Wednesday, June 2, 2010

Part 1: Ignorance Amongst Us

Recently a study was released by Forrester Research Inc. titled “The Value of Corporate Secrets.” To summarize, it basically goes on to state that although most security programs are driven by compliance regulations, perhaps organizations need to do a better job of securing trade secrets since it has been shown that company secrets (trade secrets, strategic plans, etc) are more valuable then custodial data (i.e. PII, credit card numbers, government identifiers, etc). The full study is available at the below link:

http://www.rsa.com/products/DLP/ar/10844_5415_The_Value_of_Corporate_Secrets.pdf

This study originally caught my eye mainly because it was linked on Slashdot.com with the title “Compliance is Wasted Money, Study Finds.” After reading the study, I am not sure Forrester actually would agree with this statement as much as it is Slashdot’s own interpretation of the study. Forrester breaks down this study into five different sections which I will discuss in subsequent blogs. In this first blog post I will discuss the first section of the study, all leading to what I consider a fairly ignorant title to a study posted by Slashdot and most likely immature conclusions by Forrester.

Company Secrets Comprise Two-Thirds of the Value of Firm’s Information Portfolios

Forrester Finding: For this survey, we asked respondents to identify the five most valuable assets in their information portfolios out of 17 possible types of information ranging from sales forecasts to cardholder data. For purposes of simplicity, we constrained the maximum value to $1 million. On average, enterprises valued their top five assets at $2.7 million in aggregate. Significantly, two-thirds of the value comes from secrets, not custodial data.

My question to the above is what exactly did Forrester use as a control during this survey? In any scientific experiment, groups are treated EXACTLY alike except for the ONE variable being tested at a time. Since I am going to go ahead and assume that this survey took place across many different industries with varying levels of annual revenue and organizational structure and controls, there are too many variables to consider this number to be an accurate representation of the value of corporate assets based on Forrester’s research.

First, organizations vary in organizational structure. The study only says that it interviewed 305 different IT security decision makers. The only reason I bring this up is because in smaller organizations, perhaps the CEO acts as the IT security decision maker as opposed to larger organizations where a CSO might be granted those responsibilities. Asking a CSO and a CEO what their most critical assets are most times is going to result in different answers.

Secondly, did Forrester survey only those organizations which have good asset and data classification programs? This would be very hard for me to believe being that from my experience these types of programs are non-existent in smaller to mid-size organizations. So once again, assuming that Forrester was not able to survey just those organizations which have good asset and data classification programs, how could the person being interviewed actually give an accurate answer as to what their 5 most critical assets are and then proceed to place a dollar amount on them?

Finally, even if we assume this survey to be correct and two-thirds of the firm’s value is in their company secrets, what is not addressed is the potential impact other than a dollar amount that may be incurred by an organization if company secrets or custodial data is lost. Sometimes the reputational impact incurred after a breach is much more costly to an organization than the actual dollar amount of the data stolen. For example, I am much more likely to still do business with an organization whose financials were stolen as opposed to an organization who allowed my personal information to be compromised. So even though the theft of an organization’s financial statements might cost the organization more money, it may not result in the same reputational impact if custodial data was compromised. Many times the reputational impact can be much more costly than the monetary impact.

In summary, I believe there are simply way too many variables and not enough research done in order to truly determine what the value of assets are that compromise an organization’s portfolio. Even if we were to take this conclusion at face value, who cares about the value of the assets? The most important question to ask is the impact to the organization if sensitive assets were to be compromised.

No comments: