Many readers know this already, but about five years ago (long before I came to Forrester) Dan Geer, Kevin Soo Hoo, and I founded an organization called securitymetrics.org, devoted to the study of security metrics.
I moderate a mailing list that has about 800 security researchers, CISOs, consultants, and managers. Discussions are always lively.
One of the list’s most active members, Meritology’s Russell Cameron Thomas, just posted a thoughtful essay on how to value information assets.
I liked his post very much. Russ describes an eminently sensible way to calculate business asset value. At the risk of being reductionist, it involves:
1) figuring out the value of those assets that even the coldest-hearted business analyst would agree contribute to the top line and
2) then figuring out the value of everything else. The sum of those two numbers is the total value.
In practice, though, the assets in the first category (the cold-hearted analyst’s favourite ones) are also the scarcest. A key question would be, “did you build security into the business effort this asset serves from the start, because it was critical to customer acceptance?” I can think of exactly one example in my entire career where this was true. Everything else has been some flavor of bolt-on.
Because security-as-business-enabler sightings are as rare as the Abominable Snowman, just about everything defaults into category #2. As such, to me, the easiest way to value those assets is to apply what (if I remember correctly) was Pete Lindstrom’s test: the value of the asset must be worth at least what you are willing to spend to keep it secure.
Lindstrom’s Razor (if I can call it that) identifies a floor value of the information. It doesn’t require interviews or any sort of guesswork, just a spreadsheet and a few defensible ideas about how to allocate costs that are known and can be measured.
In my book, “Security Metrics: Replacing Fear, Uncertainty and Doubt,” I recommended a similar strategy for quantifying and allocating security cost:
Tying back security costs to business units or revenue-generating systems is more difficult. Cost allocation is, for most organizations, a black art. In fact, given the degree of political wrestling that occurs when figuring out chargeback formulas, one might more profitably call it a full-contact sport. Regardless, security organizations should try, to the best of their abilities, to associate specific expenditures with business initiatives.
Certain security costs are easy to allocate, such as outsourced security monitoring services for a demilitarized zone, single sign-on systems (SSO), application monitoring tools and external audits:
- Outsourced security monitoring services for a demilitarized zone (DMZ). (Strategy: pro rata allocation based on user sessions or bandwidth)
- Single sign-on system (Strategy: pro rata allocation based on deployment of SSO agents on business servers, plus labor allocation)
- Database and web application monitoring tools/firewalls (Strategy: chargeback of per-agent software costs, plus labor allocation)
- Intrusion detection
- External audit fees and consulting (Strategy: direct chargeback if audit is for a specific application; otherwise, pro rata allocation based on issues found)
Other costs may be more difficult to allocate, especially those that are incurred by all members of the organization. Security awareness, training and coordination costs, for example, don’t obviously relate to specific business initiatives; neither do directory synchronization and maintenance tools, anti-virus or other ubiquitously deployed security software.
In these cases, it might be best not to allocate them at all (thus relegating them to everyone’s favorite nebulous category, “infrastructure”). Alternatively, if costs have clear and obvious per-employee expenses (such as anti-virus), then pro rata allocation to each business unit based on headcount represents a fair and transparent method.
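To make the allocation strategies above concrete, here is a small added example (my own illustration, not code from the book or from Russ’ essay) that applies pro rata, per-agent chargeback, direct chargeback and “leave it in infrastructure” to a set of cost lines, then reads off each business unit’s floor value the way the Razor suggests. The business unit names, cost figures and driver counts are constructed.

```python
"""Added example, not from the post: allocate security costs to business
units with the strategies above and derive each unit's floor value.
Unit names, costs and driver counts are constructed."""
from collections import defaultdict

# pro_rata: split by a measured driver; per_agent: per-agent software
# chargeback plus labor split by agents; direct: one owner; unallocated: infra.
COST_LINES = [
    {"item": "Outsourced DMZ monitoring", "cost": 120_000, "strategy": "pro_rata", "driver": "sessions"},
    {"item": "SSO system", "cost": 80_000, "strategy": "pro_rata", "driver": "sso_agents"},
    {"item": "DB/web app firewall", "cost": 60_000, "strategy": "per_agent", "unit_cost": 2_500, "driver": "waf_agents"},
    {"item": "PCI audit (payments app)", "cost": 45_000, "strategy": "direct", "owner": "Payments"},
    {"item": "Anti-virus", "cost": 30_000, "strategy": "pro_rata", "driver": "headcount"},
    {"item": "Security awareness training", "cost": 25_000, "strategy": "unallocated"},
]
DRIVERS = {  # constructed per-unit drivers
    "Payments": {"sessions": 600_000, "sso_agents": 30, "waf_agents": 12, "headcount": 40},
    "Marketing": {"sessions": 300_000, "sso_agents": 10, "waf_agents": 4, "headcount": 60},
    "Finance": {"sessions": 100_000, "sso_agents": 10, "waf_agents": 4, "headcount": 20},
}

def allocate(cost_lines, drivers):
    """Return {unit: cost}; unallocated lines land in 'infrastructure'."""
    alloc = defaultdict(float)
    for line in cost_lines:
        s = line["strategy"]
        if s == "unallocated":
            alloc["infrastructure"] += line["cost"]
        elif s == "direct":
            alloc[line["owner"]] += line["cost"]
        elif s in ("pro_rata", "per_agent"):
            shares = {u: d.get(line["driver"], 0) for u, d in drivers.items()}
            total, remaining = sum(shares.values()), line["cost"]
            if total == 0:  # no driver data: cannot apportion, park it
                alloc["infrastructure"] += remaining
                continue
            if s == "per_agent":  # software chargeback first, labor after
                for u, n in shares.items():
                    alloc[u] += line["unit_cost"] * n
                remaining -= line["unit_cost"] * total
            for u, n in shares.items():
                alloc[u] += remaining * n / total
        else:
            raise ValueError(f"unknown strategy {s!r}")
    return dict(alloc)

def floor_values(cost_lines, drivers):
    """Lindstrom's Razor: a unit's assets are worth at least what is spent on them."""
    a = allocate(cost_lines, drivers)
    return {u: round(v) for u, v in a.items() if u != "infrastructure"}
```

Run `floor_values(COST_LINES, DRIVERS)` to get the per-unit floor; the total allocated always equals the total spent, so the spreadsheet reconciles.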
Ultimately, nothing I write or say is going to settle the argument of how to value all this intangible stuff.
If you have the time and discipline, Russ’ approach is a good one. But if you don’t, use the Razor to calculate the floor value of your information assets based on what you are spending to protect them.