I have had the opportunity to work as both an information security leader and a risk management leader. Through that experience I have come to believe that one of the biggest failings of infosec is our position as a gatekeeper for projects. A move toward a relative-risk management approach can significantly improve organizational security.
Traditionally, information security has been a gatekeeper. There is an information security review of an initiative, with some kind of result that boils down to “pass” or “fail.” The review may be a manual review of a project by a security analyst, a vulnerability scan run against a new application, static code analysis performed against some source code, or a questionnaire that is completed and reviewed. Whatever shape the review takes, the result is either a stamp of approval or a rejection. This process turns security into a binary function: a system is either secure or it is not, with no middle ground. That does not accurately reflect reality.
In addition to turning security into a false dilemma, the gatekeeper model imparts far too much power to the information security team. They are forced into making significant business decisions that should be made by senior business leaders. Should that application enhancement be released? Should that new web solution be turned on? In the traditional security model these decisions may be in the hands of a security professional who understands the security impact, but not the revenue, reputational, legal or other impacts of the decision.
Rather than this binary information security model, I believe the right solution is a risk management focus, where our review result is not a 1 or a 0 but a point on a risk spectrum, from which we report the relative risk of a particular initiative. That risk rating is provided to our customers in order to empower them to make a business decision.
We can still use those same review touch-points (manual reviews, vulnerability scans, static analysis, questionnaires), but instead of an output of yes or no, we assign each finding a likelihood and an impact. The product of those two elements becomes the risk score, and that score must be communicated to the appropriate business owner so they can make a risk management decision: do they mitigate the risk, transfer it, avoid it, or accept it?
Risk Management focused security empowers the business to make better decisions
If you are a security person and concerned that security loses power under this model, don’t be. You are still creating the risk score for these reviews, and your judgment is critical to the process. In fact, this shift allows you to provide unfiltered feedback on the risk of the project, without the pressure to soften things in order to give a “passing grade” that we may feel in the traditional model. And really, is the ability to say “no” all that helpful? Being the Department of No sets us up as the enemy and encourages people to seek ways to circumvent us. In addition, in those high-profile cases where security does say “no” to releasing an important product or enhancement, the business may very well overrule us anyway. By delivering the security review in a risk management format, the security professionals fill the role they are best suited for (evaluating security) and the business weighs risk against reward.
Another benefit of the risk management approach to security is that the result of the security assessment can and should be revisited later. Each risk should be stored in a risk register, where it is reviewed periodically to determine whether its likelihood or impact has changed significantly. A risk that was considered low impact may become a much bigger deal if the type of data the system stores changes. Or the likelihood of exploitation may increase dramatically if a system moves from the private network to the internet. In the old binary security world we are likely to lose track of these kinds of changes, because once a system has “passed,” nobody is looking at it again.
Implementing a risk-management-focused information security program not only increases the security of the organization; it also increases collaboration between security and other technical stakeholders, frees security to do what it does best (instead of making business decisions), and improves the organization’s risk awareness.
Cross-posted from Information Security from Robb Reck.