Using Risk to Justify Security Strategy and Spending

I wrote a piece for RiskLens* recently that talks about how to utilize FAIR for building and justifying an information security budget and strategic initiatives. Its an interesting problem space as there is a need to have the appropriate level of abstraction (program level versus technology level) but its also a very solvable problem to add risk reduction justification to these annual budgetary exercises.

Fun story: one time I did this exercise years ago, I actually rated one initiative as *increasing* risk. It started an interesting discussion but the lesson is that not everything will result in less risk to your organization. Budgeting is a complicated amalgam of math, politics, and priorities; be sure to bolster your budgeting process with some risk arguments.

Click here for the RiskLens article: How CISOs Use FAIR to Set Strategic Priorities for Spending

*I am a professional advisor for RiskLens

A Cooperative Model for Security, Audit, and Risk: A collaborative approach to risk-based audits

Information technology audit is a relatively recent addition to the professional world of auditing. A review of the history of IT audit leads one back to the Electronic Data Processing Auditors Association (EDPAA), which is the forerunner of what would eventually become the Information Systems Audit and Control Association (ISACA)1. Although EDPAA published control objectives in the 1970s, what would eventually become ISACA’s flagship publication (Control Objectives for IT; COBIT) was published in 19962. In large part, this publication defines controls for IT systems, but is grounded in the definitions of controls codified by The Committee of Sponsoring Organizations of the Treadway Commission Internal Control-Integrated Framework (COSO)3. Clearly, IT auditing was happening before these organizations codified the practice as reliance upon IT systems was identified as critical to organizational success. Indeed, the authors of the original COBIT document identifies their impetus for creation thusly:

“In recent years, it has become increasingly evident to regulators, lawmakers, users, and service providers that there is a need for a reference framework for security and control in information technology (IT).”2

Continue reading A Cooperative Model for Security, Audit, and Risk: A collaborative approach to risk-based audits

I want what they’re having

jumpWhen consulting on a security issue, one of the questions that makes me grind my teeth more than any other is some variation of, “What’re our competitors doing?” My initial reaction is always, “Who cares?” Its really just a useless way to think about security and risk.

In my experience, no one asks this question because they are looking for a way to spend more on security, layer in additional controls to reduce fraud, or simply to reduce risk. No, this question is almost always asked as an offensive against perceived unreasonableness by information security. Its a political tool or a negotiating tactic to cause you to back down. Which should be enough of a reason to dismiss it outright, but there is more nuance to this that causes it to be distasteful.

Your IT risk  decision-making is not a commodity market. Sure there are security commodities, however the decision making cannot be outsourced to other organizations. Think about it, what if you dutifully came back with an answer to this question indicating that not only are our competitors doing not just what  you are recommending but significantly more. Their budget for this is 5 times what you were planning to spend.

Would they then immediately write a check for that difference? Offer an apology to you and then shuffle out the door defeated? No, of course not. Nor should they. The risk tolerance, assets, lines of credit, cash flow, customers, budget, product mix, public profile, threat agent action, loss scenario probabilities are not yours. Simply put your competitor’s risk tolerance and appetite is not yours. As a result, you need to make the best decisions you can with the best (quantitative) data that you have at your disposal. Of course you should seek inspiration from various sources, if you can get it. I love the notion that security folks are a chatty sort that dish endlessly about the goings on in their companies. Security professionals should be fired for such action — you don’t want chatty security people working for you. Information sharing regimes, processes, and protocols exist, but data sharing at that level tends to be categorical which isn’t often useful enough to answer the question being posed. There is one exception to my rant however and that is legal. They probably are the ones who would advocate that budgets and controls be increased to reflect the posture of other organizations. Except legal won’t fund anything, so you have to go to the business anyways.

Security is an Empty Gun

There is a point where a security exception ceases to be an exception and becomes the rule. Its at times like these that the information security department can swagger in and lay down the law. Put simply, security makes the rest of the business comport to its will, and if push comes to shove security can pull out its piece and compel the action it desires…or else!

Except its the “or else” thats really the problem. Like a modern day Barney Fife, Information Security has no bullets in its gun (we may have some in our breast pocket though-only to be used for emergencies).

This gun metaphor is very helpful for understanding two things about the practice of information security today. First (and obviously) there are the overt violent overtones associated with the imagery above. If we reflect on the perception of security over the past several decades, it’s clear that its viewed as an aggressor. Its a perception that is well earned–keeping things and people safe is by necessity an aggressive career choice, only to be undertaken by those enveloped with machismo. Except in the corporate world this approach is misplaced. Its reminiscent of the over-enthusiastic mall cop, or the former New York City police officer that is now a corporate physical security guard. And this metaphor too is an important lesson in the way information security could be perceived if misapplied (which reminds me of this scene from Goldeneye).

Adapting to the new reality of risk-based security means relinquishing the controls-based security approach that is endemic to the mall cop metaphor above. Which brings me to my second point: If we pull the trigger of that gun, the infecundity of controls-based information security is made plain for all to see. Simply saying “no” to new technology is not an act of machismo anymore; its an act of suicide. Its oftentimes denying the business the very thing it needs to survive. Whether it be cloud, mobile, social media, or BYOD, the modern IT landscape is ripe with opportunities for information security to enable top-line growth, or at the very least to reduce the bottom line. Like the stick-up artist that engenders such fear with its pistol, information security has the ability to effect change, just so long as it doesn’t actually shoot anyone. Hinting at the regulatory hammer(s) to which you are subject is the bullet–its just not in your gun.  Instead, partner with the business to protect against the bullet in the FTCs or PCI Council’s gun, lest you drop the hammer on yours and the business hears the emasculating click of an empty chamber.

In order to achieve success in modern information security programs, there must be an emphasis on the soft skills of negotiation and communication. Effectively communicating a risk scenario using a mature risk taxonomy (one that allows you to communicate threats, control deficiencies, vulnerability, and losses) gives risk decision makers the ability to execute a well-informed decision. And that, after all, is what information security is really all about: enabling decision makers with the information they need to determine if a risk is worth taking.

And now, “Looking Down the Barrel of A Gun” by The Beastie Boys. Apropos.

RIP MCA