Value, Value, Value


  • I’ve seen a couple of folks write about value and infosec recently. It is an intriguing and difficult subject, and it dovetails with a subject I’m chewing on right now - metrics.

    The first post is from Michael Dahn and it’s entitled, “Does PCI affect the bottom line?” Now PCI, for better or for worse, is here to stay. And if you’re not one of the lucky “self assessment” folks who can get away with a few scans and a questionnaire, PCI is teh 5ux0r. It’s a task that would make Sisyphus feel like he got a pretty good deal. To make matters worse, not only are we asked to perform this Herculean task - our superiors also have every right to question the validity of the task. From Michael’s article:

    Robert Fort, director of IT at Virgin Entertainment Group Inc. in Los Angeles… contended that meeting the requirements doesn’t boost a retailer’s bottom line. “There’s no direct return on investment,” he said. “It will not help us sell CDs.”

    Robert Fort, Virgin Entertainment

    Let me let you in on a little secret. When Robert Fort makes the above comments, he’s not talking about PCI. Nope. What he’s really talking about is InfoSec in general. How do I know? Easy. Because if Mr. Fort were comfortable with his investment in InfoSec in the first place, his quote would be tempered, something maybe to the effect of:

    PCI returns little value in loss or risk reduction over our existing risk management program outside of reducing the potential fines and judgments the card industry would levy against us if we weren’t compliant and an incident occurred.

    Or something like that. Thing is, I can’t blame a person in Robert’s position if he feels like he’s being held hostage by someone else’s risk tolerance. And nobody has given Robert a useful tool or framework to tell him that $X of security spending in Y areas of the ISMS will result in some value statement, Z.

    Now Michael’s answer to Mr. Fort is to attempt to tie the value of PCI to possible reputational damage. I think that’s part of the equation, but not the full answer. I see two ways to really answer Robert. Let’s discuss them briefly, shall we?

    APPROACH ONE : TIE THE VALUE OF AN ISMS TO DISCRETE ASSETS

    I thank years of BCP/DR for this approach. It’s a pretty good premise - asset 172.0.0.1 supports the production of widgets. We produce $W worth of widgets in a year, so 172.0.0.1 inherits some portion of $W.

    The problem with this approach is that 172.0.0.1 is only one of several assets that support the production of widgets. So coming up with the portion of $W that 172.0.0.1 is worth is, well, problematic: every apportioning rule (split it evenly, weight by criticality, assign the full $W to every single point of failure) is a judgment call, and the resulting values sum to more than $W as soon as assets are shared across business processes.

    APPROACH TWO : TIE THE VALUE TO RISK OR LOSS REDUCTION

    This approach can be even more problematic. It involves understanding what risk is, what risk management is, and what your risk management capabilities are, and then expressing value as a probability function. Once you get past those hurdles this approach is the shizzle. It allows you to tell the Robert Forts of the world that $X of security spending in Y areas of the ISMS will result in $Z of loss reduction, or will reduce the risk of losing $N over the next 18 months by P%. Something they can get hold of and chew on, and use to begin to bridge the gap between the payment card industry’s risk tolerance and their own.
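    To make the shape of that value statement concrete, here is an added example (not code from the original post, and not any particular risk framework’s method): a small Monte Carlo model that produces exactly the "$X spent, $Z expected loss reduction, P(loss > $N over 18 months) cut by P%" sentence described above. The choice of a Poisson incident frequency with lognormal per-incident loss is an assumption, as are the rates, dollar amounts, control cost and threshold; they are constructed for illustration and should be replaced with estimates from your own incident and loss data.

```python
"""Added example: quantify "spend $X on control Y, reduce expected loss by $Z /
cut P(loss > $N over 18 months) by P%". Not the post's own code; the
frequency/severity model and every number below are constructed assumptions."""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class LossModel:
    """Compound Poisson-lognormal loss model (an assumption; a common choice)."""
    events_per_year: float  # expected incidents per year (Poisson rate)
    median_loss: float      # median loss per incident, in dollars (lognormal)
    sigma: float            # dispersion of per-incident loss (lognormal sigma)


def expected_annual_loss(m: LossModel) -> float:
    """Closed-form expected annual loss:
    rate * E[lognormal] = rate * median * exp(sigma^2 / 2)."""
    return m.events_per_year * m.median_loss * math.exp(m.sigma ** 2 / 2)


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; adequate for the small rates used here."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


def simulate_period_losses(m: LossModel, months: int, trials: int, seed: int) -> list[float]:
    """Monte Carlo: total loss over `months` for each of `trials` scenario runs."""
    rng = random.Random(seed)
    rate = m.events_per_year * months / 12     # expected incidents in the period
    mu = math.log(m.median_loss)               # lognormal mu from the median
    totals = []
    for _ in range(trials):
        n = _poisson(rng, rate)
        totals.append(sum(rng.lognormvariate(mu, m.sigma) for _ in range(n)))
    return totals


def value_statement(baseline: LossModel, controlled: LossModel, control_cost: float,
                    months: int = 18, threshold: float = 500_000.0,
                    trials: int = 20_000, seed: int = 7) -> dict:
    """Compare the loss distribution with and without the control and return the
    numbers a CFO can chew on: expected loss reduction, P(loss > threshold)
    before and after, the relative reduction of that probability, and ROSI."""
    before = simulate_period_losses(baseline, months, trials, seed)
    after = simulate_period_losses(controlled, months, trials, seed)
    p_before = sum(x > threshold for x in before) / trials
    p_after = sum(x > threshold for x in after) / trials
    reduction = statistics.fmean(before) - statistics.fmean(after)
    return {
        "expected_loss_reduction": reduction,
        "p_exceed_before": p_before,
        "p_exceed_after": p_after,
        "relative_risk_reduction": (p_before - p_after) / p_before if p_before else 0.0,
        "rosi": (reduction - control_cost) / control_cost,  # return on security investment
    }


# Constructed scenario (hypothetical numbers, not from the post):
BASELINE = LossModel(events_per_year=4.0, median_loss=50_000.0, sigma=1.0)
CONTROLLED = LossModel(events_per_year=1.5, median_loss=40_000.0, sigma=1.0)
CONTROL_COST = 150_000.0  # 18-month cost of the control(s), i.e. $X

if __name__ == "__main__":
    r = value_statement(BASELINE, CONTROLLED, CONTROL_COST)
    print(f"Spending ${CONTROL_COST:,.0f} reduces expected 18-month loss by "
          f"${r['expected_loss_reduction']:,.0f}; P(loss > $500k) goes from "
          f"{r['p_exceed_before']:.1%} to {r['p_exceed_after']:.1%} "
          f"({r['relative_risk_reduction']:.0%} reduction); ROSI {r['rosi']:.0%}.")
```

    The output is only as credible as the two LossModel estimates feeding it, which is exactly the "understanding what your risk management capabilities are" hurdle above: the control’s effect has to be expressed as a change in incident rate or loss size you can defend, not a number picked to make the ROSI positive.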

    WHAT’S THIS GOT TO DO WITH METRICS?

    You’ll just have to tune in tomorrow, sorry.


  • 5 comments

    1. shrdlu Jun 18

      Alex is teh T34S0R.

    2. rybolov Jun 18

      I know what this has to do with metrics. =)

      I’ll let Alex keep everybody in suspense, though.

    3. Alex Jun 18

      No,no,no,no,no.

      Give it a go rybolov. We could be on completely different tracks here.

    4. rybolov Jun 20

      Naw, we have yet to disagree. =)

    1. PCI Compliance Demystified » Blog Archive » What rationale works for you when recommending compliance?
