This is a counterpoint to the Network World article "Why risk management fails in IT" by Richard Stiennon, chief research analyst at IT-Harvest.
Earlier this week Richard Stiennon published an article questioning the value of risk management in IT. I would argue that, although risk management presents challenges to IT, best practice-driven approaches that leverage aspects of risk management are essential to good security.
Stiennon's perspective reflects the prevailing view in the media -- supported by valid industry statistics -- that IT security is losing the war against the bad guys. Data breaches are front page news and companies are being fined millions of dollars for losing personal information. Given we have been fighting this battle for so long, we must have made some progress, right?
We can definitely say we have. The fact is, IT security is becoming more sophisticated. It is a journey and, while we have a way to go, there is definite progress toward repeatable, best practice-driven approaches that have been used in other aspects of risk management.
IT security doesn't have the number-crunching abilities of financial risk modeling or broad history of market data to throw into Monte Carlo simulations. Other risk disciplines have data that over the years has led to refined mathematical, quantitative methods. Will IT security ever get there? We seem to be making significant progress. Consider:
* Identification of assets is achievable. One of the first tasks in risk management when it comes to IT security is to know what you need to protect. This is a significant challenge and, with the proliferation of devices, it seems an insurmountable task. However, technologies are addressing the "find the needle in the stack of needles" problem and can identify where important data is flowing out of or into the organization and where it ends up. For example, data loss prevention (DLP) technologies continue to expand their scope, accuracy and capabilities.
Some perspective is useful when looking at progress against this problem. Will an organization have an absolute list of every desktop, laptop, mobile device, router, switch, database and widget in the entire IT universe? No. But can an organization find where personal information, credit cards, key research and development plans and other jewels of the company live? Absolutely. Today.
A large technology company launched an initiative to find credit card data. A DLP scan across its file servers found 30,000 files spread out over a large, international IT infrastructure. With a combination of technologies and processes, the company cataloged these data assets, identified owners, contacted them, remediated and secured the data. This wasn't a multi-year effort; it was a multi-week effort. In addition, the company realized how it could do this for other information assets. Lo and behold, the company not only secured the loose change across the file servers, it determined how to find and secure the bags of money as well.
* Value to the business can be determined. The second challenge, once your key assets are identified, is assigning a business value. In some cases we may have to live with a qualitative measure, but in other cases we can get to cold hard cash, or at least an intelligent approximation. This takes some work, and getting the right framework in place is critical. For the qualitative measure, business impact analyses on business processes are Step 1. This provides the top-down business value. Bottom-up, the IT department needs to better organize asset catalogs to connect key IT assets to those business processes.
The quantitative approach, Nirvana for most risk managers, can also be achieved. For example, some DLP products can actually tell you how many records of a certain type are in a database. If those records represent a $X/record cost if the data is breached and released, then that database has a specific value from a breach perspective. That database may also have a financial value from a business perspective. Most major internal systems can derive business impact from their "information value" -- the value of the data sitting on, or processed by, the system.
A key component to successfully implementing this is establishing not only the traditional IT asset catalog, but the connection to business impact analysis and business asset catalogs that bring the business context to IT security processes. This is a next-generation IT asset management approach. It isn't just about building a spreadsheet of servers, their MAC addresses, serial numbers, CPU and hard drive specs. Bringing in the data dimension, through DLP or other discovery technologies, along with the business dimension, by actually talking to the business, takes IT asset understanding to a new level.
* Risk management approaches clarify the landscape. To keep it simple, the basic traditional formula for risk is Value of Risk = Likelihood X Impact. If we begin to understand the "Impact" portion of the equation using techniques I just outlined, then "likelihood," represented by some probability, is our next target.
Today's IT security threat landscape is extremely volatile. In fact, the probability of some type of IT security breach is approaching 100%. Most companies absolutely know they have threat actors that are interested in their information. Therefore, we can only hope to reduce the likelihood of their success through intelligent controls design and implementation.
The business impact is a clear differentiator when it comes to designing security controls. Some controls are must-haves and companies already have them in place. IT security needs to evolve so that the must-haves are tailored to the business situation.
Detective strategies such as security monitoring and network forensics analysis should be prioritized on those key assets where important, valuable information is living. Protective controls -- encryption, configuration controls, etc. -- should be analyzed and adjusted based on business criticality.
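The following is an added example, not code from the original article, showing how the pieces above fit together: an asset catalog that links IT assets to business processes, breach impact derived from DLP record counts and a per-record cost, Value of Risk = Likelihood x Impact, and a ranking that drives where detective and protective controls are emphasized. Asset names, record counts, costs, likelihoods and the tier thresholds are constructed, illustrative values.

```python
from dataclasses import dataclass
from collections import defaultdict

@dataclass
class Asset:
    name: str
    business_process: str   # bottom-up link from the IT asset to a business process
    records: int            # record count reported by a DLP scan (constructed sample)
    cost_per_record: float  # estimated breach cost per record in dollars (constructed)
    likelihood: float       # probability that an attack on this asset succeeds, 0..1

    def impact(self) -> float:
        """Information value from a breach perspective: records x cost per record."""
        return self.records * self.cost_per_record

    def risk(self) -> float:
        """Value of Risk = Likelihood x Impact."""
        return self.likelihood * self.impact()

# Hypothetical thresholds; an organization would calibrate these to its own risk appetite.
HIGH, MEDIUM = 1_000_000.0, 100_000.0

def control_tier(asset: Asset) -> str:
    """Map a risk value to the control emphasis the article describes."""
    r = asset.risk()
    if r >= HIGH:
        return "high: prioritize monitoring/forensics, encrypt, harden configuration"
    if r >= MEDIUM:
        return "medium: review encryption and configuration controls for this asset"
    return "low: baseline must-have controls only"

def rank_assets(assets):
    """Highest risk first, so control effort follows business impact."""
    return sorted(assets, key=lambda a: a.risk(), reverse=True)

def risk_by_process(assets):
    """Top-down view: total risk rolled up to each business process."""
    totals = defaultdict(float)
    for a in assets:
        totals[a.business_process] += a.risk()
    return dict(totals)

# Constructed catalog of four assets; every value is illustrative only.
CATALOG = [
    Asset("crm-db-01", "Order processing", 250_000, 150.0, 0.30),
    Asset("hr-share", "Payroll", 4_000, 150.0, 0.50),
    Asset("rnd-vault", "Product R&D", 1, 5_000_000.0, 0.10),  # plans modelled as one $5M record
    Asset("build-server", "Engineering CI", 0, 0.0, 0.60),     # DLP found no sensitive data
]

if __name__ == "__main__":
    for a in rank_assets(CATALOG):
        print(f"{a.name:13} risk=${a.risk():>14,.0f}  {control_tier(a)}")
    print(risk_by_process(CATALOG))
```

Note that a high likelihood alone (build-server) does not push an asset up the list: without information value behind it, the formula keeps it at the baseline tier.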
In the example regarding the 30,000 files outlined above, when the technology company found the files, the remediation was based on the business need. Some files were deleted; some were encrypted. Some files were products of business processes that needed more engagement by the security team to adjust the business process to better protect the data.
In the end, business risk management strives to adjust behavior to reduce the impact of threats to business strategies and objectives. In IT security, risk management is the fundamental goal. We understand many of the threats already -- hacktivism, criminal elements, nation-state entities, etc. The methods that threat actors utilize continue to evolve, and it is an endless battle between security teams and the bad guys. Any analogy will do at this point -- fencing (protect the point areas), chess (protect the king), tiddlywinks ... OK, maybe not every analogy.
My point is that security functions need a risk-based, agile, contextual approach that is core to risk management. IT security is evolving toward risk management-based methods. IT security can be risk-based to know what needs to be done and where; agile to react and adjust based on incoming information; and contextual to not get lost in the ones and zeros and know what security means to the business.
Fundamental risk management approaches are more important now to IT security than ever before. Without a sense of asset acuity and risk-based adjustment of controls, companies will tire of chasing threats around the enterprise and leave themselves open for the "kill shot" that will eventually come.