How much security is enough?

Rob McMillan explains why it is best to adopt a risk management — not a compliance — approach to demonstrating due care.


“Reasonable security” is not clearly defined in any regulation or set of best practices, since its definition is subjective.

Provision of adequate information security is a corporate and government agency obligation. However, a standard to measure how, and if, this obligation is adequately addressed remains elusive. The legal community has been searching for a standard, as well as the associated qualitative and quantitative (for example, spending) benchmarks, by which they can measure (or litigate) whether a chief information officer (CIO) or chief information security officer (CISO) is exercising due care. Gartner’s view is that because of the technical and business complexities involved, no legislation will adequately define due care in information security through 2020.


CIOs and CISOs often ask questions that can be roughly summarised as, “How much security is enough?” In these situations, the people asking the question are often trying to make the case that their security is adequate, basing that case on either or both of the following:

• A level of expenditure that matches or exceeds an industry average, such as the figures reported in Gartner’s annual IT Key Metrics Data. However, there are many factors at play, such as variations in risk appetite, whether you are paying way too much for your infrastructure or whether you are paying your staff too little.

• A maturity level expressed within the context of an information security framework, such as Gartner’s ITScore for Information Security. But while there is a correlation between program maturity and security, maturity alone does not tell you whether your security is adequate.

If a court, for example, assesses the adequacy of your security program, then it is likely that some variation of a reasonable-steps test will be applied, depending upon jurisdiction (that is, what a reasonable person would do under the same or similar circumstances).

Such a test is used broadly, and it is possible several variations of it may be applied in any one particular circumstance, depending upon the regulation or case law that applies.


The problem for many practitioners is that the notion of what constitutes “reasonable” steps is imprecise, highly dependent on circumstances and changes over time.

Compliance to an industry standard or satisfactory third-party audits may help mitigate consequences, but may not be a replacement for doing everything that is reasonably needed to avoid damage to the organisation or, indeed, to others.


The bottom line is there is no prescriptive document any organisation could follow that will give complete assurance all reasonable steps have been implemented, and that the standard of due care in a particular circumstance has been met. Each organisation must evaluate its own particular circumstances, and take into account a number of factors to make an informed judgment about what is “enough.”


Focus on managing risk, not compliance

Compliance with regulation is important, but CIOs and CISOs should repudiate any argument that compliance alone is sufficient.

There are many reasons why laws do not attempt to specifically define security due care.

Prescribing solutions for all cases, industries and organisation sizes is impossible and technologies change rapidly.


Furthermore, most legislation is local or national, but many companies operate internationally. International laws evolve even more slowly than national laws, and different national laws that recommend specific technical standards most likely vary by country.

Next, because the threat environment rapidly changes, any definition of “good enough” is temporary. Finally, different organisations have different risk affinities that relate directly to their corporate cultures and business strategies.


Defining reasonable security in the absence of widely accepted standards is difficult. Unfortunately, the marketplace offers a confusing array of security-related standards. Some address industry-specific requirements or regulatory requirements. Various government agencies, such as the U.S. National Institute of Standards and Technology, produce security configuration standards that are highly regarded and used widely in the government sector and, sometimes, the commercial sector. There are technical standards, such as Web services security, Secure Sockets Layer and encryption standards, and emerging standards and guidelines for newer technologies, such as cloud computing. Compounding the problem is that, although official standards may exist, they may be implemented inconsistently among vendors. Often, products use proprietary methods that become de facto standards.


When it comes to information security practice standards, the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission’s (IEC’s) ISO/IEC 27001:2013 provides guidance on how to develop an information security management program, not just a set of controls, that is tailored to particular circumstances. It is complemented by ISO/IEC 27002:2013, which discusses the array of controls that organisations may consider; ISO/IEC 27005:2011, which provides guidance on risk management relating specifically to information security; and ISO/IEC 31000:2009, which provides guidance on risk management more generally. Earlier versions of these standards were the first steps in what has become an almost globally accepted requirement to manage information security as a risk discipline.


The key point to understand is that the guidance documents mentioned earlier are just that — guidance. Following these documents may be necessary, but not sufficient. Likewise, getting certification for the standard may be necessary, but not sufficient.

A strong security program is based on effective management of the organisation’s security risks. A process to do this effectively is what regulators and auditors look for.


How to assess your risks

Each organisation must comprehensively assess its risks for potential damage to both the organisation itself and to third parties, and apply all reasonable steps to reduce the risk to an acceptable level. Be specific, and record your risk profile in some form of risk register. Failure to do so may leave the officers responsible for the organisation exposed to claims of negligence, particularly following a serious security breach.


Any consideration of negligence typically follows a very clear structure with distinct elements. While this is often the domain of legal counsel with relevant expertise (and fodder for discussion in the media), IT and risk executives must ensure they understand how an external party would assess the efficacy of the organisation’s controls against its security risks. This general model gives rise to the following questions that are specific to the information security discipline.


What is the harm that can result from security failure? Consider both the potential damage (financial and otherwise) to your own organisation, and also the potential damage to others, including your employees, contractors, partners and others.

What is the likelihood of failure? As a general proposition, the growing list of failures in systems suggests that the likelihood of security failure in most environments is high. Ensure that you identify the potential threats to your organisation, and model how those threats may act and what the outcomes may be.

Is the failure a reasonably anticipated risk? Reasonable foreseeability does not require that a reasonable person must know how an adverse outcome may occur, only that the outcome is a possibility.

Does the cost of the remedy outweigh the impact of the risk? Organisations must assess the affordability of security technologies, procedures and techniques against perceived threats, in comparison with the value of the assets under protection or the rewards being pursued. The expense of not implementing adequate security can be the cost of mitigating a security failure, such as cleaning up a viral outbreak, or revenue or productivity loss because of unavailable systems or loss of consumer confidence. Fines under various federal and state laws, as well as judgments in civil legal actions, can result from insufficient security investments.

Gartner surveys have found that organisations generally spend 3% to 7% of their IT budgets on information security. However, there may be good reasons for spending more or less, and organisations should investigate expenditures relative to their peers, as well as their own risk profiles, to determine whether they are spending too little, too much or just enough.

Seek an independent assessment of reasonable steps from an auditor. Auditors can help focus management attention on control weaknesses that may have been neglected (for example, due to an erroneous assumption that they are low priority) and, therefore, require resources and management mandate. Separation of duties is a classic example of a control that is often an exception or an accepted risk due to lack of resources.

Above all, recognise that a continually changing notion of what constitutes “reasonable” demands regular reassessment. There will be changes in technology, prevailing industry practice and public expectation. Track changes relevant to your situation, recognising that external expectations may be imprecise and subjective, and will continually change over time.

(Rob McMillan is a research director for security and privacy at Gartner)
