Using Risk to Justify Security Strategy and Spending

I wrote a piece for RiskLens* recently that talks about how to use FAIR for building and justifying an information security budget and strategic initiatives. It's an interesting problem space, since you need the right level of abstraction (program level versus technology level), but it's also a very solvable problem to add risk-reduction justification to these annual budgetary exercises.

Fun story: one time I did this exercise years ago, I actually rated one initiative as *increasing* risk. It started an interesting discussion but the lesson is that not everything will result in less risk to your organization. Budgeting is a complicated amalgam of math, politics, and priorities; be sure to bolster your budgeting process with some risk arguments.
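To make the "initiative that increases risk" point concrete, here is an added illustration (not code from the post or from RiskLens) of a FAIR-style comparison: each loss scenario is estimated as Loss Event Frequency times Loss Magnitude, candidate budget lines are modelled as changes to those estimates, and the annualized exposure before and after each spend is simulated. All scenario names, dollar figures and initiative names are constructed for the example.

```python
"""FAIR-style risk-reduction justification for budget initiatives. Added
illustration, not code from the post or RiskLens; all figures are constructed.
Each scenario = Loss Event Frequency (events/yr) x Loss Magnitude ($/event),
each estimated as (min, most likely, max) and sampled from a triangular."""
import random
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    name: str
    lef: tuple  # (min, most likely, max) loss events per year
    lm: tuple   # (min, most likely, max) dollars per loss event


def simulate_ale(scenarios, trials=20000, seed=7):
    """Mean annualized loss exposure by Monte Carlo. Simplification: the
    sampled LEF is used as a rate times one sampled magnitude per trial."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(trials):
        for s in scenarios:
            lo, mode, hi = s.lef
            events = rng.triangular(lo, hi, mode)  # stdlib order: low, high, mode
            lo, mode, hi = s.lm
            total += events * rng.triangular(lo, hi, mode)
    return total / trials


def initiative_delta(baseline, overrides):
    """Risk change from one initiative (positive = exposure reduced).
    `overrides` maps a scenario name to its Scenario fields after the spend."""
    modified = [replace(s, **overrides.get(s.name, {})) for s in baseline]
    return simulate_ale(baseline) - simulate_ale(modified)


def rank_initiatives(baseline, initiatives):
    """Rows of (name, cost, risk delta, delta per dollar), best first.
    A negative delta flags an initiative that adds risk instead of reducing it."""
    rows = []
    for name, (cost, overrides) in initiatives.items():
        delta = initiative_delta(baseline, overrides)
        rows.append((name, cost, delta, delta / cost))
    return sorted(rows, key=lambda r: r[2], reverse=True)


BASELINE = [  # constructed current-state scenarios
    Scenario("phishing credential theft", (2, 6, 12), (20_000, 80_000, 400_000)),
    Scenario("web app breach", (0.1, 0.5, 2), (100_000, 500_000, 3_000_000)),
]
INITIATIVES = {  # constructed budget lines: (cost, scenario changes after spend)
    "MFA rollout": (150_000, {"phishing credential theft": {"lef": (0.5, 1.5, 4)}}),
    "single customer data lake": (200_000, {"web app breach": {"lm": (100_000, 2_000_000, 10_000_000)}}),
}
```

Calling `rank_initiatives(BASELINE, INITIATIVES)` ranks the MFA rollout first with a positive delta and shows the data-lake consolidation with a negative one: a spend that concentrates loss magnitude can raise exposure even though it appears on the security budget.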

Click here for the RiskLens article: How CISOs Use FAIR to Set Strategic Priorities for Spending

*I am a professional advisor for RiskLens

Zanshin Risk Management

I really enjoyed Bruce Schneier’s recent post on Code Yellow. It inspired me to write about it in the context of personal self defense (and its parallels to the Japanese term zanshin).

I disagree with Bruce’s opinion that being in Code Yellow generally is a bad thing (at least, that’s the impression I got from his piece). Like much in life, there is a balance between seeing danger in every shadow and being alert and aware in our daily lives. For instance, how many people are not living in the moment due to the smartphones in their pockets and what are they missing out on? What danger are they placing themselves in?

Cybersecurity can have a similar problem: jumping at those shadows can be dangerous, but not acknowledging that there could be danger in that shadow can be just as bad, as many attacks depend on catching the victim unawares. It does take practice to strike the balance between paranoia and alertness, but it's one that must be worked at. Organizations with a mature risk management function can successfully negotiate the trade-off of conducting their business and not drowning in losses. Being "In Yellow" really is the job of the risk function of an organization; it's the equivalent of that voice in your head reminding you of the bad things that could happen so that you can make a well-informed decision.

DeVry Charlotte 2014 Commencement Address

On 27 June 2014, I delivered the Commencement Address to the graduating class at DeVry University Charlotte. I was honored to be asked by Dr. Regina Campbell. I didn’t post the address here previously, but I talk about risk so I thought it might be interesting to my followers here. Enjoy!


Thank you to Dr. Campbell for inviting me here today and thank you to the faculty, administration, and staff of the DeVry University Charlotte Campus for the warm welcome they have extended to me. Congratulations to all of today’s graduates, their parents, families, spouses, partners, significant others and all the other recalcitrant folk you managed to bring to today’s proceedings. But seriously, we should all be enormously proud of our graduates today. They join an ever-growing body of DeVry alumni across this nation, Canada, the Caribbean, and other parts of the world that have benefited from the uniquely DeVry experience and how it enhances their careers. I know a little something about this group as I have been honored to have been made a DeVry alumnus three times in my life–and my wife a DeVry alumna twice. All of which means that I’ve had the opportunity to sit where you are now several times and as a result, I know there is truth in the old joke about there being two kinds of commencement speeches: short and bad. As for me, I plan for this one to be short, however I’m also sure that no one plans to deliver a boring commencement address, which may very well account for my knowledge of both the masculine and feminine forms of the Latin noun “alumnus” so well (thank you Wikipedia).

There are several time-honored traditions in American commencement address giving that I am obliged to follow. The first I’ll call the Pronouncement of the State of the Real World. It will come as no surprise to you that we live in a rapidly changing world where our lives and fortunes rise and fall with the technological innovations we love and love to hate. Navigating a career in this environment is nothing short of a lifetime commitment. A recent publication by the Business Insider reported on the most in-demand college majors. The four that topped the list (in order) were Business, Computer and Information Sciences, Engineering, and Health Professions, the sum total of which comprised 82% of new demand. If you’ve identified those as majors that DeVry focuses on and has so prepared you for, you get to get a diploma today, or sometimes later in the mail, as the case may be.


I want what they’re having

When consulting on a security issue, one of the questions that makes me grind my teeth more than any other is some variation of, "What're our competitors doing?" My initial reaction is always, "Who cares?" It's really just a useless way to think about security and risk.

In my experience, no one asks this question because they are looking for a way to spend more on security, layer in additional controls to reduce fraud, or simply to reduce risk. No, this question is almost always asked as an offensive against perceived unreasonableness by information security. It's a political tool or a negotiating tactic to cause you to back down. That should be enough of a reason to dismiss it outright, but there is more nuance to this that makes it distasteful.

Your IT risk decision-making is not a commodity market. Sure, there are security commodities, but the decision making cannot be outsourced to other organizations. Think about it: what if you dutifully came back with an answer to this question indicating that your competitors are doing not just what you are recommending but significantly more, and their budget for this is 5 times what you were planning to spend?

Would they then immediately write a check for that difference? Offer an apology to you and then shuffle out the door defeated? No, of course not. Nor should they. The risk tolerance, assets, lines of credit, cash flow, customers, budget, product mix, public profile, threat agent actions, and loss scenario probabilities are not yours. Simply put, your competitor's risk tolerance and appetite is not yours. As a result, you need to make the best decisions you can with the best (quantitative) data that you have at your disposal. Of course you should seek inspiration from various sources, if you can get it. I love the notion that security folks are a chatty sort that dish endlessly about the goings-on in their companies. Security professionals should be fired for such action — you don't want chatty security people working for you. Information sharing regimes, processes, and protocols exist, but data sharing at that level tends to be categorical, which isn't often useful enough to answer the question being posed. There is one exception to my rant, however, and that is legal. They probably are the ones who would advocate that budgets and controls be increased to reflect the posture of other organizations. Except legal won't fund anything, so you have to go to the business anyway.