Risk Management Requires Sophistication?
Mike R. starts of well enough in defining the value-prop of "Risk Management" as opposed to managing threats and vulnerabilities, and goes on to rightfully suggest that in order to manage risk you need to have a "value component" as part of the weighting metrics for decision making…all good stuff:
But more importantly, you need to get a feel for the RELATIVE value of
stuff (is the finance system more important than the customer
management) before you can figure out where you should be spending your
time and money.
It goes without saying that it’s probably a good idea (and an over-used cliche) that it doesn’t make much sense to spend $100,000 to protect a $100 asset, but strangely enough, that’s what a lot of folks do…and they call it "defense in depth."
Before you lump me into one of Michael F’s camps, no, I am not saying defense in depth is an invalid and wasteful strategy. I *am* saying that people hide behind this term because they use it as a substitute for common sense and risk-focused information protection and assurance...
…back to the point at hand…
Here’s where it gets ugly as the conclusion of Mike R’s comments set me
off a little because it really does summarize one of the biggest
cop-outs in the management and execution of information protection/security today:
That is not a technique for the unsophisticated or
those without significant political mojo. If you are new to the space,
you are best off initially focusing on the stuff within your control,
like defense in depth and security awareness.
This is a bullshit lay-down. It does not take any amount of sophistication to perform a business-driven risk-assessment in order to support a risk-management framework that communicates an organization’s risk posture and investment in controls to the folks that matter and can do something about it.
It takes a desire to do the right thing for the right reason that protects that right asset at the right price point. Right?
While it’s true that most good IT folks inherently understand what’s important to an organization from an infrastructure perspective, they may not be able to understand why or be able to provide a transparent explanation as to what impacts based upon threats and exposed attack surfaces really mean to the BUSINESS.
You know how you overcome that shortfall? You pick a business and asset-focused risk assessment framework and you start educating yourself and your company on how, what and why you do what you do; you provide transparency in terms of function, ownership, responsibility, effectiveness, and budget. These are metrics that count.
Don’t think you can do that because you don’t have a fancy title, a corner office or aren’t empowered to do so? Go get another job because you’re not doing your current one any justice.
For an organization that wants to understand its information security
needs, OCTAVE® (Operationally Critical Threat, Asset, and
Vulnerability EvaluationSM) is a risk-based strategic assessment
and planning technique for security.
OCTAVE is self-directed. A small team of people from the operational (or
business) units and the IT department work together to address the security
needs of the organization. The team draws on the knowledge of many employees to
define the current state of security, identify risks to critical assets, and
set a security strategy.
OCTAVE is flexible. It can be tailored for most organizations.
OCTAVE is different from typical technology-focused assessments. It focuses
on organizational risk and strategic, practice-related issues, balancing operational
risk, security practices, and technology.
Suggesting that you need to have political mojo to ask business unit leaders well-defined, unbiased, interview-based, guided queries is silly. I’ve done it. It works. It doesn’t take a PhD or boardroom experience to pull it off. I’m not particularly sophisticated and I trained a team of IT (but non-security) folks to do it, too.
But guess what? It takes WORK. Lots and lots of WORK. And it’s iterative, not static.
Because of the fact that Michael’s task list of security admins is so huge, anything that represents a significant investment in time, people or energy usually gets the lowest priority in the grand scheme of things. That’s the real reason defense-in-depth is such a great hiding place.
With all that stuff to do, you *must* be doing what matters most, right? You’re so busy! Unsophisticated, but busy! 😉
Instead of focusing truly on the things that matter, we pile stuff up and claim that we’re doing the best we can with defense in depth without truly understanding that perhaps what we are doing is not the best use of money, time and people afterall.
Don’t cop out. Risk Management is neither "old school" or a new concept; it’s common sense, it’s reasonable and it’s the right thing to do.
It’s Rational Security.