Headlines

01-28-2010 10:13
IT svet: The spam war in Europe continues

IT svet: European internet service providers are still fighting spam, with varying degrees of success, according to a European report on the prevalence of spam. The gist of the report is that things are neither better nor worse. Judging by the 2009 report of the European Network and Information Security Agency (ENISA), internet service providers are investing significant effort to keep spam messages from reaching end users, above all because they want to retain [...]




Related posts:


03-10-2010 11:08
Sergey Bratus on Learning from Hackers

I just saw Sergey Bratus’s talk at TROOPERS 10. He’s an interesting guy, and his talk was good. He’s a CS professor at Dartmouth, and he’s actually making an effort, on behalf of the academic community, to inject some genuine security clue into the education of CS students. He obviously has a tough topic to address, but he looks like he’s on the right track to me.

One thing he pointed out is that a lot of vulnerabilities over the years have actually resulted from the accidental creation of Turing-complete systems. (He has a nice Cthulhu slide making the point.)

It struck me that one goal of “secure programming” would be the avoidance of the creation of Turing-complete systems. It’s a crazy world when it’s harder to avoid the creation of such a system than it is to actually create one.

Anyway, Marsh and I are speaking in a couple of hours. If you’re here, come by and bring your rotten tomatoes!

 


03-09-2010 18:27
Three Steps to a Rational Security Budget

Security budgets are often based on a combination of last year's spending, this year's threat du jour(s), and "best" practices, i.e. what everyone else is doing. None of these help to address the main goal of information security, which is to protect the assets of the business. The normal security budgeting process results in overspending (as a percentage) on network security, because that's how the budget grew organically starting from the 90s.

A simple three step process to achieving a Security Budget that maps to business reality rather than security silver bullet fantasies is as follows:

Step 1. Gather the relevant data for where the enterprise is investing its dollars in IT. Let's assume our company is Jones Widgets.

Step 2. Apply a "flat tax" for security budgeting, for this example let's say 7%, so if Jones Widgets invests $5M in its Customer relationship systems, $2M in Order Management, and $1M in ERP, this is the starting point for assigning priorities on security budgets. This is the part that security people miss, you don't need to do asset valuation - there is a whole group of people in the business that have already done that for you. Your job is to enable the intent that they have already clearly communicated in budget decisions. 

So, applying the flat tax, Jones Widgets' budget looks like this:

IT System          IT Budget   Initial InfoSec Budget (7%)
Customer Systems   $5M         $350k
Order Management   $2M         $140k
ERP                $1M         $70k

Notice that the starting point in this step is aligning the budget with overall enterprise IT spending. It's not based on whatever area infosec happened to invest in last year, or on what someone at a conference said; it's about starting by aligning with what your business values. It's not about security foo-fa-ra, it's about Jones Widgets.

Step 3. Efficacy. Let's assume that the Customer Management and ERP systems are behemoth third-party packages bought off the shelf, and the Order Management system is built in house, so you have the source code. The way you choose to deliver security to third-party purchased systems versus the ones where you design, build, and deploy the code will vary. So the next step, after initially rationalizing the budget, is to assess what's the most effective security I can get for each area.

It's not that the business budget should trump the infosec budget, but it's a very useful starting point. Moving off of those priorities should require a statement of efficacy: that some security dollars are better spent in, say, the Order Management system, because the company controls the code. So if Jones Widgets' Order Management system is built in house, and the business relies on it to process orders, then if that Order Management asset is compromised it's not like Jones Widgets can go and buy another order system off the shelf from a vendor. It's their core business, their DNA.

So let's assume that Jones Widgets wants to scan its code, invest time in threat modeling and so on for its core business asset. This results in pulling 20% in from the ERP and Customer systems:

IT System          IT Budget   Updated InfoSec Budget
Customer Systems   $5M         $280k
Order Management   $2M         $224k
ERP                $1M         $56k

There's no need to get wrapped around the axle on asset valuation: the business gives you a starting point, use it. Then only move away from that when you can make a concrete case for improving efficacy by altering priorities. Or, put another way: it's your job. Do it.

 
1raindrop
