How Much Should I Invest in Cybersecurity? What Technology Should I Invest?

Organizational risk managers and CISOs are faced with a seemingly bewildering set of investment choices and decision methods for determining the monetary amount and best technical options for cybersecurity investment. Cybersecurity investment business cases are often hard to justify since cyber operations usually do not drive revenue nor can be directly aligned to mission impact. Generally, cyber operations are a cost center, and therefore, the investment metrics and choices are usually around ways to reduce costs and risks, CAPEX vs. OPEX tradeoffs, cost/benefit and break-even analyses, comparative analyses against the investment strategies of other members of the industry sector, and trade studies on what specific protections to buy. Investment questions, on the other hand, are vastly different for those companies that are investing in the development and sale of cybersecurity tools [as evidenced by the crowded landscape graphic developed by Momentum Partners.] As illustrated by the graphic, there doesn’t appear to be a shortage of investment funds for vendors interested in developing new cyber technologies. However the range and number of cyber tools and vendors reflect the complexities facing buyers when making investment decisions.

There have been several announcements lately regarding federal cybersecurity investment plans and initiatives as the President announced his Cyber National Action Plan (CNAP), his national goals in cyber science and technology, the appointment of a Cyber Commission, and the 2017 Presidential budget in which cybersecurity plays a prominent role for four key agencies – DoD, DHS, FBI, and Commerce. These announcements brought to me a bit of déjà vu as I remember twenty years ago the President’s Commission for Critical Infrastructure Protection (PCCIP) led to many similar announcements and initiatives.

At the time I participated in the Infrastructure Protection Task Force (IPTF), an offshoot of the PCCIP work that was led by Jim Christy (also formerly the head of the Defense Computer Forensics Lab). The recommendations of the IPTF found their way into PDD 63 – Critical Infrastructure Protection. Along the way the study team conducted workshops with industry for input and to develop awareness of the cyber threat to critical infrastructure. During one of the workshops I was asked “how much damage may occur as a result of a breach or cyber incident?” And, “What is the average expected loss due to cyber incidents by type of industry sector?” Neither question did I have a good answer for at the time. Further discussion with the questioner led to the motives behind the questions – i.e., to develop an Internet insurance offering, but the questions also got me to think “How much does an average breach cost? What are the ranges in costs of breaches? How much should an enterprise invest in cybersecurity protections? How much of this investment should be devoted to cyber defenses, insurance, or education and training? What decision process and data points should an enterprise consider when making such investments?”

These same questions came back to me again as I read these recent announcements and led me on a quest this past month to begin to find answers. I discovered that even though a lot of work has been done to answer these questions over the last twenty years, there is even more research underway to understand new and old challenges. There are also products, along with mature and emerging new guidance available today to help enterprises find answers to their cyber investment questions. The next few articles and interviews you will find posted here at ActiveCyber provide an account of my quick journey.

First Stop: NIST

Cybersecurity investment strategies are often guided by an enterprise risk management approach. The concepts behind this approach are to identify your high risk areas, determine options that can serve to reduce these risks, and manage your investments to your risk appetite as constrained by your budget. These concepts are outlined well in the Federal Cybersecurity Framework and the Risk Management Framework (RMF) provided by NIST. These frameworks take a holistic, life cycle approach to investment and risk management. My recent interviews with Matt Barrett of NIST [Cybersecurity Framework] and Ron Ross of NIST [Risk Management Framework] provide some insight into these approaches.

Basically, the RMF, in particular, is tied to FIPS 199 – Standards for Security Categorization of Federal Information Systems, and its associated workbook. FIPS 199 provides a method for assessing mission impact due to threats on information systems and information types. By knowing the mission impact level of your system and/or information, you can begin to identify the minimum controls needed to protect it. The overall set of controls and the process for selecting controls are outlined in FIPS 200 – Minimum Security Requirements for Federal Information and Information; and, SP 800-53 – Assessing Security and Privacy Controls in Federal Information Systems and Organizations.

Once an enterprise has identified security and privacy control requirements, it can begin to identify gaps in its security posture to meeting these requirements. Enterprises prioritize gap-filling measures based on their budgets and risk reduction goals. Up to now this approach has generally led federal agencies to make investments in reducing costs and risks by minimizing the attack surface, such as:

• Minimizing Points of Presence, consolidating data centers, and enhancing filtering and intrusion detection services (Einstein is an example),
• Server and endpoint hardening and monitoring (e.g., STIGs, SCAP, blacklist/whitelist),
• Some level of standardization of protections (Joint Regional Security Stacks and DHS Continuous Diagnostics and Mitigation program are examples),
• Increasing network segmentation (e.g., zones, fabric switches, MPLS tunnels, firewalls)
• Reducing digital footprint (e.g., data loss prevention, browser anonymization/Tor, CSA’s Software Defined Perimeter approach)

Enterprises must also consider the cloud in their cyber investment strategies. Cost pressures are  incentivizing organizations to migrate more and more workloads to the cloud and to proceed further with mobile and IoT applications making it more difficult to monitor the attack surface and defend sensitive IT and data assets. On the federal side, the protections required by CSPs are governed by the FedRAMP process which is plagued by slow approvals and errant submissions by CSPs.

The Federal Information Technology Reform Act is also a risk management tool for federal officials as it begins to “Provide appropriate visibility and involvement of the agency CIO in the management and oversight of IT resources across the agency to support the successful implementation of cybersecurity policies to prevent interruption or exploitation of program services.” My recent interview with Richard Spires, the former CIO of DHS, provides further insight into FITARA and how adaptive defenses can provide a good investment for achieving cybersecurity goals.

In my opinion, there are four drawbacks of the NIST approach:
1. The NIST methods are ultimately constrained by the enterprise budget allocated to cybersecurity. Therefore, high priority gaps that reflect costs which consume a disproportionate amount of the budget are often broken into multi-year chunks or at worst continually deferred. Therefore, the resulting investment decisions can lead to less than optimal security posture for an enterprise.

2. The NIST approach doesn’t provide any good rule-of-thumb for determining the allocable portion of the budget for cybersecurity or provide any fine-tuned methods or metrics for identifying high priority security gaps. Often many of the so-called gaps found in the RMF process get inflated to higher impact levels thereby making discernment of investment decisions very difficult. My experience has shown that many enterprises invest up to the level of their “competition” but this may not be the best yardstick for everyone, especially since IT budgets or expected losses may differ widely. Federal agencies don’t really operate under competitive pressure either, so a different yardstick is needed for government agencies.

3. The NIST risk estimation method takes into consideration the value of information to the enterprise and for sustaining mission operations; however, it doesn’t really take into account the value of information or computing resources from an attacker’s perspective. That is, what is the value to the attacker of the assets in which an attacker is targeting, what is the “kill chain” of assets that an attacker will try to compromise to reach his or her target, and how will the attacker “monetize” or otherwise take advantage of the effects of his or her attacks? This threat-based perspective could lead to a different set of cyber investment priorities than a requirements gap approach typically favored by the NIST frameworks.

4. Although continuous monitoring is a key tenet of RMF for identifying gaps in the security posture and determining the resulting risk exposure, significant challenges still remain to adaptively manage risk due to the entropy that is constantly churning the cyber environment. This disorder arises through a variety of factors:

• the growing complexity of attackers’ TTPs and their ability to adapt to new defensive measures [fileless attacks are an example of this growing complexity and adaptation),
• the time and location shifts that occur relative to the value of assets that change the risk and protection patterns (M&A activity is an example of this change in risk and protection patterns),
• changes in the strength of protections (quantum computing is a good example of this change as to how it affects the future of cryptographic protections),
• the introduction of new business and technology models (e.g., BYOD, IoT),
• the increasing complexity of managing protections and mitigating threats and vulnerabilities due to increased number and interdependencies of tools, endpoints, policies, and volume of data to manage,
• the unpredictability of vulnerabilities (zero days).

So what other approaches can be adopted to gauge the needed investment in cybersecurity while addressing some of these shortcomings (at least in my estimation)? In my quest to answer this question and my questions introduced earlier, I came across several interesting efforts or research of note which I briefly highlight in my next article. I will also dive further in depth on some of these discoveries in some upcoming interviews with researchers, vendors, and federal leaders who are also pursuing answers to these questions regarding the economics of cybersecurity.