The transition from “it’s all about security and protecting the crown jewels” to “we need to mitigate risk and embrace risk management” is a crucial next step for the information security profession.
Leslie K. Lambert
www.csoonline.com | Dec 27, 2018
A few weeks ago, I spoke at the 2018 SecTor Conference. The ensuing Q&A on the concept of risk soon evolved into a discussion on whether “risk” has become a four-letter word. The kind we’re taught to avoid using in polite company.
Many information security professionals are now embracing the word and concept of risk to elevate their responsibilities and budget requests for business and even board-level consideration. The transition from “it’s all about security and protecting the crown jewels” to “we need to mitigate risk and embrace risk management” is a crucial next step for the information security profession. Despite this reality, some of us still struggle with the word “risk”.
So why is there so much anxiety in infosec circles about this four-letter word?
One reason may be that in many organizations, the mere mention of the word, or rather the concept, of risk conjures up concerns they may not want to know about, may not want to acknowledge, or would rather sweep under the proverbial rug. This reaction may be related to the fact that the organization is unable to effectively manage risk. In these cases, the organization may not be aware of what risks and consequences it is facing, or it has not clearly defined what risk means to it. This may be due to a lack of organizational maturity, including that of key personnel.
In some companies, discussions about risk may be few and far between — especially when the concept is just not a part of the organizational vernacular. This can be due to a lack of clear ownership for risk management activities or appropriate governance processes. These conditions are far more troubling for publicly traded companies, and especially those operating in regulated industries.
Risk management starts with senior management
Without effective leadership from executives, difficulties will arise due to a basic lack of information and understanding of roles and responsibilities. For example, uncovering new risks may lead to a lot of extra work. In some organizations, individuals responsible for carrying it out will not get credit, or may be penalized for the costs and delays incurred. Also, it may be determined that risk mitigation costs are too high, and would take away from previously funded projects.
To complicate matters, prevention is no longer the answer. Overall, organizations are having less success in stopping attacks now than ever before. To adapt, a strong internal understanding of risk is needed, including what it means to the organization and how to successfully mitigate it. What’s critical for organizations to remember is that effectively responding to and managing a security incident is just as important as trying to prevent it in the first place.
As a result, security professionals need to evolve their role from traditional domain experts to business leaders responsible for managing risk, protecting the brand, and upholding customer trust.
This requires a technology agenda focused on delivering a superior user experience to drive growth, as well as managing information risks to operations, profits, IP, reputation and customer trust. It also means security should be positioned as an enabler, not an inhibitor. Being aware of risks and mitigating them are not one and the same. It’s important to recognize the dichotomy of knowing versus doing.
Taking a business-level view of security
Risk is determined by considering the likelihood that vulnerabilities will be exploited and the impact the outcome will have on valuable assets. This risk analysis enables businesses to prepare for and mitigate emerging threats. Yet in practice, even the most seasoned executives and managers often fail to put in place risk management strategies that anticipate future threats and plan for addressing them.
Often the risks that have the biggest impact on a business are those the organization is least prepared to handle, suggesting that most companies do not plan well for unknown threats. These require well-developed crisis management and communications planning, including scenario analysis and red teaming.
The traditional three-step approach to risk management below should be table stakes for security executives:
- Map – know where the data is, its footprint and location
- Monitor – data, user accounts, entities that you are “watching”
- Mitigate – managing what needs to be managed
Moving beyond the concept of risk as a four-letter word requires a business level view of security as seen through the lens of executive management and the board of directors. From this vantage point, risk management is a continuum that spans prevention and response, and whose goal is to limit the operational, financial and brand loyalty impacts of security incidents on the organization.