There are certain specialties that appear so simple from a layman's point of view that one can't help but wonder what harm there could be in doing the job oneself. But the idiom "a little knowledge is a dangerous thing" originated for a reason. Unfortunately, it is all too often aptly illustrated in organizational risk management practices.

The last time that I tried plumbing, for instance, I reasoned that it's really just a bunch of piping and whatever is going to go on one end or the other. But actually, it's much more. Ask my plumber.

More Than Just Security

Information security is exactly that kind of specialty, and risk assessments are, in fact, much more than a random list of possible threats to be managed.

Nevertheless, information security is frequently given so little weight that it ends up lumped in among the many competing responsibilities assigned to information technology leadership. According to the PwC 2012 Global State of Security Survey, no more than 45 percent of organizations even have a Chief Information Security Officer (CISO). Evidence of this unfortunate trend was recognizable among the more salient headlines resulting from the Sony PlayStation Network, RSA and LinkedIn breaches.

Yet among those companies that have established CISO roles, according to CSO Online, 40 to 60 percent report to the CIO, despite the ripe potential for conflict of interest resulting from differing priorities.

For example, suppose a CIO is charged with implementing a highly visible, multi-million dollar solution from a business partner. If the business partner's support requirements demand its approval of all environment security patches before they are applied, it is quite possible that organizational patch management standards will come into conflict. How likely is the CIO to recommend to senior leadership that the implementation be halted pending corrective action? Would the concern constitute a high, medium or low risk? It may very well depend on who you ask.

Risk Assessment Practices

Risk assessment best practices are commonly grounded in National Institute of Standards and Technology (NIST) Special Publication 800-30 methodologies, in which each identified threat is weighed by the likelihood of its realization and its anticipated impact to determine an overall risk rating.

High, medium and low ratings are traditionally employed throughout the process, and although various models exist for quantifying each, the appropriate selection is ultimately most often based on a considered understanding of the factors involved, including both the relevant business requirements and the prevailing threat environment.

As such, in the example above, the CIO or other business leaders responding to the hypothetical request to halt the implementation pending corrective action may say that unpatched mission-critical system components constitute a low risk, citing the combination of the many other enterprise security controls in use and the significance of the identified business need.

It is also possible that they may wish to assign a medium risk, weighing the aforementioned influences against theoretical doubts about the probability of a realized security incident resulting from unpatched environment vulnerabilities. A third possibility is that the issue would be considered a high risk that should be monitored, while the implementation itself is not halted. The trouble is that each ranking may very well be correct, yet the reasoning behind it and the resulting strategic response may be flawed.

The difficulty in assessing this and other organizational risks lies in analyzing the vulnerability and its probability of impact to the organization thoroughly enough to assign an appropriate ranking and mitigation effort. While business, technical and operational factors should all be taken into account, over-estimating the effectiveness of enterprise security controls or underestimating the probability of exploitation is truly dangerous.

Third-Party Assessments Are Key

While experienced and empowered information security and internal audit professionals can work in cooperation with business leaders to dramatically improve the quality of organizational risk management, the use of a qualified third party is also highly recommended. Benefits of third-party risk assessment commonly include:

  • Results that are not influenced by intra-organizational interests
  • Independent verification of risk management efforts
  • Actionable direction based on cross-industry knowledge and experience

In the end, understanding that information security and risk management are indeed specialties is a valuable lesson. But knowing that lesser efforts tend to produce lesser results can avert costly repercussions. Ask my plumber.

Editor's Note: There are other articles by Peter Spier you might enjoy:

-- Successful Risk Management Starts Small