I have been in several discussions recently where the idea of analyzing Information Security spend has been a topic. The ideas have either been wildly different, or have used a model that is difficult to understand and not replicable by other organizations. We have used a model that seems to be somewhat unique and every time I share it I get a ton of positive responses. I hope to describe the concept in enough detail here that anyone can replicate the process in their own program.

Early on in our Information Security Program development we determined we needed to really hone in on the controls and applications that move the needle of our InfoSec security posture the furthest and fastest. Sometimes that meant using built-in (FREE) controls, even if they weren’t the easiest to use or most effective.

After we got a little further into the journey (you know this is a journey, not a destination, right?!) we needed a way to determine if we were continuing to move the needle. What was our next best spend?

As we thought about our tools and what was the next best spend, we realized we needed to think about how the attackers were attacking. We thought the Lockheed Martin CyberKill Chain was a really good model that we could use to begin to use for spending and fiscal analysis.

In the CyberKill Chain, there are 7 distinct steps an attacker goes through to leverage an attack against an organization: 1) Reconnaissance, 2) Weaponization, 3) Delivery, 4) Exploitation, 5) Installation, 6) Command and Control and 7) Actions on Intent.

As a defender, the further to the left we can shift our controls, typically the cost is lower and the damage is lower. As an attacker makes it further into the environment, more damage is likely done and more cleanup is needed.

We also recognized that some attacks can be prevented, but others are either difficult, expensive or impossible to prevent. Therefore, detection may be the proper control for those attacks.

This led us to create a grid similar to the following:

table code generated from https://ianrmedia.unl.edu/responsive-table-generator-tool

Each of our security tools map to at least one of these cells. This began to give us a view towards our spending for each step of the attack methodology deployed by attackers. It also gave us a view toward whether we were preventing attacks or only detecting them. We could then do further analysis on a person, workstation or department basis to see the cost to secure systems and ultimately our data.

I would be interested in having conversations with other organizations to do a comparison of spending in each stage of the KillChain and whether there should be a specific percentage allocated to Prevention technologies versus Detection Technologies. My experience is that as we have matured our InfoSec program, our spending patterns have changed. It would be interesting to hear from others whether they have a similar experience.

One of the unintended benefits of this approach is when working with vendors. I can provide this grid to a new contact who would like to engage in a conversation about their product. I ask that vendor to select the cell their product functions and then we can have a conversation about what tools we already have in place and whether this is the next best spend for our organization. It is sometimes interesting to see the responses of vendors as they have never thought about their products in this way. Occasionally, a vendor will recognize that we have sufficient spend in that area and that it wouldn’t make any fiscal sense to replace the tools we already have in place. That makes my job much easier!

If you find yourself interested in having a further conversation about how this model might apply to your organization, please fill out a contact form and we can work out a time to have that conversation.

In the meantime, here’s to good security practices for all!