
How secure is secure enough?

Are your information security plans too big, too small or just right? Here are five steps to help you decide.

By Jaikumar Vijayan
July 28, 2008 12:00 PM ET

Computerworld - This story originally appeared in Computerworld's print edition.

If there is a Holy Grail in the information security industry, it surely is the answer to the question, "How secure is secure enough?"

It's a question that many security managers have either avoided answering altogether or tried to quickly sidestep by throwing a fistful of mainly pointless operational metrics at anyone who cared to ask.

But with a faltering economy beginning to put the squeeze on IT budgets, and security managers being asked to justify every dollar they spend, there is a growing need to come up with a better answer to the query. Increasingly, there is pressure on IT managers to demonstrate how exactly their security investments are helping them manage threats to their businesses. Companies want to know if the money they are spending on security is too much, too little or just enough.

Answering the question with any degree of accuracy involves art and luck as much as it does science, say security managers. But by adopting the right approaches, it is possible to arrive at a better answer than some might expect, they say.

Here are five steps to help you determine whether your company is secure enough.

1. Decide how secure you want to be.

To know whether your security controls are meeting business objectives, you first have to know how secure you want to be, says Krag Brotby, a consultant at the Information Systems Audit and Control Association (ISACA) and author of several books on security governance models.

There is no such thing as 100% avoidance of all risk, so the goal should be to decide how much you are comfortable with, he says.

"People often talk about acceptable risk," says Brotby, but what you really should focus on is acceptable business impact.

In other words, exactly how much disruption is your business willing to endure from a security compromise before it invests in mitigating potential threats? To make that determination, consider these questions:

  • How much is the business willing to spend to mitigate a threat that poses a 1-in-10 chance of causing a business disruption worth about $2,000?
  • How much would it be willing to spend on the same threat if it was likely to result in $10 million in damages?
  • How long can a critical system be down?
  • What sort of recovery-time objectives need to be met?
  • What, if any, are the regulatory and industry compliance obligations?

"These are the type of questions that need to be asked at the executive level," Brotby says. "By the time you are through this negotiation process, you have a very strong indication of the acceptable level of impact" and can plan for the future accordingly.

2. Get a handle on asset value.

To manage risk, it's not enough just to know how serious a threat is, says John Meakin, group head of information security at Standard Chartered Bank. You also need to understand the probability of that threat actually being exploited in your environment, the value of the assets that are the targets of the threat and the likely effect on your business. Only then can you really know if the cost involved in mitigating a threat is justified, he says.

That approach has allowed Standard Chartered to do things like defer installing security patches — even critical ones — on some systems because it decided that the effort was not worthwhile, based on the actual risk.
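The two steps above amount to a small expected-loss model: the impact the business agreed to absorb (step 1) sets a tolerance, and probability times asset value (step 2) says whether a given threat is inside it and whether a control pays for itself. The following is an added example, not code from the article, ISACA or Standard Chartered; the threats, probabilities, dollar figures and control names are hypothetical, with the first two rows taken from the 1-in-10, $2,000 and $10 million questions in step 1 and the third standing in for the deferred-patch case in step 2.

```python
"""Annualised-loss model for deciding whether a mitigation is worth its cost.

Added example, not the article's or any vendor's code. All figures are
hypothetical. ALE (annualised loss expectancy) = annual probability x loss
per event; a control is bought when the ALE it removes exceeds its cost, and
a threat is accepted (e.g. a patch deferred) when its ALE already sits within
the impact the business agreed to absorb.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    asset: str
    annual_probability: float  # expected occurrences per year; may exceed 1.0
    impact_usd: float          # loss per occurrence: downtime, recovery, fines

    def ale(self) -> float:
        """Annualised loss expectancy before any new control."""
        return self.annual_probability * self.impact_usd


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost_usd: float
    probability_reduction: float   # fraction of the probability removed, 0..1
    impact_reduction: float = 0.0  # fraction of the per-event loss removed, 0..1


@dataclass(frozen=True)
class Verdict:
    threat: str
    control: str
    ale_before: float
    ale_after: float
    net_benefit: float  # loss removed per year minus the control's annual cost
    decision: str       # "accept", "mitigate" or "escalate"


def residual_ale(threat: Threat, control: Control) -> float:
    """ALE that remains once the control is in place."""
    prob = threat.annual_probability * (1.0 - control.probability_reduction)
    impact = threat.impact_usd * (1.0 - control.impact_reduction)
    return prob * impact


def evaluate(threat: Threat, control: Control, acceptable_impact_usd: float) -> Verdict:
    """Ask the article's two questions in order: is the expected impact already
    acceptable? If not, does the proposed control remove more loss than it costs?"""
    before = threat.ale()
    after = residual_ale(threat, control)
    net = (before - after) - control.annual_cost_usd
    if before <= acceptable_impact_usd:
        decision = "accept"     # within agreed tolerance: defer the spend
    elif net > 0:
        decision = "mitigate"   # control removes more loss than it costs
    else:
        decision = "escalate"   # over tolerance, but this control is not
                                # cost-justified: find a cheaper one or get
                                # explicit executive acceptance
    return Verdict(threat.name, control.name, round(before, 2), round(after, 2),
                   round(net, 2), decision)


def prioritise(pairs, acceptable_impact_usd):
    """Evaluate every (threat, control) pair, largest expected loss first."""
    verdicts = [evaluate(t, c, acceptable_impact_usd) for t, c in pairs]
    return sorted(verdicts, key=lambda v: v.ale_before, reverse=True)


# Constructed, hypothetical risk register. Rows 1 and 2 mirror the article's
# 1-in-10 chance of a $2,000 and a $10 million loss; row 3 is a critical patch
# on a low-exposure internal host; row 4 shows a control that is not worth it.
ACCEPTABLE_IMPACT_USD = 5_000.0  # executive-agreed tolerable loss per threat per year

REGISTER = [
    (Threat("kiosk outage", "lobby kiosk", 0.10, 2_000),
     Control("hardened kiosk image", 3_000, 0.90)),
    (Threat("card data breach", "payment processing", 0.10, 10_000_000),
     Control("segmentation and monthly patching", 250_000, 0.80)),
    (Threat("build server exploited", "internal build server", 0.02, 50_000),
     Control("emergency patch with 4h outage", 8_000, 0.90)),
    (Threat("website defacement", "marketing site", 0.50, 20_000),
     Control("managed WAF", 15_000, 0.60)),
]


if __name__ == "__main__":
    for v in prioritise(REGISTER, ACCEPTABLE_IMPACT_USD):
        print(f"{v.threat:<24} ALE ${v.ale_before:>12,.0f} -> ${v.ale_after:>10,.0f}"
              f"  net ${v.net_benefit:>11,.0f}  {v.decision}")
```

Running it lists the card-data breach first (ALE $1,000,000, control nets $550,000 a year: mitigate), the kiosk and the internal build server as "accept" because their expected loss is already under the $5,000 tolerance, which is exactly the reasoning behind deferring a critical patch on a low-exposure host, and the defacement case as "escalate": its expected loss exceeds tolerance, but the proposed control costs $15,000 to remove $6,000 of it, so the decision has to go back to the executives who set the tolerance rather than be made in the security team. The probabilities are the weakest input; treat them as estimates to be revisited, not facts.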
