Network Computing is part of the Informa Tech Division of Informa PLC

The Economics of Information Security: Page 2 of 6

Oracle took a similar approach when it wanted to replace a data center IPS. "We did an analysis of how many alerts we got, how many people it took to run those alerts down and how many of those [alerts] were false positives," says Mary Ann Davidson, chief security officer at Oracle. "For the IDS we had in place, we got something like 80,000 alerts a week, and the false-positive rate was 60 percent to 70 percent. We looked at that versus the system we were piloting, where we found we had far fewer alerts and the ones we got were higher quality. So we said, how many people would we have to hire to make sense of the system we had? It turned out to cost a lot less to replace the system right away."

"Economics--not technology--determines what security technologies get used," says Bruce Schneier, security expert and author of Beyond Fear: Thinking Sensibly About Security in an Uncertain World (Copernicus Books, 2003). "These days, I feel like I do more economics than computer security."

But when it comes to recognizing the benefits of mixing firewalls with financial forecasts, the economists have taken the lead. In the past few years, there's been a growing stream of work by financial economists who apply capital budgeting and investment theory to business information security investments. It's a tantalizing subject for academics because of the paradox at the core: The more successful your security investments, the less visible and less measurable your results.

ROI (or bang for the buck) can't be applied perfectly to information security because often the return on information security purchases and deployments is intangible. Sure, companies invest in some solutions that offer benefits beyond security--faster network throughput in a new router that supports VPNs, for example--and they can calculate the ROI of these indirect benefits. But security requires factoring in the expectation of loss. Statistically, some losses are expensive but unlikely to occur in any given year, for instance, so the expectation of loss over a period of years has to include years in which there is no loss.

Furthermore, the accounting-based notion of ROI doesn't take into account that great chestnut of economic theory, the "time value" of money. Money in hand that can be invested now is worth more than money received later, because the opportunity to invest it during the waiting period is lost. In terms of savings expected by not suffering cybercrime losses, the longer the wait before those savings are realized, the less they are worth. So to make good decisions about those future savings now, they must be discounted according to the time it takes to realize them.

It's a two-way street, too. Costs incurred when implementing a security measure have a lower present value if they can be held off until a future time. That's because that money can be invested in other ways now.
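The two ideas above, the expectation of loss that counts the no-loss years and the discounting of both avoided losses and deferred costs, can be put side by side in a short calculation. The following Python is an added example written for this page; it is not code from the article, and every dollar figure, probability, horizon and the 8 percent discount rate in it are constructed assumptions rather than Oracle's or anyone else's real numbers.

```python
"""Expected loss and discounted cash flows for a hypothetical security control.

Added example for this page. All figures below are constructed assumptions.
"""
from dataclasses import dataclass


def expected_annual_loss(loss_per_event: float, annual_probability: float) -> float:
    """Expectation of loss for a single year.

    A loss of `loss_per_event` occurs with probability p; with probability
    (1 - p) the year passes with no loss at all. Weighting both outcomes is
    what makes the no-loss years part of the expectation.
    """
    return annual_probability * loss_per_event + (1.0 - annual_probability) * 0.0


def present_value(amount: float, year: int, discount_rate: float) -> float:
    """Discount a cash flow received (or paid) `year` years from now to today."""
    return amount / (1.0 + discount_rate) ** year


@dataclass
class Control:
    """A hypothetical control: what it costs and how far it cuts incident probability."""
    upfront_cost: float        # paid once, in the year it is deployed
    annual_cost: float         # paid at the end of each year the control is active
    probability_after: float   # annual incident probability once deployed
    start_year: int = 0        # deploying later shifts every cost (and benefit) later


def npv(control: Control, loss_per_event: float, probability_before: float,
        horizon: int, discount_rate: float) -> dict:
    """Net present value of running `control` for `horizon` years.

    Benefit = expected loss avoided in each active year; cost = upfront plus
    annual outlay. Both are discounted to today. The undiscounted net is
    returned too, so the effect of the time value of money is visible.
    """
    avoided_per_year = (expected_annual_loss(loss_per_event, probability_before)
                        - expected_annual_loss(loss_per_event, control.probability_after))
    pv_benefit = raw_benefit = 0.0
    pv_cost = present_value(control.upfront_cost, control.start_year, discount_rate)
    raw_cost = control.upfront_cost
    for year in range(control.start_year + 1, control.start_year + horizon + 1):
        pv_benefit += present_value(avoided_per_year, year, discount_rate)
        pv_cost += present_value(control.annual_cost, year, discount_rate)
        raw_benefit += avoided_per_year
        raw_cost += control.annual_cost
    return {
        "avoided_loss_per_year": avoided_per_year,
        "pv_benefit": round(pv_benefit, 2),
        "pv_cost": round(pv_cost, 2),
        "npv": round(pv_benefit - pv_cost, 2),
        "undiscounted_net": round(raw_benefit - raw_cost, 2),
    }


if __name__ == "__main__":
    # Constructed scenario: a $500k incident with a 10% annual chance, which a
    # $60k + $10k/year control cuts to 2%, evaluated over 5 years at 8%.
    control = Control(upfront_cost=60_000, annual_cost=10_000, probability_after=0.02)
    result = npv(control, loss_per_event=500_000, probability_before=0.10,
                 horizon=5, discount_rate=0.08)
    for key, value in result.items():
        print(f"{key:>24}: {value:,.2f}")
    # The "two-way street": the same $60k outlay deferred one year costs less today.
    print(f"upfront cost paid now:   {present_value(60_000, 0, 0.08):,.2f}")
    print(f"upfront cost in a year:  {present_value(60_000, 1, 0.08):,.2f}")
```

With these assumptions the undiscounted case looks like a $90,000 net gain, but discounting the avoided losses and the annual outlays brings the NPV down to roughly $59,800; the control is still worth buying, but by less than the simple ROI arithmetic suggests. Deferring the upfront cost by a year lowers its present value from $60,000 to about $55,556, which is the article's point about costs that can be held off.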