If you've not read my last post on measuring security you probably should. It talks about how to measure the security of things that make money. That post is mostly focused on things like products that directly generate revenue. This time we're going to talk about a category I'm calling the cost of doing business.
The term "cost of doing business" is something I made up so I could group these ideas in some sensible way. At least sensible to me. You probably can't use this with other humans in a discussion; they won't know what you're talking about. If I had a line graph of spending I would put revenue generating on one side and the pure cost centers on the other side. The cost of doing business is somewhere in the middle. These are activities that directly support whatever it is the organization does to make new money: projects and solutions that don't directly make money themselves but do directly support things being built that make money.
The cost of doing business includes things like compliance, sending staff to meetings, maybe regulatory requirements. Things that don't directly generate revenue but you can't move forward if you don't do them. There aren't a lot of options in many cases. If you don't have PCI compliance, you can't process payments, you can't make any money, and the company won't last long. If you don't attend certain meetings nobody can get any work done. Regulated industries must follow their requirements or the company can often just be shut down. Sometimes there are things we have to do, even if we don't want to do them.
In the next post we'll talk about what I call "infrastructure". These are the things that are seen as cost centers and often a commodity service (like electricity or internet access). I just want to clarify the difference. Infrastructure is something where you have a choice, or can decide not to do it, with a possible negative (or positive) consequence. Infrastructure is what keeps the lights on at a bare minimum. Cost of doing business must be done to get yourself to the next step in a project; there is no choice, which changes what we measure and how we measure it.
The Example
Let's pick on PCI compliance as it's a pretty easy example to understand. If you don't do this it's quite likely your company won't survive, assuming you need to process card payments. If you're building a new web site that will process payments, you have to get through PCI compliance. There is no choice, and the project cannot move forward until this is complete. The goal now isn't so much measuring the return on an investment as it is being a good steward of the resources given to us. PCI requirements and audits are not cheap. If you are seen as making poor decisions and squandering your resources it's quite likely the business will get grumpy with you.
Compliance and security aren't the same thing. There is some overlap, but it must be understood that you can be compliant and still get hacked. The overlap between compliance and security is a great thing to focus on for measuring what we do. Did your compliance program make you more secure? Can you show how another group used a compliance requirement to make something better? What if something compliance required saved some money on how the network was architected? There are a lot of side benefits to pay attention to. Make sure you note the things that are improvements, even if they aren't necessarily security improvements.
I've seen examples where compliance was used to justify 2 factor authentication (2FA) in an organization. There are few things more powerful than 2FA that you can deploy. Showing that compliance helped move an initiative like this forward, and also showing how the volume of malicious activity in the logs drops substantially, is a powerful message. Just turning on 2FA isn't enough. Make sure you show why it's better and how the attacks are slowed or stopped. Make sure you can show there were few issues for users (the people who struggle will complain loudly). If there is massive disruption for your users, figure out why you didn't know this would happen; that means someone screwed something up. It's important to measure the good and the bad. We rarely measure failure, which is a problem. Nobody has a 100% success rate, so learn from your failures.
What about attending a meeting or industry conference? Do you just go, file the expense report, and do nothing? That sounds like a waste of time and money. Make sure you have concrete actions. Write down what happened, why it was important you were there, how you made the situation better, and what you're going to do next. How did the meeting move your project forward? Did you learn something new, or make some plans that will help in the future? Make sure the person paying your bills sees this. Make them happy to be providing you with the means to keep the business moving forward.
The Cost
The very first step we have to consider when we want to measure what we're doing is to do our homework and understand cost. Not just upfront cost but the cost of machines, disk, people, services, anything you need to keep the business moving forward. If there are certain requirements needed for a solution, make sure you understand and document them. If a certain piece of software or service has to be used, show why. Show what part of the business can function because of the cost you're providing. Remember, these are going to be specific requirements you can't escape. These are not commodity services and solutions. And of course the goal is to move forward.
If you inherit an existing solution, take a good look at everything and make sure you know exactly what the resource cost of the solution is. The goal here isn't always to show a return on investment, but to show that the current solution makes sense. Just because something costs less money doesn't mean it's cheaper. If your cut-rate services will put the project in jeopardy, you're going to be in trouble someday. Be able to show this is a real threat. It's possible a decision will be made to take on this threat, but that's not always your choice. Always be able to answer the questions "if we do this, what happens?" and "if we don't do this, what happens?"
Conclusion
This topic is tricky. I keep thinking about it, and even as I wrote this post it changed quite a lot from what I started to write. If you have something that makes money it's easy to justify investment. If you have something that's a pure cost center it's easy to minimize cost. This middle ground is tricky. How do you show value for something you have to do but that isn't directly generating revenue? If you work for a forward-looking business you probably won't have to spend a ton of time getting these projects funded. Growing companies understand the cost of doing business.
I have seen some companies that aren't growing as quickly fail to see value in the cost of doing business. There's nothing wrong with this sometimes, but as a security leader your job is to make your leadership understand what isn't happening because of this lack of investment. Sometimes if you keep a project limping along, barely alive, you end up causing a great deal of damage to the project and your staff. If leadership won't fund something, it means they don't view it as important, and neither should you. If you think it is important, you need to sell it to your leadership. Sometimes you can't and won't win, though, and then you have to be willing to let it go.
I recently came across your blog and have been reading along. I thought I would leave my first comment. I don't know what to say except that I have enjoyed reading. Nice blog.