It’s always about the money

crumpled_bill[1].rI live in a fairly straightforward world, I guess. I’m often accused of being naive but I’d argue I feel enlightened. Put bluntly, I think risk is always about money.

This has to do with my education from Douglas Hubbard. When I hear nebulous problems I know that I can use the methods of Enrico Fermi to decompose them by asking Fermi questions. Most people think this too simplistic for their complicated world, but I’ll side with the Nobel prize winner on this one thank-you-very-much.

I often have to answer for my position when I stoically say that reputation can be measured in dollars. “But Jack,” folks will say, “its so hard to measure that.” I disagree. Why does anyone care about reputation? Well, for businesses, its about the ability to retain and acquire business. For whatever scenario you are analyzing, make some calibrated estimates of how much business you are likely to loose (use ranges) and suddenly you’ve applied some really complicated quantitative methods in a very practical and straightforward manner.

So I was having a discussion about control automation and the reasons organizations spend money on just such a thing. Now, since my worldview on this is that risk = money, it was straightforward for me. Organizations automate controls in order to save money. The howling in protest was fierce. “Jack,” they said, “automation speeds things up so the answer must be efficiency.” “Why do we care about being efficient?” I countered. “Jack, automation also reduces errors, so effectiveness is the answer,” said another. “Why do we care about being effective?” I countered again. Indeed, in all aspects of risk, the answer can be boiled down to money. I want to be faster so I can have the same resources do more work, saving me the cost of buying more. I want to be more effective so that I don’t have more loss events, saving me the cost of responding to them. The other common argument I hear is to blame regulators or auditors, as in “we need to automate to satisfy the auditors.” Once again decomposition helps us analyze this approach–why do we need to satisfy them?

When presented with these sorts of questions I come clean and admit that money drives risk and priorities. We spend money on things we care about, and we spend money to avoid losing money elsewhere. There are countless examples of us using money as a measure of time as well, as in how much would you spend to avoid waiting in line at Disney World? Turns out, there is a service where you can pay to pay someone to wait in line for you, making your holiday that much more pleasurable (although I think its only open to celebrity visitors–and priced for them as well).

Its not cynical, its enlightened. Once you accept this basic premise, all your “hard” problems get that much more easier to model.

Substituting Risk Tolerances

push-button-receive-baconI hate hand dryers in washrooms. I’m not alone: if Wikipedia is to be believed, 63% of people preferred paper towels over hand dryers in restrooms. I’d wager the other 37% choose what they thought was the right answer. Each time I use them, I always end up with cold, wet hands and if I’m forced to stand in front of them, water all over my clothes. I try to stand to the side and I one time watched the blower fling water all the way across the restroom–no small feat. Surely that wet, slick floor I left behind creates a terrible safety hazard. Heck, there is even a dispute about how much more environmentally friendly they are (if full cost environmental impact accounting is to be believed). My problem stems from the simple fact that they largely fail at their stated purpose, that of drying my hands quickly.

So if they are mostly hated, then why do companies implement them? Well, to put it bluntly it’s not like you are going to shop somewhere else because they have hand dryers there. If studies are to believed then I guess companies can save 99% of the cost of paper towels in a single year.

So what does this have to do with risk? Hand dryers (to me at least) are a clear case of substituting risk tolerances. Allow me to explain. When you are done washing your hands, your primary goal is to dry your hands and get out of there as quickly as you can. You are probably not thinking about saving the world with your hand drying choice or even saving money for the business you are at. Your priority here (I often equate priorities with risk) is in direct conflict with the host company. In fact, if its your employer that has the hand dryer, then it means they’d rather you stand there for some indeterminable time until your hands are dry versus getting back to your post as quickly as possible. Okay so may you save a minute or two (I think most people just give up and wipe their hands on their pants, defeating the purpose), but multiply that by how many trips per day times how many people and its no small investment (I used to work with process engineers that thought about stuff like this all the time).

You may be thinking that I’m neurotic about this, and you may be right, but when you think about risk constantly like me you start to see it everywhere. And the hand dryer scenario is not unique. While waiting in line at IKEA at closing time one night, someone in our party asked why they didn’t open up more lanes. The answer is simple–what’s the odds that after spending the last couple hours shopping and schlepping your purchases to the sole closing-time cashier that you would abandon them and sacrifice the last few hours of your life. Slim to none I’d say. Here too is a risk-based decision. They are accepting marginal dissatisfaction in order to save some money on a second or third cashier.

These sorts of trade-offs happen all the time and we hardly notice them. Usually they involve discounting the value of time–yours and mine–in favor of cost avoidance. I try and make these scenarios plain in my mind. I want to know when the value of my time has been discounted. I have less personal tolerance for my time being wasting and I often seek out scenarios where I pay a premium to have more personal time in my life.

How often has your personal risk tolerances been violated without your explicit knowledge? Perhaps its time to manage your resources better…

Private Sector Cyberwar – part 2

I wrote about this last May, namely that so-called cyberwar events are not for the domain of the private sector to defend against. I made an argument that cyberwar perpetrators are in the upper percentiles of attackers (95% +) and that outside of building our organization’s control strength up to that level, let’s just leave cyberwar to governments.

With that a backdrop, I was fascinated by this article that identifies that this exact thing I outlined was actually happening. The bank BB&T has sought help from the government in warding off DDoS attacks believed to be from state-sponsored attackers. This line in particular seemed to reflect my posture on these types of attacks:

“BB&T…and others now say they have spent millions in warding off the attacks and can’t be expected to fend off such attacks from another government.”

If I read between the lines, they have spent a lot of money to raise their control strength, however against attackers in the 95th percentile, its just really outside of their responsibility to defend against it. Like in warfare of earlier times, its time for the generals to step up and keep the farms of the countryside from being destroyed lest they be unable to feed their armies in times of need.

How Security, Audit, and Risk should work together

My article on the role of audit and risk was published in the ISSA Journal this past October 2012. If you didn’t catch it then, you can find it here.

I began this article with a question, when did IT auditing become a profession. With that in mind, I want back to the original version of COBIT to find the answers. This led me down a familiar path: basically that I really don’t want audit doing risk. They will always feel compelled to provide a level of priority, which I would argue is always a statement of risk, but leave risk ranking to those groups that are expert at it.

Be the person on the phone

So I purchased some of those curly cue light bulbs (CFLs), but as I am prone to do, I got the wrong ones (the base wasn’t right). Also like I always do, I bought the giant big box store pack, so it made sense for me to return them. So my family and I roll up to the <big box warehouse store> and I head for the customer service desk. I make pleasantries with the Lady Behind the Counter and inform her of my desire to return these bulbs for a refund. She takes the package, looks it over, and asks where the Sticker is. Its at this moment, were this an 80s high school movie, that some DJ somewhere would cause the record to scratch. For you see, I had no such Sticker on my packaging. I so informed her, and she was exasperated. The greeter at the door was to interrupt my ingress, inquire about the returned merchandise in my hand, tag it with the Sticker and direct me to the customer service desk. Not having done so, there was no way they could possibly know that I didn’t take this off the shelf and walk directly to the desk to perpetrate some fraud.

“We’ll have to check the videotape,” she said.

At this point, I too was exasperated. I attempted to explain that I purchased this and showed her my receipt. She waved over the greeter who was unable to recognize me from the myriad throngs of people that had been so “greeted.” The Lady Behind the Counter began making calls up the ranks. My wife asks if I would like her and my daughter to wait.

“Oh yes,” I say, “having my family nearby makes me look less like a criminal.”

I hear the half conversation over the phone where the Lady Behind the Counter says, “Uh, $16. Oh, okay,” and then hangs up. “We’ll accept it this time, but next time…”

I’ve turned this exchange over in my head countless times since. How could they have authenticated me better? What sort of losses from this threat vector have they incurred that caused them to implement this program? I never had to get a sticker on my returns from the <big box warehouse store> back in Central Ohio…

I’ve used this story several times since as an illustration of the distinction between auditors and risk professionals. It is absolutely critical that somebody be in charge of checking tickets. You need a ticket to get into the show, or in my case a Sticker. The policy says you need a Sticker, so a Sticker is what’s required. It’s also critical that the person at the door check incoming merchandise and apply a Sticker. The former is the auditor the latter is more akin to IT operations. But what of the person on the phone? Ah! They were the risk manager you see. They understood that a policy violation occurred despite my having a valid receipt and a relatively honest looking face. They could have checked my purchase history to see that I spend A LOT of money at their establishment. Sure, they had video of the incident, but for $16, everyone had better things to do. That is a risk-based decision. That’s just being a human being in a room otherwise full of automatons and making a judgement call that there are better things to spent our finite resources on than less than $20 worth of light bulbs that I likely really did purchase.

This is why the notion of something called a “risk-based audit” is somewhat anathema to me. Sure, please do check controls in areas where there is risk in the business, but that will quickly give rise to the causality dilemma commonly referred to as a chicken or the egg scenario: if the audit is meant to reveal high risk areas, then how could we possibly use risk as in input to scoping the audit (which is the premise of the risk-based audit)?

To bring this back home, let me say that I absolutely want and need somebody issuing and checking tickets at the door. But I’d never mistake them for risk managers. And if you wish to progress in your careers as IT risk professionals, try being the person on the other end of that phone call, and stop sweating the small stuff because somebody’s probably trying to run off with a new TV while your squabbling over light bulbs.

Security is an Empty Gun

There is a point where a security exception ceases to be an exception and becomes the rule. Its at times like these that the information security department can swagger in and lay down the law. Put simply, security makes the rest of the business comport to its will, and if push comes to shove security can pull out its piece and compel the action it desires…or else!

Except its the “or else” thats really the problem. Like a modern day Barney Fife, Information Security has no bullets in its gun (we may have some in our breast pocket though-only to be used for emergencies).

This gun metaphor is very helpful for understanding two things about the practice of information security today. First (and obviously) there are the overt violent overtones associated with the imagery above. If we reflect on the perception of security over the past several decades, it’s clear that its viewed as an aggressor. Its a perception that is well earned–keeping things and people safe is by necessity an aggressive career choice, only to be undertaken by those enveloped with machismo. Except in the corporate world this approach is misplaced. Its reminiscent of the over-enthusiastic mall cop, or the former New York City police officer that is now a corporate physical security guard. And this metaphor too is an important lesson in the way information security could be perceived if misapplied (which reminds me of this scene from Goldeneye).

Adapting to the new reality of risk-based security means relinquishing the controls-based security approach that is endemic to the mall cop metaphor above. Which brings me to my second point: If we pull the trigger of that gun, the infecundity of controls-based information security is made plain for all to see. Simply saying “no” to new technology is not an act of machismo anymore; its an act of suicide. Its oftentimes denying the business the very thing it needs to survive. Whether it be cloud, mobile, social media, or BYOD, the modern IT landscape is ripe with opportunities for information security to enable top-line growth, or at the very least to reduce the bottom line. Like the stick-up artist that engenders such fear with its pistol, information security has the ability to effect change, just so long as it doesn’t actually shoot anyone. Hinting at the regulatory hammer(s) to which you are subject is the bullet–its just not in your gun.  Instead, partner with the business to protect against the bullet in the FTCs or PCI Council’s gun, lest you drop the hammer on yours and the business hears the emasculating click of an empty chamber.

In order to achieve success in modern information security programs, there must be an emphasis on the soft skills of negotiation and communication. Effectively communicating a risk scenario using a mature risk taxonomy (one that allows you to communicate threats, control deficiencies, vulnerability, and losses) gives risk decision makers the ability to execute a well-informed decision. And that, after all, is what information security is really all about: enabling decision makers with the information they need to determine if a risk is worth taking.

And now, “Looking Down the Barrel of A Gun” by The Beastie Boys. Apropos.

RIP MCA