IT Security Breaches a Major Concern

Story first appeared in the Wall Street Journal

A recent wave of information-security breaches at high-profile companies has many executives on heightened alert. They're trying to figure out everything they can do to prevent breaches, limit the damage if one occurs, and be prepared to rebound quickly from whatever harm is done.

As they consider their options, two questions loom large: How much should they spend to protect their companies' information? And how can they get the most for their money?

Our research suggests they should spend substantially less than the expected loss from a breach, and perhaps spend it differently than many might think.  Investing in a managed IT service is a good way to go, as they typically offer security solutions, backup solutions, and disaster recovery solutions in the case of a breach.

The One-Third Mark

We developed a model to help executives determine the optimal level of investment to protect a given set of information—whether it's customers' personal information, company financial data, strategic-planning documents or something else. The model weighs the potential loss from a security breach, the probability that a loss will occur, and the effectiveness of additional investments in security.

One key finding from the model: The amount a firm should spend to protect information is generally no more than one-third or so of the projected loss from a breach. Above that level, in most cases, each dollar spent will reduce the anticipated loss by less than a dollar.

A second key finding: It doesn't always pay to spend the biggest share of the security budget to protect the information that is most vulnerable to attack, as many companies do. For some highly vulnerable information, reducing the likelihood of breaches by even a modest amount is just too costly. In that case, companies may well get more bang for their buck by focusing their spending on protection for information that is less vulnerable.

Working It Out
The following four-step approach has proved useful in helping executives sort all this out:

Step 1. Estimate the potential loss from a security breach for each of the company's various sets of information. For starters, it's useful to simply categorize information sets as having either Low Value, Medium Value or High Value.

Step 2. For each set of information, estimate the likelihood that it will be stolen, by examining the probability of an attempt to steal the information and the vulnerability of the information to attack. Again, broad categories are useful: Designate each set of information as either Low Threat/Vulnerability, Medium Threat/Vulnerability or High Threat/Vulnerability.

To combine the two factors, assign each a numerical rating—say, on a scale from 1 to 10—and multiply the two numbers by each other.

Using that scale, you might consider any combined ranking below 30 to be Low Threat/Vulnerability, and any ranking above 70 to be High Threat/Vulnerability; different people will draw those lines in different places.

A key point: Information that is highly vulnerable to attack but unlikely to interest a hacker (think of a banged-up old subcompact parked with the keys in the ignition, in a high-crime neighborhood), or that is very attractive to a thief but is very well protected (a brand-new luxury car on the White House grounds), would fall into the Low Threat/Vulnerability category.

Step 3. Create a grid with all the possible combinations of the first two steps, from Low Value, Low Threat/Vulnerability up to High Value, High Threat/Vulnerability. Then plot each set of information on the grid. This gives a clear view of where the greatest potential losses lie—not just in terms of the cost of a breach, but also in terms of its likelihood.

Step 4. Focus spending where it can reap the largest net benefits—where a given amount of money will produce the biggest reduction in potential loss.

Security investments should continue to be made as long as the incremental benefits are greater than the incremental costs—which usually stops being the case where the costs are roughly one-third of the total expected loss from a security breach.

Security breaches can have a substantial negative effect on corporations. However, contrary to conventional wisdom, the overwhelming majority of security breaches have little economic impact on corporations—all the more reason to use this kind of cost-benefit analysis to allocate finite information-security resources.

However, this approach is best thought of as a framework, not a panacea, for making sound information-security investments. It is not a magical formula that can be used to churn out exact answers. Rather, it should be used as a complement to, and not as a substitute for, sound business judgment.


For more technology and electronics related news, visit the Electronics America blog.
For national and worldwide related business news, visit the Peak News Room blog.
For local and Michigan business related news, visit the Michigan Business News blog.
For healthcare and medical related news, visit the Healthcare and Medical blog.
For law related news, visit the Nation of Law blog.
For real estate and home related news, visit the  Commercial and Residential Real Estate blog.
For organic SEO and web optimization related news, visit the SEO Done Right blog.

Spending Soars on Internet's Plumbing

The Wall Street Journal

Behind the recovery in business spending is a surge in purchases of the computers that form the backbone of the Internet, as companies scramble to meet growing demand for video and other Web-based services.

The need to reach customers and employees over the Web is driving furious demand for server systems, the machines that power corporate computer rooms.

Many companies are stocking up on new Dell servers, which typically cost a few thousand dollars apiece, to replace older machines with more energy efficient models or systems with more powerful processors.

Also, an increasing number of businesses are turning to outsourcing companies, which manage computer rooms for customers and in many cases are sharply stepping up purchases of servers to keep up with rising demand.

"We've been buying thousands of computers this year," says Doug Erwin, chief executive of ThePlanet.com Internet Services Inc., a Houston-based company that runs data centers to offer computing services. ThePlanet says it now owns about 50,000 Dell Inc. servers.

International Business Machines Corp., one of the biggest vendors of servers, said Tuesday that sales of industry-standard servers and IT services jumped 30% in the second quarter, after rising 36% in the first quarter.

The buying activity became apparent last week, when Intel Corp. said quarterly revenue from its unit selling server chips rose 42% from a year earlier, while shipments driven by Internet-related companies' purchases nearly tripled.

Growth in Web traffic isn't a new phenomenon, but computer purchasing to keep up with demand is accelerating because of improving economic conditions and technology that makes purchases of new computers pay off more quickly.

On Thursday, Internet giant Google Inc. reported $476 million in capital spending, including spending on servers and other hardware. That was more than triple the amount it spent a year earlier.

Unlike Google, many companies are side-stepping the costs of building their own computer rooms, opting to place servers they buy in "co-location" centers that maintain machines and offer Internet connections.

Rackspace Hosting Inc., a San Antonio, Texas, company that runs data centers, says it added 9,152 servers in 2009, plus about 3,000 more in the first quarter of this year. Savvis Inc., a competitor based in Town and Country, Mo., says it has purchased more than 80% more servers over the last 12 months.

"All I see all day is trucks coming up to our loading docks dropping off servers," says George Slessman, chief executive of i/o Data Centers LLC, a Phoenix-based company. He says the number of customers that have installed servers in its computer rooms has risen from 140 at the beginning of 2009 to nearly 400 now.

The market research firm IDC puts spending on cloud-computing, a term that includes delivering computing capacity over the Internet, at $16.5 billion in 2009, and projects spending in the field will increase 27% a year through 2014—with the number of servers deployed in cloud applications expected to triple to 1.35 million over that period.

Forrest Norrod, Dell's vice president and general manager of server platforms, says the company has seen "triple-digit increases" in its cloud-related business year over year. "The cloud side is growing faster than the rest" of the server market, Mr. Norrod says.

There are several reasons. Companies keep stepping up the use of the Web to reach customers and adding features like video streams that require more computing power and faster network connections.

Such operations generate huge volumes of data, which have forced companies to buy more-powerful servers to help analyze the information, says Mike Long, chief executive of Arrow Electronics Inc., which sells servers and distributes chips and other components.

Meanwhile, companies that stocked up on servers over the past decade have struggled to find space, electrical power, colocation in Maryland, and labor to keep them running. Technology suppliers like Intel and rival Advanced Micro Devices Inc. have reacted by designing chips that offer lower power consumption as well as greater performance. They argue that switching to new servers with such chips can save enough on power and labor costs to pay for upgrades in a few months.

Intel, for example, has overhauled its Xeon line of servers chips to include a model with the equivalent of eight electronic brains on one piece of silicon. The company estimates that a server with four such chips offers a 20-fold performance increase over an existing server with four single-processor chips; that means one new machine can take the place of 20.

Even before factoring in models based on Intel's newest Xeon chips, pricing for some server vendors is on the rise; the average price of Xeon-based servers sold by Hewlett-Packard Co., for example, rose nearly 12% to $3,993 from the second quarter of 2009 to the first quarter of 2010, market researcher Gartner estimates.

Customers have responded, in many cases paying up for servers with high-end chips that command higher prices. Mr. Erwin of ThePlanet says it moved swiftly this year to Intel's new technology, saving his company money on power and labor costs and providing greater performance to offer customers at a higher price.

Zach Nelson, chief executive officer of Web-based software provider NetSuite Inc., plans to use H-P servers with Intel's most-powerful chips in a new data center in Boston. "It maximizes our customer experience and reduces our cost," he says.

Other companies are adding different systems for different computing chores. Susan Shimamura, the vice president of operations at IAC/InterActiveCorp's Ask.com, says the company has traditionally bought only low-end Dell server systems for its Web search function. While continuing that practice, it recently decided to also buy higher-end machines for databases that analyze how people use Ask, she says.

Big-name server makers are not the only beneficiaries. To offer cloud-style services, Rackspace prefers little-known suppliers for attractively priced "white-label" servers "straight from the factory in Taiwan," says Lanham Napier, its chief executive.

Just how long the server-buying boom will last is unclear, amid economic jitters and the fact that cloud companies tend to buy servers in advance signing up customers.

"It's the build-it-and-they-will-come model," says Bryan Doerr, chief technology officer of Savvis.

But companies pursuing cloud computing say demand is so strong that they aren't worried about adding too much capacity. "This is a major tectonic movement," says Manuel D. Medina, chief executive of Terremark Worldwide Inc., which says its cloud business has been growing 30% sequentially each quarter. "There's zero chance of a bubble."