EP#96 – James Fair – How to Measure the Value of Information Security
Most people recognize the value-preservation side of cybersecurity. But forward-thinking professionals also see the value creation in having a secure information posture.
Cybersecurity is the foundation of preserving sensitive data and providing peace of mind, but does it create value for the organization, and if so, how do we measure that value?
Tracking the return on investment in cybersecurity can be challenging. Much like auto insurance, you gain the most obvious value when something goes wrong—however, that doesn’t mean insurance isn’t valuable during smooth sailing.
I invited James Fair, Senior VP at Executech, to discuss the value of compliance, measuring ROSI, the Return on Security Investment, and budgetary considerations in cybersecurity.
Join us as we discuss:
The value of cybersecurity vs the costs of a breach
Convoluted cybersecurity budgets and industry averages
How compliance supports value preservation and value creation
To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here.
You’re listening to The Virtual CISO Podcast, a frank discussion providing the best information security advice and insights for security, IT and business leaders. If you’re looking for no BS answers to your biggest security questions, or simply want to stay informed and proactive, welcome to the show.
Yeah. So James Fair, as I said. I am a senior vice president at Executech and every day, I share my time between taking care of all the tech here in Utah, all the clients here in Utah, cyber security and leadership. That’s a short version.
I have been historically. I took about 10 years off and then when I went back, I went with my son and my best friend. They took me up places I had no business going and it kind of traumatized my knees at least. And my wife’s like, “You’re not going back. You hurt for a month after that, so you should not do that again.”
Yeah. Park City is an awesome place from an east coaster’s perspective, because it’s so convenient to get there. I mean, we can literally fly out in the morning and be skiing in the afternoon, which makes it relatively unique. So I’ve spent a lot of time in Park City and I’m a big fan of that area.
What I thought would be interesting to talk about today is, when you talk with CFOs and COOs, there’s this ever increasing awareness of the importance of information security, but there’s also these escalating costs. So security at what cost? And what is the true value of security to a business? I have this thought process and it comes from COVID, where there’s value creation and there’s value preservation. And I think most people look at information security from a value preservation perspective. Avoiding a loss, not having a breach, not having a disruption. And I think when you think about figuring out what the value of information security is from a value preservation perspective, it’s sort of like an insurance policy, and how do you value insurance? “Hey. I don’t think I’m going to die, but if I die, at least my family’s protected.”
Exactly. And then if you go the opposite way… And I think that some of our more forward thinking executives, they understand that there’s an increasing need to be provably secure and compliant these days. And there’s a value creation part in addition to the value preservation. And I think that’s part of the challenge, is that there’s a preservation and a creation component to figuring out what is the value of security, or I’m going to use the term ROSI. What is my return on security investment?
And one of the reasons why I thought it’d be interesting to chat with you is, I know from looking at some of the stuff that you’ve published before, that you often help clients calculate the value, the ROI, if you will, of their IT infrastructure and their spend there. So knowing what you know about what you do, estimating there, and knowing what you know about information security, I know you’re knowledgeable there. Do you think that estimating the return on security investment is a possibility?
It’s a bit esoteric. There’s no hard and fast numbers we can use. I wish there were. There’s certainly some we can look at. The average ransomware attack is costing people somewhere between 250,000 to 850,000, so sub a million. Not to go the opposite way as you mentioned, but that’s a pretty severe hit. It’s hard to put any costs around the PR side of things, but what if your IP was exfiltrated? We see that a lot these days.
The University of Utah here in Salt Lake. They got hit with ransomware. They did everything right, and yet they ended up paying the ransom, even though they had backups they were able to recover, because they had student data that they exfiltrated. So that’s a huge cost. What is your IP worth? I’ve had the unpleasant task of trolling the attacker’s site to see the data that they were selling online, because somebody didn’t pay. And it was just astounding how much was out there.
Back to the original question though, there are some real tangible numbers we can work with. Cyber insurance, for instance. Do they give you a discount if you have some certain cybersecurity measures in place? That’s a pretty tangible number. And that’s what I would start with, I think, really. I saw a stat that said something like 80% of businesses got hacked in 2019.
One way that I know that it’s more common in the IT area, when you’re doing an assessment of a company’s IT spend, is to look at their spend against industry baselines. Company size, equivalent number of employees, things of that nature. I know you’re familiar with data on the IT side. Have you seen data on the information security side that folks can use?
I’ve seen Deloitte did a study on… but it was financial industry specifically. They were showing about 10% of IT budgets. We see everything from 1% to 13% on average, of IT budgets typically. If we consider that the… Microsoft’s CEO said they were going to spend $1 billion each year on cybersecurity. If you want to judge it against that, the 2019 presidential budget was something like 15 billion. So spend is going up for sure, but typically, 3 to 5% is what we see on average, for sure.
Okay. Let’s say a company’s 10 million for the revenue. So you throw out some numbers there, let’s get down to like… From a typical organization… I know there are no typical organizations, but if we were going to overly generalize organizations, can you give a number for what you would think an average infosec spend might be for most organizations?
That’s still not a lot, because if you look at a 50 person firm, that’s like 65,000 to 150,000. So it’s still low. So obviously that’s probably a hard cost. And that would be interesting, because I wonder how does that tie into… That probably works for a larger company, but that might not work for smaller companies. So that’s part of the danger of actually using a generic number of that sort, I guess, is that number doesn’t scale. Because I can see that number working well at, let’s say, 100,000 people or 10,000 people. But if you’re a 25 person company that processes someone else’s data and you need an ISO certificate, you’re spending four grand per employee just on the ISO certificate, let alone all the other stuff. So I guess what we just learned is that there really is no general rule of thumb. It depends on really what your information security requirements are-
… industry, the type of data you’re processing. Okay. Yeah. That makes sense.
So you pointed to this out, I think it’s so true. When you think about value preservation… Unfortunately, we don’t have the “actuarial data” that insurance companies do. If you’re a 41 year old male who smokes, you have an X percent chance of dying each year, and they can calculate accurately what the value is of that. So if you were talking with the CFO and they’re trying to have these conversations, where would you look for that data? I know like Verizon does their DBIR each year, this other industry data… Is that where you would guide people to look?
I love the Verizon Report, first of all. It’s a brilliant report, lots of insights on it. Really, I would say, start with the risk analysis. I think we’ve spent too much time doing inward-facing cybersecurity and we need to look at a risk based one. We need to create a matrix. If you’ve got a list of all the possible attacks for your industry, an estimated likelihood of those attacks and the severity in the event of such an attack, then you’ve got a matrix you can work with. Now compare that to… take the solutions required to make that happen. Estimate the cost and the difficulty to implement. Now you’ve got some intelligence you can work with. You can see what’s urgent, you can see what’s going to be easy to knock out, easy to implement. So I think we really need to move to that risk based model, and too many companies are just not there yet.
Yeah. I’d listen. You couldn’t follow a better approach. Every major framework, ISO 27001, SOC 2, CMMC, FedRAMP, all require a good risk assessment at the start of the process. You’re going to that, again, the mythical quantitative risk assessment. And the problem with quantitative risk assessments is, again, we come down to what’s the likelihood of this occurring, and the likelihood of that occurring is not in a… Let’s say we were talking about the likelihood of a tornado hitting you. Even if you lived in Kansas or a place where it was subject to tornadoes, what’s the likelihood that it’s going to hit your building and actually have impact on you? And now if we go to the even more esoteric things, what’s the likelihood that I get caught in a ransomware attack? Or I have a piece of infrastructure that doesn’t get patched and someone finds it and hits me with a zero-day. And then what does that end up yielding access to? So it’s a challenge, I guess, no matter how we carve it up, which is why we’re probably having this conversation.
Yeah. It is. It’s like I said earlier, it’s an esoteric number that’s tough to find. We don’t have enough data yet to do that. What did you call the… actuarial tables, right? I wish we did. That would make this all very clean and cut and easy. But unfortunately, all we’re working with is what we have, which is ridiculous amounts of breaches and growing every single year.
Yeah. I think one of the things you could look at… I mean, we tend to work in… I’m going to refer to it in the small to medium size enterprises most of the time. So you see these organizations that someone put in a whole bunch of sweat equity and a lot of time, to build a 100 person or a 500 person organization. I think one of the things you can look at is, what on the law side would be… Under the worst case scenario, what would be the impact to your organization? And then, are you willing to live with that impact at some point in time? It’ll still come down to some level of risk based. But knowing that there is at least some 10% ish level of chance of something occurring that has the ability to take your organization that you spent your whole life building, and put you out of business. I guess, maybe we end up at that rule of thumb at some point in time.
Yeah. And also you needed to factor in a little less worse case, but what’s the downtime cost? Let’s say you can recover from it just fine. Can you afford to be down for two days, or three days, or a week that it takes you to recover from that? So there’s downtime cost, there’s the hit to the PR, how many customers are going to be willing to come back once they find out that you’ve been responsible for a breach of their data?
That becomes an interesting one as well. You have the cost of the event, and then you have the impact beyond that cost, and like you said, reputational impact. So if you’re an organization that does mailing list processing on someone’s behalf, you get hit in a large situation that becomes public knowledge, or it becomes just the industry knowledge. Maybe you’re in a small industry where it just comes around that. “Hey, so and so got hit.” How much does that cost you in future contracts? So it’s not just that initial cost, it’s what’s the downstream impact of said events.
Yeah, gets interesting. So I prefer… and it’s so funny. You’ve probably been in a meeting where someone says, “Well, what happens if so and so gets hit by a bus?” And then someone will invariably say, “You mean wins the lottery, right?” Because no one likes to think about the doom and gloom.
And I actually really do prefer to think about the value creation component. And increasingly, when I’m chatting with clients because… Of the challenges we just talked about with the value preservation calculation, I try to get into a conversation about value creation. So the challenge on the value of creation side is, there is some level of… Infosec field of dreams, I call it. If we build it, we are going to win new customers. These customers will come. How do you recommend that a CFO looks at that concept of value creation? Is it new clients? Is it retain clients? Additional services to the same? How would you go about guiding somebody on that side of the fence, which I think is at least a more fun conversation to have with them.
Yeah. I appreciate that perspective a lot. I like the good side of cybersecurity. You don’t hear that very much though. I don’t know if you’re going to get any new clients from it. I mean, you could go out there and say, “We’ve never been hit before,” but that tends to put a target on your back.
Well, let’s go a different direction. If they’re sitting there saying, “Hey, we’ll be the first company in our industry to become ISO 27001 certified and be able to tell customers.” Or we’re increasingly seeing ISO 27001 or equivalent in RFPs and bids that are coming to the market. So under that scenario, right?
So yeah, your expanded options, the potential for looking at DOD contracts, other things you may not be able to touch otherwise. But I also think there’s resiliency built into this that isn’t taken into account otherwise. You become more trustworthy, and how do we put that out there to the customers? They see us as more resilient and trustworthy. We’ve got the business continuity. And some of the technology we see coming out, you can leverage to really advance things such as adaptive architectures and behavioral analysis. Those are a couple that I think will really change the landscape quite a bit. But your strategy needs to be prioritizing adaptability and confidentiality, and privacy, and safety and reliability, upskilling leaders in research and security options that are going to free up resources in the future. I think that’s where we can build a lot of value.
Yeah. The other interesting thing is, you’re probably familiar with all of the work going on in the defense industrial base with CMMC and many of these moderately sized 100 person, 50 person manufacturing organizations. If they want to continue to operate in the DIB, they’re about to be in a situation where they’ve got a six figure investment that they need to make. A $100,000 plus, which for those size organizations that have relatively simple technology footprints is a big jump. So I’m constantly having conversations with people where they’re like, “You got to be kidding me. I mean, I’d rather go out of business or I’d rather stop servicing the DIB.” And that’s a fair component. One thing though that I think resonates with them is that when I talk about the concept of that… Making an investment into cybersecurity can be a barrier to entry for your competitors.
So if you think about it, like if you’re in the DIB and there’s 30 organizations that can bend sheet metal the way that you do, and they all do a $100,000 worth of business with the DIB, and spending a $100,000 makes no sense. Well, it’s a good likelihood that 28 or 25 out of those 30 are not going to do that. So if you are the one who does that, first off, you’ve lost 80% of your competition. And then the second thing is that you don’t really have to worry about some guy starting up in a garage and starting to bend sheet metal, and trying to get into your space, because he’s got to be pretty damn well collateralized to do that. Have you seen those situations? Have you had those conversations with folks?
Yeah. I don’t want to name client names, but you’ve got some optical folks who are running a franchise… Particularly in the franchise industry we see this, where you’ve got a franchisor or a franchisee and neither of them… They got this all set up, but hadn’t really created any contingencies for what happens when our hardware is 10 years old. Now all of a sudden we have to forklift everything out and replace it, and it’s going to cost us how much? So we see some of that… And yeah, we absolutely run into this, and with CMMC people are like, “Hey, we decided we wanted to do some defense contracts. What do we need to do to do that?” And then you show them the price tag, they go, “Oh.”
Yeah. I think that idea resonates more with the folks that are already doing business in the DIB. And it’s a matter of, “Am I willing to lose that?” And if it’s $20,000 worth of business a year, “Huh. Okay. Not the end of the world.” If it’s 500,000, now they’re in this squeaky spot of, “Is it worth 150 to preserve 5?” The math gets a little bit more interesting. If you think about compliance with regulations, I know that you guys do some work with payment card industry stuff. How does that factor into ROSI from your perspective?
Yeah. There’s a reason all those things exist inside of PCI, so it absolutely has to be a factor you take into account. And not to beat on the negative side, but there’s an impact if we aren’t compliant, then you could end up paying higher credit card fees. If you get breached, heaven forbid, I hope that never happens to anyone. But should you get breached and you have some PCI compliance that you didn’t hit, then your fine’s going to be a lot stiffer than if you had. So there’s definitely some motivation, shall we say, to do the extra spend to make sure you’re being compliant.
Yeah. And I guess on the regulatory compliance side, you have to account for that, more so, on that negative, the risk preservation side. Because even in the worst case, and we’ve seen this happen, an organization can lose its ability to process credit cards. And if you’re in certain industries, that basically means you’re out of business. Using the same analogy with our DIB clients with the 800-171 compliance, soon to be CMMC 2 compliance. If you have some type of a breach or if they just suspect that you’re not being truthful about your attestation and they drop in, you’re subject to the False Claims Act. The US government recovered something crazy like 21 billion through the False Claims Act in 2020.
Yeah. They can come back. It’s crazy. And by the way, there’s a Whistleblower Act, so that the whistleblowers, they get 30% of whatever comes back to them. Yeah, so there’s incentive-
… and they can recover everything you’ve ever invoiced. And then I think they can also surcharge like $11,000 per invoice, because each invoice you’ve effectively attested to the fact that you were telling the truth when you said you were achieving the standard. So yeah, I guess the compliance component… I guess, really the way that factors into return on security investment is making sure you’re thinking through all of the implications of what happens if we fail from a compliance perspective. Okay, cool.
I know when we had our original conversation, you brought up one of my favorite people in the whole world, Vilfredo Pareto, who’s most well known for the 80/20 rule. And you talked about… you guys on the IT side are huge fans of putting in place what you referred to as an IT strategy and having a clear, longer term roadmap that guides people’s actions over a multi-year period. So we try to do the same thing from an information security perspective, and sometimes you get people like, “No, no, you don’t understand. We just need to do X.” How do you communicate the value prop of that longer term strategy and roadmap to clients to make sure that they buy into it?
One of the easiest ways I’ve found for clients that can afford it, not necessarily the small business space, but the larger ones, is uptime. Let’s not wait until something breaks. We have a life cycle in all of this stuff. What if we replaced it before it broke? And therefore you experienced far less downtime than waiting until things fell apart before you decided to replace them. So if we do that with every piece of hardware in the infrastructure, then we can justify keeping them up much more. And as the IT folks, we feel better because we know we’re replacing outdated hardware on a regular cycle. For the smaller clients, I think what really bites for them is being able to make all this work in a budget. We come to them when we say you need endpoint protection and new switches and next generation firewall, and they get deer in headlights looking at them and it’s like, “There’s no way.” So now we can come back and say, “All right, let’s put this into a budget that makes sense.” And they can start to have more predictable IT costs in both of those scenarios.
Yeah. And the other thing too, that I like about more of that strategic approach is that, it forms a set of guidelines, if you will, that folks can use to make consistent decisions on what to do. And perhaps even more importantly, on what not to do over time and make sure that every investment and every step is aligned with an end state. Because part of making IT and information security value creation, not just value preservation, is making sure that your IT and information security architectures are where you need to be, to get to where your company wants to be in three years. So if you’re working with a company that’s intending to scale and wants to double or triple in size, if they don’t have a strategy and if that strategy isn’t aligned with a long term goal of getting them there, what they’re going to find out is that their IT infrastructure is not going to be where it needs to be when they need it to be there. Same concept on the information security side.
I guess I would add… Make sure we are in our risk analysis. We’re doing things that maybe we didn’t think about prior, such as global pandemic, a couple years ago. I don’t know if that was on anyone’s risk register. We’ve got a war going on over in the east, so maybe we need to factor in some larger things that we may not have considered. Who knows with this heat, what’s going to happen? So extended downtime, long internet outages. Let’s make sure we’re mapping the whole thing out. And-
Yeah. I was just going to say… It is so funny, because when we do risk assessment, we do them all the time. Bringing up those, what I would call outlying cases, used to be something people would roll their eyes at you at. And since the pandemic, a little bit less so, right?
Yeah. It has changed people’s perspective. Generally speaking, I’m a believer that in your worst moments, in your most challenging moments often, great things come to fruition after that. There’s value to have gone through the crucible. And in this case, I think to some extent, especially on the IT side. I think that we’ll all be better off, because so many of these things that we were quick to dismiss, we’re no longer quick to dismiss. And we’ve become so much more… Think about the idea of, three years ago, how most organizations, their ability to work in a remote situation where a building was unavailable, or where people are unavailable, or transportation was unavailable, it would be unheard of. And think of where we are now three years later. So I think in most cases, I would say, most organizations are much better prepared to weather a greater percentage of the bad things that might happen.
Yeah, I totally agree with that. And some others that come up. We saw supply chain challenges. How do we deal with that? Or the great resignation. What do you do in the event of a… you can’t hire enough staff to do the job.
Yeah. You’re doing it right now. I know in the IT, like if you’re in software development and you’re looking for good software architects, and you’re looking for DevSecOps folks and good cloud architects, it’s brutal right now. Information security. I know we’re challenged constantly. I mean, we’re a small company. We have a full time person out recruiting people because of the difficulty of finding people. So yeah, we are actually, I think, dealing with a lot of that right now. So that’s really interesting.
I think the last thing I would add is, we often take the perspective of how do we stop the bad guys, and there’s nothing wrong with that. It’s a great approach. But I also want to encourage organizations to take the approach of, what do we do when the bad guys get in? How do we deal with it? So let’s make sure we’re also considering what happens when an attack happens, not how do we prevent it from happening necessarily.
Yeah. If you think about it, isn’t that effectively in some ways, the basis of Zero Trust. There’s not an organization in the world that could hold up to a sustained nation-state adversarial attack. Or if it’s not nation-state, some type of QAnon or anonymous, or one of these really talented groups. So yeah, operating under the presumption of, “I’m trying to avoid someone getting into my infrastructure,” is probably a mistake at this point in time. And operating under the presumption of, “Someone will get into my infrastructure. And how do I prevent that from having a negative impact on me?” And I think that’s fundamentally a lot of what this whole Zero Trust movement that’s being pushed by our government. The Critical Infrastructure Systems Agency and DHS is all about, is that our national economy and sovereignty isn’t to some extent tied to our both governmental organizations, but as well as the critical businesses that are integral to our economy. [inaudible 00:27:40] those 17 critical information sectors.
Structures? I don’t know what I was thinking. Cool. Anything else you want to bring up?
No, thank you. I appreciate you coming on. So I’ll ask you the question. Hopefully, you prepared. I know I got you your agenda late, so you have a little bit of an excuse, but don’t lean on it if you don’t have to.
Yeah. Dr. Strange, actually, I think would make a great CISO. He is all about protecting the small guys, creating shields defenses and working his magic to stop the bad guys, so that’s my… I’m going to Marvel answer it.
You’ve been listening to The Virtual CISO Podcast. As you probably figured out, we really enjoy information security. So if there’s a question we haven’t yet answered or you need some help, you can reach us at i[email protected]. And to ensure you never miss an episode, subscribe to the show in your favorite podcast player. Until next time. Let’s be careful out there.