Ever tried to sell someone on the value of a network monitoring or vulnerability scanning solution? Fun and games, isn’t it? Conversations typically go something like this:
“Why do we need it?”
“Because we don’t know what we don’t know about network config issues, website vulnerabilities, software at risk, and attacks on the perimeter and internal network”
“We need it to help protect us against cyber-attacks and minimise the risk that viruses will hurt us”
“Ohhhh, so it will stop cyber-attacks and viruses?”
“But you said…oh never mind. What will it do?”
“It will plug into our firewalls, websites, servers and other networked kit then extract and consolidate build information, version details and logs so we can identify security holes and suspicious activity”
“I’ll take your word for it. How soon after it’s installed will I know what needs to be fixed?”
“Wellll…first we have to do all the connections. Some devices belong to hosting partners and other third parties so that could take time and get sticky. Then we need to configure it to amalgamate the logs into a standard format to facilitate reporting. Then, when we switch on monitoring with a default set of parameters, we need to review initial output, work out what our benchmarks are for suspicious activity, then tune it over time to minimise false negatives and false positives”
“………….? How soon after it’s installed will I know what needs to be fixed?”
“About 12 months”
“12 months!? I need ROI on spend in 12 months, not basic evidence things are up and running!
So, let me get this right, after 12 months it will start to protect us against cyber-attacks and viruses?”
“Seriously!? What DO I get for my money?”
“You get a picture in 12 months of vulnerabilities in the estate, attempted attacks and successful attacks, but it can take up to 6 months to confirm the reliability of the data feed, assess trends and agree standard benchmarks for what constitutes a critical vulnerability”
“Hold on a second. 18 months?! 18 months until you can start to fix the things you find that are broken?”
“Actually…after 18 months we can liaise with IT and risk teams to propose investment for board sign off, then, if successful, IT can get fixes in place”
“And how long will that take?”
“Difficult to say”
“You cut next year’s BAU IT budget”
“Give me strength! Let’s say funds ARE available and recommended fixes have gone in, THEN we won’t have any more cyber-attacks or viruses breaking through, right?”
“We can’t actually prevent cyber-attacks because……can you stop looking at me like that, you’re scaring me”
“Go on then, tell me, what CAN you do!?”
“We can reduce the number of successful attacks and infections and if you authorise some investment for an extra FTE or so for the incident management team, we can make sure we minimise the impact of the ones that do get past us.”
“Reduce? Let me get this right. You’re going to spend an inordinate amount of money on some kit that will take 18 months to tell me anything useful, then you’re going to want more money to fix problems found and you’re still only going to REDUCE the number of successful cyber-attacks and infections. Then I have to fork out yet more for you to mop up the fallout from the stuff you can’t stop? REALLY?!
Remind me, how many successful attacks and infections have we had in the last 6 months that have cost us any significant money or got the attention of regulators?”
“So why, in the name of all things holy, do you think I’d want to sign this off?!”
“D’you know, I’m not really sure anymore”
“Well, that makes two of us. Consider it shelved. I’ve got a tight budget and things with a far easier-to-prove ROI to spend it on.”
How storytelling, cut through with some pragmatic IT security risk input, might change this conversation:
“We need to make some changes to our security infrastructure. We’ve spent a long time securing things as we go along, with a limited budget, while dramatically increasing our internet exposure. At the same time more people have more means, motive and opportunity to have a go at us. It’s time to take a proper look at where we are security-wise, get on the front foot to deal with new threats and deal with any legacy vulnerabilities.”
“Are you saying you haven’t been managing these risks all this time?”
“No, but there’s been too much change in the network to keep a handle on everything. You and I both know IT hasn’t exactly rushed to engage us when being pushed to deliver something. When you factor in the changing external threat landscape, we’ve got to take stock.
At the moment it’s like predicting the weather with the TV off, no internet access and the curtains closed. We know there’s a risk of leaks and rising damp, because the place is pretty old, but we don’t know exactly where or when problems will happen.
We don’t want to be running round trying to find buckets when a storm hits, then re-plastering everything afterwards. We need to be proactive. Do an expert structural survey, plug the big holes, keep on top of developing problems, monitor for news of bad weather and have the buckets standing by if something does break.
Basically, I want to help you budget for a sensible amount of security to minimise your risks. To know what’s sensible we have to know where we’re starting from.”
“So we get the experts in to sort it out?”
“For some of it, but don’t confuse the specialists with the cowboys. The minute you make it known you’re interested in this, someone is going to turn up and tell you the whole roof needs to be replaced.
We don’t live in the flood plains of the River Severn. Threats big enough to get past good solid defences are rare. You’ll waste money and start to impact people’s ability to get the job done if you lock the place down too tight. Trust your SMEs on this, we know the environment.”
“When we’re done, the odd thing will still break, but we’ll spot it and start minimising impact faster.”
“Sounds sensible, but when do I get my report on fixes needed?”
“It’s going to take about 12 months”
“12 months!? I need ROI on spend in 12 months, not basic evidence things are up and running!”
“It’s not just a 3-bed semi we’re dealing with here. It’s more like a small town, plus a few suburbs’ worth of walls, doors, windows and roofs to get to and check. That’s why it takes so long to roll out, but once it’s rolled out you never need to do that work again; we’ll have centralised sight of it all.”
“It’s starting to sound costly. Are we spending more than our competitors on this?”
“No, this isn’t gold plating; it’s shoring up old foundations. If you moved into a 400-year-old house, you’d expect to have unusual and cumulative maintenance problems (and believe me, in IT terms, some of your network is that old), especially if the place has been extended beyond all recognition, often on a shoestring and without much respect for building regs.
If we’d had the means and sponsorship to do these checks regularly from day one, we wouldn’t need to spend the money now. Think of it as bringing the place up to spec to withstand increasing annual rainfall and some risk of flooding. That’s roughly what’s happening with internal and cyber threats at the moment. Problems are more likely and increasingly hard to deal with.”
“Ok, that all sounds rational, but I can’t talk for the rest of the board. What’s in it for them?”
“You mean apart from it dragging us into line with our peers, significantly reducing the potential fallout from incidents and minimising the chance of fines? You do know regulators will throw the book at us if something goes wrong and they find out we did nothing about known control weaknesses?”
“All fair points, but we’re talking about a limited budget here. One I can invest in things with an easier-to-prove ROI. I’m just being realistic about the challenge overhead spend is going to get right now.”
“I know and this isn’t about security at the expense of profits. It’s necessary capital spend to save effort and pain for the foreseeable future. Come to think of it, haven’t you got some beauty contests with big potential clients coming up? They worry about cyber-threats too. They’ll want robust assurances about our defences and evidence to back it up. Security sells, just like newsworthy data breaches and regulatory penalties kill deals”
“Ok, get some slides together and give me a sensible breakdown of costs and benefits. We might not secure the funds straight away, but I can help you manage expectations. If we warn them and they refuse to check the forecast, or look for holes in the roof, they can’t complain if it rains and the ceiling comes down, can they?”
Simplistic? Maybe. Familiar? Probably.
This is my entirely personal take on some of the tensions that can exist between security specialists and budget holders, informed by 13 years in the IT and InfoSec trade. Vendors in this space, and those shopping, shouldn’t take my implementation estimates too much to heart. Despite using some artistic licence, I’ve hopefully shown how a good story can help break down tough communication barriers, barriers that have been around in the industry for a long, long time.
The Analogies Project was founded for that purpose. Contributors are experts in a range of different fields, all coming at this from their own unique angles, and all donating their work to help others clear the technical fug that often obscures the value-add in much of what we do. It’s not all stories; there is a range of exciting initiatives the project has on the boil.
If you are in need of inspiration, maybe check it out. Or perhaps, if you have your own creative ways to get your InfoSec messages across, you might like to become a contributor. If so, just let Bruce Hallas (founder and curator of the project) know. He’s always on the lookout for new talent.
About the author
Sarah Clarke has 13 years of experience in IT and information security and currently manages the supplier security assurance function for a FTSE 100 insurer, a recent move from a pure IT and InfoSec risk-focused role.
After a degree from Edinburgh University and an early career in sales and customer service, she stumbled into IT by taking a job on a helpdesk. Reportedly not a resounding success because too much time was spent looking into interesting problems instead of taking calls, but it did convince her she was suited to IT. Since then she’s been (amongst other things) a desktop engineer, IT support manager, network administrator, network security consultant, IdM solutions consultant, information security consultant and compliance manager.
She is now a contributor to The Analogies Project, a new initiative to demystify InfoSec and help everyone keep their valued data safe.
You can also follow Sarah on Twitter.