Introduction

Developing a comprehensive business case for network security that is rooted in traditional return-on-investment (ROI) modeling can be a challenging task for even the most seasoned executive. IT managers must contend with threats inherent in operating a network, while senior business executives must determine acceptable levels of operating risk. The fast pace of technological change, coupled with ever-increasing reliance on the Internet, has created an environment that is prone to higher degrees of risk and greater vulnerability.

Threats can run the gamut from a professional hacker harboring premeditated intentions to a careless office clerk who stumbles onto a database and inadvertently deletes its contents. Appropriate equipment exists to effectively deal with known and, in many instances, unforeseen issues, but numerous challenges are inherent in implementing such equipment, not the least of which is opportunity cost. The Business Case for Network Security addresses the issue that funding security enhancement represents an active decision not to invest elsewhere in the corporation, and that tangible financial modeling must support security proposals. This book is an IT security-investing tool, written from a business management perspective.

An IT manager tasked with creating a business case must acknowledge that in most corporations, the IT department is not a revenue generator. IT provides a service, albeit a fundamental one, but lacking the ability to directly affect sales does not excuse an IT executive from needing to present objective financial data to further his business case. And therein lies the issue with enhanced security investing. Security has an emotional bias; it is concerned with events not happening—businesses typically invest more heavily after like organizations have been successfully targeted.

A fine line exists between acting preventively and being alarmist. Determining a return on investment for security products continues to challenge both security vendors and corporate executives alike. The challenge is one of assessing ROI in a decisive business manner. This book was written to address that challenge.

There are two distinct audiences for The Business Case for Network Security. Attack types, technical terms, and mitigation solutions are presented in an accessible format for seasoned business executives and board members. The book is written with a minimum of technical jargon; terms are explained, equipment uses are explored, and security is represented as being akin to a core disk in a corporation’s vertebrae. Narrowing the focus for this same audience, Chapter 6, “A Matter of Governance: Taking Security to the Board,” is dedicated to an organization’s executive management and board members. Its discussion centers on return on prevention and the greater implications facing corporations in the current environment: homeland security and the issues inherent in corporate governance.

The book’s sister audience, IT management, is provided with tools to better appreciate an organization’s business. The business plan is effectively positioned so that it addresses the greater needs of the company. The book guides the IT executive through his own corporation, underscoring the philosophy that even society’s most fundamental pieces of political legislation must have public support before they can become law. Drawing this parallel, the book leads the IT manager through a support-garnering program and instills in him the need to educate all users on security practices.

Financial ROI modeling is a fundamental component of security investing, and the book addresses this need by utilizing situation-based surveys to ascertain a corporation’s tolerance for risk. Subjective factors are quantified, and an ROI model, created to address the potential for attack, delves deeply into business case financial methodology to derive a comprehensive return on prevention.

Security policies are the keystone of enforcement, and through a process of monitoring, testing, improvement, and security self-analysis, the book strongly encourages organizations to continually assess their security posture against self-acknowledged business requirements.

This book is separated into three parts and also includes helpful appendix material.

Part I, “Vulnerabilities and Technologies,” covers the following topics:

Chapter 1, “Hackers and Threats”—This chapter presents a high-level overview of the cost of attacks, including pertinent statistical evidence, and explores the benefits gained from security audits. A discussion of hackers—who does it and why—leads into the issues corporations face when the hacker is an employee. The chapter concludes with a discussion of different categories of threats.

Chapter 2, “Crucial Need for Security: Vulnerabilities and Attacks”—By delving further into the core of threats, this chapter, written with the corporate executive in mind, explores a wide array of vulnerabilities, including those which emanate from design, human, and implementation issues. The chapter also discusses today’s most prevalent attack types and includes a discussion on attack trends and social engineering.

Chapter 3, “Security Technology and Related Equipment”—This chapter presents a high-level overview of mitigation fundamentals for the corporate executive. A wide variety of equipment and technology is presented (firewalls, traffic filtering, encryption, digital signatures, strong authentication, intrusion detection and prevention systems, and self-defending networks, along with many others) in a format that is designed to be accessible for the non-technical reader.

Chapter 4, “Putting It All Together: Threats and Security Equipment”—This chapter analyzes the trends of the well-known threats introduced in Chapter 2 and utilizes SAFE, a best-practices guide for designing and implementing secure networks, to present a variety of topology options that can help to mitigate risk by using the technologies explained in Chapter 3.

Part II, “Human and Financial Issues,” covers the following topics:

Chapter 5, “Policy, Personnel, and Equipment as Security Enablers”—This chapter presents an executive-level planning and policy approach to securing each facet of an organization, both its equipment and personnel. The first of two senior management surveys is also presented in this chapter; created for this book, the survey is designed to determine the corporation’s aversion to network security risk.

Chapter 6, “A Matter of Governance: Taking Security to the Board”—Recognizing that security is greater than the sum of its parts, and that many network security decisions are now elevated to the board, this chapter addresses an organization’s most senior executives by exploring the issues inherent in security governance and return on prevention.

Chapter 7, “Creating Demand for the Security Proposal: IT Management’s Role”—This chapter focuses on executive and senior-level IT managers by providing them with tools to better understand the business end of their organization and presents a process to garner support and create demand for security proposals. This chapter presents the second senior management survey, which helps to further quantify the organization’s net return on prevention.

Chapter 8, “Risk Aversion and Security Topologies”—This chapter explores the subjective nature of risk and, utilizing information garnered from the surveys in Chapters 5 and 7, presents topology models linked to an organization’s unique risk-tolerance level. The chapter also enters into a discussion on the diminishing returns of security investments.

Chapter 9, “Return on Prevention: Investing in Capital Assets”—This chapter acknowledges that there are varied financial instruments that can be used to measure the value of an investment. By utilizing financial tools such as net present value and discount rate, amongst many others, this chapter provides IT management with the necessary tools to firmly substantiate the business case.

Part III, “Policies and Future,” covers the following topics:

Chapter 10, “Essential Elements of Security Policy Development”—This chapter delves into security policy formulation by discussing many of today’s most fundamental organizational resources, including both equipment and personnel, that need to be policy protected.

Chapter 11, “Security Is a Living Process”—By introducing the security wheel, a process that ensures continual security renewal, this chapter views prevention as an ongoing investment. The chapter also delves into some of today’s pertinent legal issues and ramifications and concludes with an analysis of network security strengths, weaknesses, opportunities, and threats.

The following is a summary of the appendixes:

Appendix A, “References”—This appendix lists websites and other external readings that were referred to throughout this book, along with references that were utilized during the research process.

Appendix B, “OSI Model, Internet Protocol, and Packets”—This appendix provides an overview of the oft-mentioned OSI model terms found in this book, namely Internet Protocol and IP packets.

Appendix C, “Quick Guides to Security Technologies”—This appendix provides quick-reference guides to the concepts that are covered in this book.

Appendix D, “Return on Prevention Calculations Reference Sheets”—This appendix summarizes the return-on-prevention financial data presented in Chapter 9.

Glossary—This glossary defines key terms used in this book.
