Article by David Spark
Just being great at security is no longer the objective. Security’s purpose is to serve the business and help the organization manage its overall enterprise risk management profile.
To learn more about how to actually do this, Cindy Valladares (@cindyv) and I (@dspark), interviewed six CSOs/CISOs from varied industries who have actually applied risk-based security management to their business. We asked them for their advice on what we should and shouldn’t do when building a risk-focused security operation. We boiled down their advice to 15 tips to improve your business’ infosec risk management practice.
TIP 1: Realize the need for risk management
For years security vendors have been able to play off the general fears of malware and cyber attacks. They’ve advised that if we just bought this product we’d be more secure. As the scope of protecting data has become more complex, we’ve slowly learned that deploying more security controls alone is not a risk management solution.
“We could spend tons and tons of money and not know if we had improved security at all or if we had done the right things,” said Eric Cowperthwaite, (@e_cowperthwaite), CISO at Providence Health & Services in Seattle. “We needed a better way than just installing all the technology you can buy to figure out what we should be doing in our security program.”
For Kirk Herath, VP, CPO, Associate General Counsel, Privacy, Technology & Contract Services at Nationwide Mutual Insurance Company, building a risk management practice is a requirement in their heavily regulated industry.
TIP 2: Risk management is what you do beyond basic controls
“There is a basic set of security controls that must exist from an ‘I have done the right things in a due diligence perspective,’” noted Cowperthwaite.
For example, said Cowperthwaite, with physical security you put locks on doors, add alarm systems, and closed circuit TV. Although there isn’t a full consensus on information security of what that basic set of security controls should be, most know to include anti-virus, firewalls, intrusion protection systems, and spam filtering.
“This is not risk management at all. This is equivalent to putting a lock on the door,” said Cowperthwaite.
TIP 3: Assessing your assets is table stakes
“If you don’t know what your crown jewels are you can’t do risk management,” said Cowperthwaite. “If I don’t know what it is that I need to protect on behalf of my organization I can’t possibly be successful in going beyond foundational due diligence security.”
“You need to understand as a security practitioner what data is important to your board if it gets out and what data is important to just the functionality of the organization,” said Erin Jacobs (@SecBarbie), CIO/CSO for UCB, Inc. “Understand how data moves in and out of the organization.”
After doing a data map, Jacobs learned, “What’s important to the board is not necessarily what’s important to the business units. And what’s important to the business units might be different to what’s important to security teams.”
“There are too many security and compliance professionals that don’t understand the data they’re protecting,” said Jacobs. “It’s hard to consume especially with how frequently people are changing jobs and roles.”
For Jacobs, who has been at her job for seven years, she’s still making new discoveries every day.
TIP 4: Find the business’ risk tolerance
“You can write rules that are risk-averse and risk-absolute. We have found that is a recipe for disaster,” said Herath who advised instead that you have discussions with the business about their risk tolerance.
It’s exactly what Jacobs does at UCB, Inc: “We assess the risk appetite of our organization and the organizations we serve and apply controls around that.”
Be wary that even though security controls can reduce risk, it may cause the business to act more risky therefore not reducing damages. This phenomenon is a function of risk compensation or the Peltzman effect, introduced by Sam Peltzman, who noticed that safety restrictions on cars, such as seatbelts, don’t reduce fatalities. It just makes people more dangerous drivers, said Andy Ellis (@CSOAndy), CSO for Akamai.
“People have a set point of risk tolerance. There is so much risk that they will tolerate and every time you take risk away, they accept more,” said Ellis. “At Akamai, infosec grades a product not on how secure it is, but rather on the product manager’s understanding of the product’s risk.”
Information security exists because of the business. “You must always be doing right by the business. Too often security people think their fiduciary duty is to the goddess of security. Your goal is to be the most awesome security person ever, and you must be the security rockstar,” said Ellis. “That is not how you get trusted by business. You get trusted by business is by demonstrating every day that you are trying to make the business succeed.”
TIP 5: Get out of your office and obtain input from the business
Canon manages risk through conversations that are continuous, flowing, and supportive, said Quentyn Taylor (@quentynblog), Director of Information Security, Governance and Risk at Canon for Europe, Middle East and Africa (EMEA).
“I want my people out there talking to the business and suggesting ways forward. I don’t want people to end a conversation with, ‘No, you can’t do that.’ I always want it to be a case of ‘That might not be the optimal way. There may be a better way of achieving exactly what you want to achieve,’” said Taylor.
Cowperthwaite’s team at Providence Health and Services has an unskewed crowdsourcing technique to assess their organization’s assets. They connect with the business by issuing an anonymous survey to 125 senior operational officers asking them what they think is the most important information.
“You can’t do risk management if you’re not engaged with what everybody else is doing operationally every day. So get out of your office. Stop fiddling with firewalls and go find out what your business does,” said Cowperthwaite. “You have to have agreement with people that are impacted and have to do the work.”
It is security’s responsibility to become business aware and learn about business operations, said Taylor who advised security professionals to simply look at the organizational chart for team leaders to learn from and ultimately then influence through an inevitable two-way dialogue.
TIP 6: The business must be accountable for infosec risk
Your business’ security department should never accept the risk for a specific issue, warned Roland Cloutier, VP, CSO at ADP Worldwide, who has seen many companies screw this up. The business must accept the risk.
“[When a corporate officer signs a risk acceptance letter] it changes the tone of the conversation. They’re looking for your (security’s) help and they respect that you sat down and partnered with them to deliver the options. And they know you will support them going forward if they run into obstacles specific to that risk or the board has questions,” said Cloutier.
TIP 7: Risk can be determined by regulators
While compliance does not equal security, falling out of compliance can be financially damaging and therefore highly risky.
“We exist because of GLBA (Gramm-Leach-Bliley Act),” admitted Herath of how regulators often manage his risk. “It’s hard in a highly regulated industry to make what academics might think is a perfect risk calculation.”
While Nationwide has had an infosec practice prior to GLBA, Herath confessed that it changed dramatically as a result of this regulation.
Cowperthwaite agrees and points out that HIPAA security rules dictate that his health organization must have access management. It’s not an addressable specification, it’s a requirement. Referring to “TIP 2,” it’s not risk management at all, but rather a basic foundational thing that he has to do.
TIP 8: Risk management changes depending on what’s reasonably possible
Risk-based security management exists because we don’t have an infinite amount of resources. Not only are we looking at assets, but also what our business and its staff can reasonably do. As we evolve the notion of what is reasonable for our business, we need to have conversations between information security and the business so that we design policies for which organizations can adhere.
“What was science fiction ten years ago is considered highly reasonable and therefore expected by regulators and courts today,” said Herath who noted that 12 years ago encryption wasn’t affordable, interoperable, or practical. Today it’s very much all of those things.
“The law doesn’t require us to be absolute, but the law requires us to be reasonable,” said Herath. “It inherently calls out that you have the ability to manage your own risk and your own space based upon the size, scope, scale of your organization.”
TIP 9: Manage the unknown risk and measure success based on risk management adoption
“We make risk judgments based on what we’re aware of and what feels really present to us,” said Ellis noting that traditional risk thinking can cause us to make bad awareness decisions.
Ellis highly recommends considering unexpected or even unknown events. He takes this to such an extreme that he actually has meteor strikes and zombie apocalypses built into Akamai’s incident planning – likelihood of these events happening is another matter.
“I want to see my risks go up. I want to know they’re being documented well. I want to know they’re being entered into the platform,” said Cloutier of creating a greater library of “risks he knows.”
Knowing about and managing more risks is a measure of your organization’s maturity, said Cloutier. To get there, ask yourself these questions:
- How fast did you identify the risks from the time that they started?
- How fast did you come to risk resolution (agreement with the business)?
- How fast did you close that risk?
- Did you impact the enterprise risk measurement?
TIP 10: Risk management is often about balancing risk and opportunity
“Risk and opportunity are two sides of the same coin,” said Taylor noting that security can sometimes be close-minded saying that we can’t accept that risk. “In some cases you can say, ‘We can accept that risk and that gives us the opportunity and ability to exploit that situation.”
Risk management is only downside risk. That’s where infosec operates. Conversely, business leaders deal with upside risk every day, noted Cowperthwaite.
TIP 11: Use the KISS (Keep It Simple) Principle
Don’t try to numerically quantify risk-based security management. There’s a belief that risk-based security management can be boiled down to numbers and that you can quantify the risk and compute the annualized loss, said Ellis.
“Well, I expect I could lose this much money. So if I spend this much resources then I can mitigate it by this percentage and that was a good investment,” mimicked Ellis of this common approach. “That belief stems from the fact that there are risk disciplines like that.”
While Ellis thinks this might work for fraud and petty theft, he doesn’t believe it will ever work for general information security because of the qualitative variables.
The desire to quantify is understandable since a lot of risk speakers at conferences are from the financial services area, noted Taylor.
TIP 12: Don’t overstate impact of risk in terms of the business
“Security and risk management professionals have convinced ourselves that our business counterparts just don’t understand what we do. Clearly if they understood, they would agree with us,” laughed Cowperthwaite of this admittedly very dangerous thinking.
“Information security people get hung up on their own information security risks without realizing that the real impact of the other risks is far greater,” said Taylor noting that other business-centric risks such as the economic climate and what’s going on with the Euro have stronger continuous impact on the business.
Cowperthwaite boiled it down to very obvious numbers. His health organization is a $12.5 billion business that just made an affiliate agreement with a $3 billion company.
“That’s a $3 billion bet. That’s our biggest risk right now. Cybercrime is not a $3 billion risk,” said Cowperthwaite. Look at the T.J.Maxx breach, that cost them $256 million. It’s bad, but not at the same level as this business risk.
“This is where we have to be conscientious about educating in an honest way about the impact. Don’t try to tell them how big or small the deal is. Just tell them what it is,” said Cowperthwaite.
“With the exception of a data warehouse catastrophe, there is almost no information security risk here at Nationwide that comes anywhere near matching our other enterprise risks around the markets, around natural disasters,” said Herath who admitted a single hurricane can cost them $400 million.
TIP 13: Define your process and make it repeatable and fast
Risk management must be a business process dictated at the corporate level and it has to be a non-option, said Cloutier. At ADP, their risk management process is centralized, clearly defined, consistent, predictable, and fair across all business units.
Similarly, at Nationwide, every application put into production goes through a security certification and accreditation process where it’s given a risk-assessed grade of low, medium, high, or severe, said Herath.
As you’re defining your process, make sure to be speedy, because as Cloutier noted, “The most painful thing about risk assessment is risk assessment itself.”
TIP 14: Get input on how well you’re doing
While Cowperthwaite’s team surveys business leaders on what information they think is important, they also ask how well they think the infosec team is doing to protect it.
Answers to that question can greatly change the risk profile, said Cowperthwaite. For example, when they asked how important cybercrime was, it was listed, by importance, in the middle of the pack of 40 issues. But when they asked the business how well they thought they were doing to protect against cybercrime, they didn’t think it was going so well so the issue moved up in importance.
CONCLUSION and TIP 15: Getting better at risk management requires building trust and confidence over time
In order for a security-based risk management strategy to be successful, it is clear that we need to better align our security efforts with the goals of the business. That partnership with our business counterparts is crucial to the success and advancement of our careers. “Our livelihood depends on trust and confidence,” said Cloutier.
“You have to build up a bank of goodwill and it’s a continuous process,” said Taylor. “You’re all working towards the same goal. You’re all trying to hit the same targets and you’re just trying to help them out and help them achieve those targets.”
And that confidence and trust is built over time and by listening to the needs of the business. “We have to demonstrate that you can make the business succeed,” noted Ellis.
What’s your TIP 16, 17, 18…?
There are so many more security experts and many more tips for risk management that we couldn’t fit into this article. Please help us make this a fantastic resource that everyone can use to improve their risk management practice. Add your tips to the comments below, or even debate the tips we already have here. Thank you in advance for participating.
Cross-posted from Tripwire's State of Security