He wrote about it here in a post titled "Network Security Budget Cruft - Why you are probably spending waaayyy to much on network security" and this morning pointed us to an interview he gave on the same topic with ITBusinessEdge.
Here's the Reader's Digest version:
Question: Is the realignment important?
Peterson: I think it is a big deal. I really think IT security is out of control; in many cases, they are spending $10 to protect something worth $5, and in other cases they are spending a nickel to protect something worth $1,000. If you look at the numbers objectively, you see why it is out of control, and you can use the investing habits of the business to improve the situation.
Coincidentally, I am giving the keynote at this year's Information Security Decisions show in Chicago on November 5th and will be discussing how "Security" needs to embrace disruptive technology and innovation.
One of the most important facets of this presentation is how security managers must build and manage a strategic security portfolio with investments made over time that align to the business; if you can't demonstrate how what you do supports the strategic initiatives of the company, you're in a bad place. The business innovates, driven by the need to corner competitive advantage. Security needs to do the same:
Question: How do you start building a case to confront the issue?
Peterson: You take the budget and prove it in numbers. When you look at how the business invests and see how security invests, many times it is the opposite. You have to ask questions about that. It's not a one-to-one match. That should be the starting point, and if you want to invest more in other areas, the burden is on you to prove [it is justified].
As Gunnar alludes, if it were easy we'd be there already, and it's really important to understand when we talk about these things that it's not going to happen overnight:
Question: These spending habits must be pretty deeply engrained. It must be a big challenge to turn it around.
Peterson: It is going to be hard to change some of these things overnight. The company has licenses, legacy investments. I would look to where the gap is coming from. When you look to resolve this, I think investing in training and awareness can go a long way. It can't completely solve the problem, but can help by [for instance] showing them how to write more secure code, training database administrators to configure their databases more securely. Doing that is not a huge investment, but ultimately having people helping to bridge the gaps is a huge advantage.
I think Gunnar's topic goes hand-in-hand with the discussions we've been having lately regarding the misalignment and missing language used to describe what we do. IT security is one of the only crafts I've seen where transparency and accountability for spend and alignment are represented as being too difficult and elusive to demonstrate. From Gunnar's initial post:
Awhile back, Dan Geer posed the following questions
How secure am I? Am I better than this time last year? Am I spending the right amount of $$? How do I compare to my peers? What risk transfer options do I have?
Dan asserted, and I agree, that these are perfectly reasonable for senior management to ask, virtually any part of a business can provide some enlightenment on them, and the exception is infosec which has virtually no way to answer any of these today.
These questions are not only reasonable but required. If you can't answer them -- and articulately defend your assertions -- then you're most certainly engaged in the practice of the bastardized and neutered ugly stepchild version of "Information Security" that our industry has become.
"I don't know," "I guess so" and "we use a firewall and SSL" aren't professionally accepted answers to these questions in most career paths. Why are they in ours?
Thanks for the great read, Gunnar.
*** Update: In a freaky bit of coincidence, Alex Hutton was remarking on a comment I made on Shrdlu's Layer8 blog regarding security investments and pointed to Gunnar's post also. Alex's questions are really good...