A model for Information Security Spending Analysis

I have been in several discussions recently where the idea of analyzing Information Security spend has been a topic. The ideas have either been wildly different, or have used a model that is difficult to understand and not replicable by other organizations. We have used a model that seems to be somewhat unique and every time I share it I get a ton of positive responses. I hope to describe the concept in enough detail here that anyone can replicate the process in their own program.

Early on in our Information Security Program development we determined we needed to really hone in on the controls and applications that move the needle of our InfoSec security posture the furthest and fastest. Sometimes that meant using built-in (FREE) controls, even if they weren’t the easiest to use or most effective.

After we got a little further into the journey (you know this is a journey, not a destination, right?!) we needed a way to determine if we were continuing to move the needle. What was our next best spend?

As we thought about our tools and what the next best spend was, we realized we needed to think about how attackers actually attack. The Lockheed Martin Cyber Kill Chain seemed like a good model on which to base our spending and fiscal analysis.

In the Cyber Kill Chain, there are 7 distinct steps an attacker goes through to carry out an attack against an organization: 1) Reconnaissance, 2) Weaponization, 3) Delivery, 4) Exploitation, 5) Installation, 6) Command and Control and 7) Actions on Intent.

As defenders, the further left in the chain we can shift our controls, the lower the cost and the lower the damage typically are. The further an attacker makes it into the environment, the more damage is likely done and the more cleanup is needed.

We also recognized that some attacks can be prevented, but others are either difficult, expensive or impossible to prevent. Therefore, detection may be the proper control for those attacks.

This led us to create a grid similar to the following:


InfoSec Spend Analyzer

| Stage of Attack | Prevention Technologies | Detection Technologies | Percent of Total Spend |
|---|---|---|---|
| Reconnaissance | | | |
| Weaponization | | | |
| Delivery | | | |
| Exploitation | | | |
| Installation | | | |
| Command and Control | | | |
| Actions on Intent | | | |
| Percent of Total Spend | | | |

table code generated from https://ianrmedia.unl.edu/responsive-table-generator-tool

Each of our security tools maps to at least one of these cells. This began to give us a view of our spending for each step of the attack methodology used by attackers. It also showed us whether we were preventing attacks or only detecting them. We could then do further analysis on a per-person, per-workstation or per-department basis to see the cost of securing our systems and, ultimately, our data.
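To make the mapping concrete, here is an added worked example (not code from the original post) that fills in the grid above from a tool inventory. It takes each tool's annual cost and the cell or cells it maps to, then produces spend per cell, percent of total spend per kill-chain stage, and the prevention-versus-detection split. The tool names and costs are constructed sample data, and splitting a multi-cell tool's cost evenly across its cells is an assumption of this example rather than something the post specifies.

```python
"""Kill-chain spend analyzer: an added example, not the post's own code.

Input: a list of tools, each with an annual cost and the (stage, control
type) cells it occupies. Output: the grid from the post, with spend per
cell, percent of total spend per stage, and the prevention/detection split.
"""
from collections import defaultdict

STAGES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command and Control", "Actions on Intent"]
CONTROL_TYPES = ("Prevention", "Detection")

# Constructed sample inventory; tool names and costs are hypothetical.
# A tool covering several cells has its cost split evenly across them
# (an assumption of this example, not a rule from the post).
SAMPLE_TOOLS = [
    {"name": "Email filtering", "annual_cost": 20000,
     "cells": [("Delivery", "Prevention")]},
    {"name": "Endpoint protection", "annual_cost": 50000,
     "cells": [("Exploitation", "Prevention"),
               ("Installation", "Prevention"),
               ("Installation", "Detection")]},
    {"name": "DNS egress monitoring", "annual_cost": 10000,
     "cells": [("Command and Control", "Detection")]},
    {"name": "Data loss prevention", "annual_cost": 20000,
     "cells": [("Actions on Intent", "Detection")]},
]


def build_grid(tools):
    """Return ({stage: {control_type: spend}}, total_spend).

    Rejects tools that map to no cell or to an unknown cell, so an
    inventory entry that was never classified cannot silently drop out
    of the analysis.
    """
    grid = {stage: defaultdict(float) for stage in STAGES}
    total = 0.0
    for tool in tools:
        cells = tool["cells"]
        if not cells:
            raise ValueError(f"{tool['name']} is not mapped to any cell")
        share = tool["annual_cost"] / len(cells)
        for stage, ctype in cells:
            if stage not in grid or ctype not in CONTROL_TYPES:
                raise ValueError(f"unknown cell {(stage, ctype)} for {tool['name']}")
            grid[stage][ctype] += share
        total += tool["annual_cost"]
    return grid, total


def percent_by_stage(tools):
    """Percent of total spend per kill-chain stage (the grid's last column)."""
    grid, total = build_grid(tools)
    if total == 0:
        return {stage: 0.0 for stage in STAGES}
    return {stage: round(100 * sum(grid[stage].values()) / total, 1)
            for stage in STAGES}


def percent_by_control_type(tools):
    """Prevention vs. detection share of total spend (the grid's last row)."""
    grid, total = build_grid(tools)
    if total == 0:
        return {ct: 0.0 for ct in CONTROL_TYPES}
    return {ct: round(100 * sum(grid[s][ct] for s in STAGES) / total, 1)
            for ct in CONTROL_TYPES}


def render(tools):
    """Print the filled-in grid as a plain-text table."""
    grid, total = build_grid(tools)
    by_stage = percent_by_stage(tools)
    by_type = percent_by_control_type(tools)
    print(f"{'Stage of Attack':<22}{'Prevention':>12}{'Detection':>12}{'% of Spend':>12}")
    for stage in STAGES:
        print(f"{stage:<22}{grid[stage]['Prevention']:>12,.0f}"
              f"{grid[stage]['Detection']:>12,.0f}{by_stage[stage]:>11.1f}%")
    print(f"{'Percent of Total Spend':<22}{by_type['Prevention']:>11.1f}%"
          f"{by_type['Detection']:>11.1f}%{'':>12}")
    print(f"Total annual spend: {total:,.0f}")


if __name__ == "__main__":
    render(SAMPLE_TOOLS)
```

Empty rows in the rendered grid are the useful output: a stage with zero spend in both columns is a gap to discuss, and a heavy detection column against a light prevention column at an early stage is exactly the left-shift question the post raises. Dropping a vendor's proposed product into the inventory and re-running the script shows how the percentages would move.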

I would be interested in having conversations with other organizations to compare spending in each stage of the Kill Chain, and to discuss whether a specific percentage should be allocated to Prevention technologies versus Detection technologies. My experience is that as we have matured our InfoSec program, our spending patterns have changed. It would be interesting to hear from others whether they have had a similar experience.

One of the unintended benefits of this approach shows up when working with vendors. I can provide this grid to a new contact who would like to engage in a conversation about their product. I ask the vendor to select the cell in which their product functions, and then we can have a conversation about what tools we already have in place and whether this is the next best spend for our organization. It is sometimes interesting to see the responses of vendors, as they have never thought about their products in this way. Occasionally, a vendor will recognize that we have sufficient spend in that area and that it wouldn’t make any fiscal sense to replace the tools we already have in place. That makes my job much easier!

If you find yourself interested in having a further conversation about how this model might apply to your organization, please fill out a contact form and we can work out a time to have that conversation.

In the meantime, here’s to good security practices for all!

One thought on “A model for Information Security Spending Analysis”

  1. Excellent insight Randy and a tool I will likely leverage – very much appreciate your post! An alternative approach might be to use the NIST CSF framework instead of the kill chain as it may provide a broader view and perspective to those who have adopted the NIST CSF. Exact same approach of Prevention vs Detection, but you could expand to people and process in addition to technology.
