A CISO should have a good ‘nose’ for risk. Nick Frost, global account manager at the Information Security Forum, states this view, which encapsulates why a box-ticking approach to information risk management can often fall short.
Donald Rumsfeld, the former Secretary of Defense, is often parodied for his famous “unknown unknowns” comment. When asked, in February 2002, about the Saddam Hussein regime and its putative willingness to provide weapons of mass destruction to Islamic fundamentalist terrorists, he said: “Reports that say that something hasn’t happened are always interesting to me, because as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns – the ones we don’t know we don’t know. And if one looks throughout the history of our country and other free countries, it is the latter category that tend[s] to be the difficult one.”
As a general precept, was this comment so risible? Unknown unknowns are difficult! Similarly, so are so-called ‘black swans’, as discussed in Nassim Nicholas Taleb’s work: those rare events of high impact that are hard to predict.
In recent months, the Icelandic volcano has assumed the form of a black swan in terms of its impact on travelers and (some) businesses. How risky does air travel become in such circumstances? Are you willing, following British Airways’ intrepid Willie Walsh, to take a chance on the ash?
"It is good when the information risk manager is not noticed when he goes on holiday"
Alessandro Moretti, UBS Investment Bank, Switzerland
The military has a highly developed risk culture. Interviewed on the UK’s BBC Radio 4 Today program, Major Richard Streatfeild, recently returned from a tour of duty in Afghanistan, commented that adjusting to the very different risk environment of civilian life is a challenge. Obeying the rules of the road, for example, is less of a priority in the upper Sangin Valley than it is in rural Connecticut. Context changes the calibration of risk.
Likelihood and Impact
The ISF’s Nick Frost, who has been running information risk management programs for five or so years, stresses that the discipline is about “understanding the likelihood and impact if there is a breach. And some of the methodologies and tools that are around don’t do that well enough. Organizations need to start off with understanding what information is critical to the business and what is not”.
He attests, looking across the corporate membership of the Information Security Forum, that there has been great progress over the past few years in organizations’ approach to information risk assessment. “There has always been a healthy focus on information risk assessment across ISF members, with many of them embedding their risk assessments within systems development lifecycles and, in particular scoping risk assessments to cover business processes and not just individual systems”.
All of which is aimed at understanding how your particular business works rather than the technology it uses. Who are the key players? Nick Frost emphasizes that performing information risk assessment provides more accurate information on risks, which enables the business to make better informed decisions.
“By scoping information risk assessment programs at the business process level, risk analysts are able to identify and engage the right business people to take part in the overall assessment”. Frost emphasizes that “[while] it might be a great opportunity to engage C-level individuals in an information risk assessment, they may not always understand the practical value of information that’s required for a business process to function, as well as those individuals below the C-level structure – and consequently their contribution may not be as valuable”.
"Throughout the history of our country and other free countries, it is the [unknown unknowns] that tend to be the difficult ones"
Donald Rumsfeld
Although information risk management is maturing, it is not quite there yet, says Frost. “Information risk is a little bit behind financial risk in terms of maturity. Information security or information risk functions need to continue focusing and using the business process level to drive information risk assessments to help organizations get to the next level of maturity. A key area that is often untouched in information risk management is risk reporting. There can be a tendency to publish reports for the business containing the raw data from a risk assessment that is typically technical in nature and focuses on what can go wrong if controls are not put in place. Organizations need to start considering reporting opportunities to the business if investment is made to reduce the risks to a more acceptable level”.
Maturity and Titles
What, then, does maturity look like? Frost says organizations with mature information risk management (IRM) practices are typically decentralized, and are often aware of the triggers that initiate reassessment – “for example, macro changes, whether outsourcing, changes in staffing levels, entering new markets or taking part in a joint venture business opportunity; not the latest polymorphic virus! And they are often engaged in forecasting changes in risk profile based on the organization’s business plans.”
Where should information risk sit within a business, and does it require its own job title in senior management? “The ideal interface is when it sits neatly alongside operational risk”, Frost explains. “In practice, risk assessment is very discipline based, so the approach to assessing credit risk is very different to assessing legal risk or information risk – consequently, the idea of using one approach to assess multiple risk types is not highly practical”.
Is IRM a science or art? “If anything it’s an exact art and an inexact science”, he says. It is important to recruit risk managers with a strong business understanding. “You definitely need technical staff on the operational side, but you need a good balance”. Frost confirms that having run information risk management projects for the past five years, “I am seeing big improvements with the creation of information security steering committees and governance committees and broadening the skill set to include more legal and compliance representatives”. It is important that people from HR and legal are there so that they can help explain the typical consequences to the business if there was a breach of confidentiality, integrity or availability of business-critical information.
Risk lists need to be backed up by “good incident data”. Frost says “having a good bank of historical incident data across the organization can help focus the risk assessments on what events have caused the most damage in the past”. However, such lists will not, perforce, itemize ‘black swans’ – high impact, low likelihood: those tend to be unforeseen natural disasters, such as the Icelandic volcano.
As for risk analysis tools, it is, he says “better when they are not over-engineered; organizations need a practical risk assessment tool that is capable of mapping to the level of maturity of an organization that helps to facilitate a risk assessment workshop”.
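Frost’s two points above, that risk assessment rests on likelihood and impact, and that historical incident data helps focus it on what has actually hurt the organization, can be put into a small risk-register calculation. This is an added illustration, not a tool from the ISF or the article; the incident history, scenario list and loss figures are constructed, and the helper names are hypothetical. It also shows the caveat in the text: a ranking driven purely by past incidents underweights high-impact, low-frequency scenarios, so those are surfaced separately for scenario planning.

```python
"""Constructed example: rank risks by annualised expected loss from incident
history, then flag high-impact, rarely-seen scenarios that the ranking underweights."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Incident:
    scenario: str
    year: int
    loss: float  # constructed figure, in thousands


# Constructed three-year incident history (not data from the article).
HISTORY = [
    Incident("phishing", 2007, 40), Incident("phishing", 2008, 65),
    Incident("phishing", 2009, 55), Incident("lost laptop", 2008, 120),
    Incident("insider data sale", 2009, 900),
]
YEARS = 3
# Constructed impact estimates for scenarios under consideration, in thousands.
SCENARIOS = {"data centre destroyed by natural disaster": 5000,
             "insider data sale": 900, "phishing": 50}


def annualised_loss(history, years):
    """Return {scenario: (frequency per year, mean loss, expected annual loss)}."""
    totals = {}
    for inc in history:
        count, loss = totals.get(inc.scenario, (0, 0.0))
        totals[inc.scenario] = (count + 1, loss + inc.loss)
    result = {}
    for scenario, (count, loss) in totals.items():
        freq = count / years          # likelihood, from observed incidents
        mean = loss / count           # impact, from observed losses
        result[scenario] = (freq, mean, freq * mean)
    return result


def rank_risks(history, years):
    """Scenarios ordered by expected annual loss, highest first."""
    ale = annualised_loss(history, years)
    return sorted(ale, key=lambda s: ale[s][2], reverse=True)


def black_swan_candidates(scenarios, history, years, impact_threshold):
    """High-impact scenarios seen at most once (or never) in the history: incident-
    driven ranking cannot size these, so they need scenario planning instead."""
    ale = annualised_loss(history, years)
    flagged = [name for name, impact in scenarios.items()
               if impact >= impact_threshold
               and ale.get(name, (0.0,))[0] <= 1 / years]
    return sorted(flagged)
```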
Balancing Different Stakeholders
Alessandro Moretti, (ISC)² European Advisory Board member, and executive director for IT Security Risk Management at UBS Investment Bank in Switzerland, says information risk management always presents a “complex picture, especially in a large corporate. As stakeholders, you have those who set and control standards; those who implement those; those who look after data protection requirements, and other legal contractual arrangements; compliance officers; and the business owners of information – how it is used and transformed.
“So you get issues around competing business requirements, especially in multi-dimensional organizations. You have what the business wants to do and what control setters want to do. The information risk manager’s job is to harmonize these competing demands. It is good when the information risk manager is not noticed when he goes on holiday!”
Foresight
Moretti comments that “people are being more foresighted about what is happening in the threat landscape”. He believes there to be “a maturing of the legal and infosecurity professions, and more cohesion as they work together”. There is also more awareness of emerging threats such as insiders selling data.
“Governments are now acting in a different manner, around banking secrecy, for instance. There is more pressure there, governments wanting to know who is avoiding tax, and so on”.
"When risk management is an integral part of an organization’s ‘go to market’ strategy, a balance is created between the offensive and defensive nature of the company"
Robert O’Brien, Baronscourt Technology
Moretti also believes that the infosecurity profession has been behind the curve. “It’s been setting controls according to a security model where point solutions are deployed at entry and exit points. We need to look more at applying security as it traverses the organization, which is the sense of DRM [digital rights management], ensuring [that we] don’t lose the integrity of the data.”
“Historically, we’ve had a parameterized view that derives from the early days of applying security to one computer system. This is not sustainable”.
Moretti agrees with Frost that operational risk management offers pointers, in terms of “root cause and emerging threat analysis”, and that information risk is more closely aligned with that than with financial risk modeling, though the latter is relevant too.
Risk management is especially well developed in the area of disaster recovery, he says. “For example, if you want the organization to be backed up in two days there is x cost associated with that; there will be less of a cost if backed up in three days. DRM science is mature now. So, you will apply thinking such as: ‘this data center is on a green field site today, but what if a chemical plant is established there in 10 years’ time?’”. Banks, such as his, do risk-based scenario planning, “but you have to be careful or else you could be doing it forever”.
“That is where (ISC)² and the ISF come in, where you can start relying on them to help with threat assessments. For example, three to four years ago when you could see that e-banking solutions would become targeted by organized crime”.
He also stresses that “with information risk management there are places where there are no trade off areas”. So a bank would not accept an FSA or ICO fine as a cost of doing business.
Automation
While information risk management cannot be completely nailed using standards or software, much of it, arguably, can. Robert O’Brien, director of Baronscourt Technology, draws attention to what his company offers in compliance automation.
“Our MetaCompliance software deals with key areas of risk management, specifically that of policy and user awareness management. It automates and enforces the sign-up to risk and compliance policies and communications to staff and third-party contractors.
“One key risk management control would be to ensure that staff are aware of the various corporate policies. Furthermore, MetaCompliance will allow measurement of staff awareness to be taken, in order to allow sections of the organization that are not in compliance to be identified. The software can then target remediation to these groups of people in the form of further communication or e-learning”.
What is the ‘art’ of risk management in his view? “When risk management is an integral part of an organization’s ‘go to market’ strategy, a balance is created between the offensive and defensive nature of the company. An offensive strategy is highly geared towards generating sales/revenues, gaining market share or extending market reach. A defensive strategy would detail the considered activities and plans necessary to avoid and manage exposure to the associated risks of the offensive strategy. In some offensive or sales orientated organizations, risk management is not deemed to be sexy or compelling. The ‘art’ involved is based on the leadership function being able to communicate the vision of a mature and well-balanced organization that can take measured risks but has the execution capability to deal with issues as they arrive on the basis of a well thought out risk management plan”.
Whatever the precise role of software and standards, information risk management has to be a matter of judgment, and IT security professionals who can develop skills in this area will be at a premium.
Information security consultant Brian Honan offers risk management advice based on his own experience with clients. “One of the most common issues I come across when helping clients develop their information security program is a lack of proper risk analysis. While many have implemented controls based on common practices, those controls may not be the best suited to protect the information assets concerned. Furthermore, many find it difficult to persuade senior management to invest in more information security controls. Conducting a risk analysis allows you to identify the most appropriate security controls for your environment. Indeed many industry standards, such as the ISO 27001:2005 Information Security Standard, are based on a risk management framework. In addition, as senior management are used to dealing in risk in all areas of the business, presenting your argument in the terms of risk will greatly assist you when seeking their budgetary approval. This change of approach can be quite a challenge for many information security professionals, who by their nature prefer to deal with bits and bytes rather than business terminology. However, fear not, there are a number of excellent resources available to help you understand and manage your information security risk program