Computer geeks love their acronyms. Here’s one more: TANSTAAFL. There ain’t no such thing as a free lunch. No, I’m not talking about the grilled Alaskan salmon meal you got while playing on your phone instead of listening to the vendor pitch. I mean that if we want better security, someone has to pay for it. And it’d be better for all involved if that cost was made clear to everyone, especially those footing the bill. But a lot of that cost is pushed around instead of paid by the person eating that lunch.
Here’s what I mean: the security scan turns up a bunch of holes, generates a report, the security team hands it to IT to patch all those systems. Congratulations, the security team has now completed a tiny sliver of the real work needed to be done. Just applying a single patch in a running business can involve investigation, testing, integration, and downtime. And that’s assuming the patch works as advertised and doesn’t break anything.
Every time a risk is discovered, it creates work for someone. Here’s another one: an intrusion detection system matches a signature and raises an alarm. A human must verify it, investigate it, analyze it in the context of the organization’s needs, prioritize it, and then hopefully mitigate it.
How many of our existing security tools are designed around generating enormous amounts of risk vouchers that someone else has to redeem with hard work? It’s no wonder that the new generation of security tools and services are built to automate this. But tools like this are like a towel thrown down below a burst pipe.
Think of all the other security “costs” we push out for the users to deal with: attending anti-phishing training, managing multi-factor tokens, using specialized secure file transfer tools, guarding their laptops when they take them anywhere outside the office, and changing all their passwords when a breach happens. Security labor for the end user just keeps piling up.
Security costs can go against security just as well. A common occurrence is a business unit rolling out a new service or application that introduces a new risk that the security team needs to scramble to manage. Or an empowered user (usually an executive) insisting on doing something a certain way that puts everyone else at risk, like using a cool new IoT 3D video system with hardcoded admin: admin credentials. How about when development and security are so segregated that applications are built or acquired and then handed to the security team to “just add the security so we can deploy this.” None of this seems fair.
There is an economics term for this: an externality. An externality happens when one party receives benefits by pushing the costs to another. Within a closed system, such as an organization, the costs and benefits are supposed to balance each other out. However, I’ve worked within organizations all my life and I can tell you: when one department benefits while another pays for it, people rarely comply with smiles on their faces, even if it benefits the company as a whole. Someone’s taking a budget hit or overworking their team to comply. The result is friction, delay, and carelessness in doing a task foisted upon them. This translate to inefficient and ineffective security mitigation.
There’s another problem with this. In systems theory, it’s called “shifting the burden,” and it can have long-term magnifying consequences. Shifting the burden farther away from the source of the problem can make the problem harder to find and fix. Like the towel under the leaking pipe, it’s alleviating the symptoms, but it hasn’t done anything to stop the ongoing leakage.
Worse, it could mask the impact enough that there is a delusion that the problem has been solved. Just patch the system instead of building or finding more securely-built software. We train and drill people not to click on phishing emails but rarely look at reducing their access privileges so that a single mistake doesn’t compromise the whole enterprise. Short-term relief wins over long term reconsideration of the entire system. It’s cheaper in the short run and we’re always in a hurry.
How can we avoid shifting the burden? One way is for the organization to divest the security team of sole custodianship and embed security into the culture across the entire enterprise. The security office can act like the doctor’s office: you visit for routine checkups and occasional health problems, but we’re each responsible to eat right, avoid toxins, exercise, and get enough sleep. This cultural shift isn’t easy and requires sponsorship from the very top of an organization.
An effective way to begin this journey is to quantify those externalities that are being shifted around so management can see how cost is being accumulated and wasted. By “privatizing” the ownership of the risk, business units can manage their own risk and associated costs. The security team sets the standards, per compliance and reasonable expected practices, and monitors the overall risk level.
There would be certain risks, such as exposure or corruption of critical data and services, that must be mitigated. Other risks, such as availability, could be optionally mitigated based on business needs. For example, some business units may not want to pay for DDoS mitigation if they don’t care if their site goes down. This could even go further into a “cap and trade” style system where departments that reduce their risk load organizational thresholds could receive credit towards unneeded controls.
If this sounds familiar, it’s because it’s how IT chargebacks and expenses evolved within most organizations. It is worth noting that cost regarding IT and IT risk do not necessarily correspond. A business unit could leverage a large technical deployment with far less risk than a smaller one. For example, a giant database running a secure cloud environment may be less risky than a handful of vulnerable IoT devices accessing confidential data.
If implemented transparently, which promotes fairness, it can be a way to reduce security costs at the source of risks. By moving this cost closer to the source, it creates a stakeholder incentivized to reduce the risk or drive down the cost of the mitigation. Putting the cost of additional security directly on the business unit is already happening at different levels of maturity across industries. It’ll be far from perfect and a bumpy ride to get there, but it’s better than shifting burden with invisible externalities.