Two hikers are running away from a bear and climb a tree, but the bear starts climbing after them. The first guy puts on sneakers from his knapsack. When the other guy asks him what he's doing, the first hiker says: "When the bear gets close, we'll jump and make a run for it." The second guy says: "Are you crazy? You can't outrun a bear." "I don't have to," says the first guy, "I only have to outrun you."
Can you blame executives for feeling that IT security strategy has become a sneaker arms race? In the end, only the sneaker manufacturers are winning. The real problem, the bears, are breeding unchecked.
In the early 90s, antivirus was enough. By the mid-90s, you needed expensive firewalls. A few years later, management had to spring for IDS to be secure. And who can forget the glory years when PKI infrastructure was the answer?
Yet, faced with a board that asks: "Are we secure?" can the IT executive confidently answer that all this innovation and investment has paid off?
U.S. GDP growth has been led through technology-driven efficiencies of "better, faster, cheaper." If you accept capital markets' theory that risk and return are indivisibly linked, it begs the question, what risks were incurred through obtaining the benefits of all this technology?
What's critical in managing executive perception is establishing in their minds this linkage of risk and return relating to technology.
There are more risks in technology than just loss of capital. However, given the Standish Group's CHAOS report that just a third of IT projects are successful, and 16 percent get cancelled before they reach completion, you can understand management's tunnel vision on this single risk factor.
The axiom "complexity breeds vulnerability" has been around in security circles for a long time, but what is less well understood is that the homogeneity of the building blocks of complex systems increases risk.
It is certainly more efficient to have only one build, one OS standard, and so on. Even if those standardized blocks are more secure than a set of varying components of similar function, the actual impact of a failure, or exploitable vulnerability, is magnified through the sheer number of "eggs in one basket."
Risk management comes down to a decision whether to accept, invest in mitigation, or assign the business impact of a risk (insure). The process is the same for security risks as it is for more familiar risks such as environmental factors.
Where we as security professionals can do a better job is in linking the risks to the "returns" being reaped from technology.
Executives understand that they need to risk capital to make a return, but do not always make the connection that technology introduces risks beyond the loss of the investment.