field is understanding of the practical steps required to assess a security program in this way — which I’ve written about before. With that in mind, I decided to outline a relatively simple process that practitioners can follow to use an economics-aware approach to understand, assess, and optimize their security efforts.
Cultivating Your Inner Bean Counter
The very first thing you’ll want to do is gain an understanding of these two things: the risk profile of your environment, and the resource consumption footprint of the countermeasures you have fielded. This is a little harder to do than it sounds.
It’s hard because formalized risk management isn’t something many organizations do well. In this case, though, it is critical because you need to understand with some degree of precision what the risk impact is for existing controls, or what it will be for those you may consider adopting, so that you can determine how much risk can be reduced per unit cost of your investment.
It’s also challenging because many security programs don’t track the ongoing costs (the resource consumption footprint) associated with the acquisition, operation and maintenance of the controls they deploy.
Looking at the total cost of ownership for controls is advantageous because, by doing so, you can understand the full picture of how your resources are being used. In combination with the risk information you collect, you can make decisions about the optimal use of resources.
How can you start doing this? The first part is simple. If you don’t do it already, start with some method of formalized risk management — at least the assessment and measurement phases. The goal of this part is to understand unambiguously what risks you have in your environment, as well as the impact of your controls on reducing them.
The reality in the field is that risk management is the kind of thing that we know we should be doing, but is one of the first things to fall by the wayside when time and deadlines get tight and there are fires to put out. This is a good practice to do anyway — in fact, it is required for regulatory compliance in some industries — which means that doing it almost certainly will provide value regardless of whether you use it for this or something else.
The second part — understanding the total cost of ownership for controls — is a little more difficult because many organizations aren’t used to looking at controls in this way. Ideally, we’d want to understand the total cost of ownership for what we have in place now, as well as future investments we might make.
Realistically, though, some information (e.g., data about controls purchased in the past) may not be available. Therefore, for existing controls, focus on what it takes resource-wise to operate them. Account for any costs like licensing, support, hardware or cloud usage, etc. Also, collect information about staffing resources used in support of each control. The goal is to build a complete picture — both in dollars and time — of what each control costs.
Once you have this information, you can begin to use it to help guide your program. The most straightforward utility is in budgeting and planning for future activities. With risk information in one hand and the resource utilization costs of mitigation in the other, it is relatively straightforward to understand how much risk mitigation value you will get from a particular investment vs. what you’d get by doing something else.
This is useful, of course, but there is more value to the exercise than this. Specifically, there are two things you can do with it. The first is to know when to give up on costly investments that are not providing tremendous value. Depending on the implementation of a given control, it is possible that — over time — the same outcome could be accomplished through something more cost-effective or that requires fewer staffing resources to run.
It’s natural for this to happen: Situations change, technology changes, how the business employs technology changes. Therefore, a deployment that made perfect sense and that initially was highly efficient (significant risk reduction per dollar spent) may have that value erode over time.
At some point, the cost of upkeep for some controls will exceed that of bringing in a new one that does the same thing (even accounting for the costs of acquisition — year one costs — which can be significantly higher).
This means you may have some hard decisions to make. For example, you may conclude that a given tool, system, control or countermeasure is providing less value than you might get through another approach or service provider. On the plus side, you have the information to use your resources most effectively. On the downside, it brings to light hard decisions and force you to have discussions that may be uncomfortable to have.
This approach absolutely will take some getting used to. That said, understanding the opportunity costs can provide tremendous value as you look to optimize the measures you take to address risks in your organization.