The value of risk organizations
How do we approximate the amount of resource we allocate for security? In this essay, we’ll cover some principles before the quant.
Let’s start simple:
- What risks does the organization face?
- How might the security team reduce these risks?
- Were the associated costs worth the reduced risks?
This approach might sound familiar and reasonable. It’s flawed. We’re now cursed with an organization using a perspective on risk from the late 1800’s that will fund a fledgling security organization.
This essay hopes to provide tools to inspect this gap we’ve created with this mindset.
Three sources inspired this essay: Imposing Risk, The Poison Squad, and its associated documentary.
This simple categorization will start our discussion. Direct risk and Imposed risk:
Direct Risk: When we face the impact from a risk event.
Imposed Risk: When others face the impact from a risk event.
Direct risk has a simple impact to our bottom line. How much bottom line impact we avoid can justify the existence of a minimal security organization. If a CISO believes a $5m annual budget will turn $100m of incident costs every four years into $50m of incidents every six years, they have demonstrated the value of a $5m budget by saving $11m annually. ($100m / 4yr = $25m/yr > ($50m / 6yr) + $5m = $13.3m/yr).
Security organizations do not often ask for budget like this, but in all cases there is a sense from leadership that some risk mitigation is happening underneath.
Additionally, security makes money. These opportunities are best seen in enterprise B2B SaaS. Investments in security avoid lost revenue from deals. Security is often involved in sales conversations, questionnaires, compliance states, contract language, marketing collateral from blog posts, etc. It’s for these reasons we wouldn’t want to fully replace a security organization with a strange insurance policy that just insures the risk. A security organization is both mitigating risk while also helping a product.
These were direct risks, consisting of costs and opportunities.
- Costs are the clear expenses that result from a bad day. Avoiding bad days is an upside that funds security.
- Opportunities are the upsides that may attract good outcomes for a business by having good security, and funds security.
We lose money if we don’t avoid costs or seize opportunities. Having some investment in security is beneficial for avoiding those costs and profiting from some amount of opportunities.
The concept of “direct” versus “imposed” risk.
Imposed risk has nothing to do with our own losses. It’s about the consequences to others. Example:
We have a chance of injury in a car accident when we get on the road. That chance is very small. We hop in the car and drive to work if we believe this to be true. That’s the direct risk. We might be personally harmed if we got in an accident. We expect that to be unlikely.
We also put others at risk in our commutes. We hope this risk is very small. It’s possible we are not harmed in an accident but others are. The probability and impact of harming someone else is the risk we impose on others as a result of our actions whether we are at fault (or even know it happened).
Example: We are imposing some risk on others if we are driving safely, and even more risk if we are driving drunk.
Simple. The decisions we make have a direct risk (to ourselves) and imposed risk (on others). Imposed risk measures the possibility of consequences suffered by others as a result of our actions.
Our direct risks would be our own hospital bills, pain and suffering, and lost wages. Our imposed risks would be the same measurements from anyone else involved who end up paying their own bills. Assuming we paid their bills and somehow took on their suffering for ourselves, it would be taken as direct risk.
When we estimate: Should I drive right now?… we should hopefully consider the risks we impose on others with that decision.
It’s a sum of the risks to yourself and others.
But how do we measure imposed risks in justifying the resource for a security organization? This is where our typical estimation of direct risk… avoid breaches and get customers… leaves us with a perspective on risks from the 1800s.
1800's food manufacturing imposed absurd levels of risk on others.
The US food supply near the end of the industrial revolution is a fantastic example of this. Food suppliers felt fine putting formaldehyde, borax, and bleach into food to prevent the risk of spoilage (direct) which of course killed a bunch of people (imposed).
Harvey Washington Wiley led the way towards national food and drug regulation after observing this trend make its way into nearly all packaged food at the time.
The “big food” industry at the time didn’t do a great job regulating itself. Instead, it leaned on caveat emptor and heavily lobbied against regulation. Caveat Emptor when applied to our analogy suggests that if we don’t like drunk drivers, don’t drive. Spoken differently, don’t drive if you don’t like others killing you. Don’t buy our food if you don’t like formaldehyde. Don’t use our product if you don’t like your data breached.
This practice was eventually regulated. Now we have nutrition facts on our food and we don’t unknowingly feed formaldehyde to our babies.
Tech companies impose risks on consumers and society.
An organization may impose risks simply because they exist. This is equal to putting others at risk by going on the road for our commute and varies depending on how much risk they impose (are they driving safely, or driving drunk).
A security breach at an organization often imposes costs to others elsewhere.
Some examples:
- Adobe: Adobe’s code signing certificate was once used to sign malware. Adobe suffered the standard reputation damage needing to write that blogpost (direct), but this also created signed malware for use at targeted companies (imposed). The same thing happened with Bit9. In neither case was it necessary for the malware’s victims to actually have been customers of Bit9 or Adobe.
- Equifax: One of the most surprising aspects of this breach was the fact that most victims weren’t even customers of the company. Equifax had enormous legal costs (direct) but only a percentage of the victims worked to reclaim this in small claims.
- Google: The fight against Bread has similar qualities. Google has several direct costs. Employees investigate this fraud family. Maintenance and development of detection and prevention systems. Lost revenue from customers that stop using the Google ecosystem (direct). The victims foot the bill from SMS billing and Toll Billing (and I suspect ) are unlikely to be refunded. (imposed)
It’s difficult to eliminate imposed risk. Everything we develop and deploy (especially at scale) will impose a risk on others.
Bottom line impact is only the starting point in valuing an organization that mitigates risk. It’s far from the end.
Risk quantification methods are often dollar based. They hope to focus on the bottom line risk and approximate the resource for a security organization.
The result of this is easy to express to management with financial reasoning.
This is to say that direct expenses and losses to a business are a significant component of what an organization should focus on. Bottom line measurements lay the concrete for the existence of a security organization. Bottom line harm is very rational from an accounting standpoint: Avoid incidents and save money. Get customers and make money.
The Gotcha:
Strict bottom line quant with a narrow monetary perspective will always come up short. For a security organization to thrive and minimize risk in the eyes of the public, it has to extend its resource to risks it imposes on them.
Finding a balance: Assuming a part of the imposed risks
Let’s imagine an extreme policy response on behalf of 1800’s food manufacturers: pay for the hospital bills for anyone who drank our milk.
This would transfer 100% imposed risk into a direct risk for the food manufacturer. That’s an unreasonable extreme. It’s fair to say that customers accept some amount of risk, to manage their own allergies and nutrition. There are more reasonable actions the manufacturer could take: Don’t put formaldehyde in milk to begin with, or at least label it.
“Big Food” heavily resisted these changes. These changes would be direct costs for imposed risks. They prefer Caveat Emptor: Let the buyer deal with their own risks, don’t make us pay for it.
Moving ingredients to the food label was a baby step in transferring an imposed risk (serving formaldehyde) into a direct mitigation cost (increased cost to produce goods). Food manufacturers have no idea what customers are doing with their milk and can’t be expected to tolerate all of that risk, and transferred only some risk to themselves instead. Their role describes the ingredients and lets the consumer make risk decisions and be accountable for them.
Whether a company has actually found the right balance is tricky. It’s easier to argue if they haven’t even bothered.
Some of these balances look like:
- We try to avoid security vulnerabilities, but all software has bugs.
- We can keep your data secure, but not if you misconfigure us.
- We’ll keep your account secure, but not if you re-use your password.
Forcing the movement of imposed risks to direct risk
There are many examples where the risks an industry imposes on its customers are transferred back to an organization as a direct risk. It happens in court, by regulatory bodies, or in contracts. However, none of the following examples are uniformly enforced. An organization that only considers direct risks would only see a portion of the overall impact it has imposed come back to haunt them. We undervalue risk mitigation if we assume that lawsuits approximate our risks to others. Here are some examples:
1. Lawsuits transfer imposed risks into direct risks.
Lawsuits transfer some of the risk an industry imposes back to their own bottom line.
A lawsuit (often, a class action) is a method for impacted customers of an organization to transfer impact imposed onto them directly back to its cause.
Most data breaches do not result in a lawsuit. A great paper (Empirical Analysis of Data Breach Litigation) gives us insight into how often data breaches result as litigation. It saw 3.7% of the data breaches in its data set escalate into litigation. Not 100%.
As a result, the data from lawsuits can’t be viewed as a reliable proxy for the risks that are imposed on consumers or society unless it is also assumed to be a small part of the total harm that was imposed. For example, we can’t expect every victim of a cyber security risk joining class actions if we are approximating how much risk we are imposing on customers. Those costs end up elsewhere and are only partially returned to a business through this transfer.
Regulation transfers imposed risks into direct risks.
Regulation forces an industry to transfer some of the risk they impose on others into their own bottom line.
Just as we saw with food manufacturing, regulation can force organizations to increase their investment into the risks they’ve imposed on others. By artificially increasing the duty of risk mitigation on organizations, they reduce the factor of trust that is involved with a consumer to business relationship.
For instance, SB-1386 increased my expectations that a company in California will report a data breach. I rely (a little bit) less on a company’s good will to disclose and nowadays just expect that they want to avoid breaking the law. Compliance with this law is now a direct expense for any company that wants to operate legally. Organizations are more likely to disclose their incidents with this pressure.
Vendor compliance transfers imposed risks into direct risks.
A contract, a security questionnaire, or a requirement for a certification are all examples of a customer forcing a vendor to limit the risks they impose on the customer, or at least describe them. These push direct costs to the vendor.
In a lot of ways, a security questionnaire is the “nutrition facts” of our world.
The customer might have civil recovery options or the ability to exit a contract if there’s a security incident. Without these protections we operate as caveat emptor.
Compliance regimes cannot perfectly predict what sorts of risk we impose on customers or what might be imposed on us. Compliance frameworks are generally prescriptive and uniform across industry. If we’re aware of risks that we impose on our customers that are not considered in a best practices framework or compliance process, then it needs to be accounted for and resourced as well. Otherwise it’s passed on to victims.
Self regulation is the voluntary treatment of imposed risks as direct risks.
An organization that identifies the risks they are imposing to others and finds reasonable balance in minimizing those risks can be described as one that self regulates. This would have to happen before risks are required to be mitigated by regulation and law.
Otherwise, we would have no way to differentiate from competition. If our competition is also forced to mitigate similarly imposed risk, we’re not special, we’re just following the same rules as everyone.
My favorite ketchup came from self regulation.
Heinz took advantage of the rising interest in safe food before it was regulated. (1:09:0). The company created a ketchup recipe without preservatives and embarked on a marketing spree standing behind “Pure Food” with a shelf-stable ketchup due to its natural acidity. Henry J. Heinz himself led lobbying efforts to support the Pure Food and Drug Act in 1906.
The approach that Heinz chose took place in the thick of all of the food scandals of the late 1800s and seized the public interest in eating pure food by selling… pure food. They didn’t take the cost savings and shortcuts with preservative chemicals and instead worked with and developed foods that had a natural shelf life. My unsubstantiated guess is that this had to have been a more expensive business to run, or at least severely limited their upside by limiting their offerings. In the end — Heinz was the only business in the above documentary I still recognize today.
Summary: The value of a risk organization
We have covered the topics necessary to inspect whether a security organization is valued across broad areas of risk within an organization. Here’s our points, in summary:
- Does the business at least minimize its own risks?
If not, this may describe a business that hasn’t bothered to pursue any security practices, even DIY without a security team. We probably don’t work here.
- Can the business offer opportunities to generate revenue?
If not, the security organization isn’t involved with customers or any sort of voluntary compliance framework that might allow the business to express how it is mitigating risks to its customers.
- Does the business minimize imposed risks with customers and or society?
If not, the business is only involved with bottom-line security. It’s unlikely to further invest in privacy and product security programs. It may not invest in protecting customer data as if it were their own data.
We’ll come up short in resourcing a security team if we’re unable to convey these areas of risk or find disagreement in them with our organizations.
Ryan McGeehan writes about security on scrty.io
