
Secure360: The failure of risk management

By George V. Hulme, CSO
May 11, 2012 10:05 AM ET

CSO - IT security and risk professionals who attended the 7th Annual Secure360 Conference earlier this week at the St. Paul River Center in Saint Paul, Minnesota certainly heard a startling earful as the show kicked off: if they're not managing risk right in their organization, they may, in fact, be the biggest risk their organization faces.


"What's your single biggest risk? It's that your risk assessment method doesn't actually work," said keynoter Douglas Hubbard, founder of Hubbard Decision Research and author of the book "The Failure of Risk Management: Why It's Broken and How to Fix It."

Hubbard detailed how empirical analysis is too often overlooked when measuring organizational risk, and how, when it is used, it is applied to the wrong sets of problems. Those conducting quantifiable risk assessments often feel more confident in their decisions, even when those decisions could fairly be described as having poor outcomes. This overconfidence in risk management was certainly present in the security survey CSO conducted along with PwC last year, in which respondents vastly overestimated the maturity of their own security programs.

Most organizations today are still grappling with basic IT security blocking and tackling. Many speakers at the conference advised attendees to get back to, and focus on, the basics of securing their enterprises even as they move to the cloud. For example, in his talk, "Cloud Security," David Mortman, chief security officer at cloud infrastructure management provider enStratus, stressed that enterprises weren't going to be struggling with new issues as they moved to the cloud, but rather with new ways of looking at longstanding challenges such as logging, access control, firewall rule management, and key and certificate management. "Things like simple access control in the cloud can be problematic. The access control cloud providers make available just don't provide the granularity many organizations need. So you have to think through how you are going to handle access control before you move to cloud in a substantial way," Mortman said.

In his talk, "Seeing through the Clouds: Tactics to deal with Limited Cloud Visibility," Mike Rothman, president of independent research firm Securosis, told attendees to focus on many of the basic aspects of cloud security, with a specific focus on Web application security.

The Web application security practices he described also looked much like the practices organizations probably should have been following for some time with their traditional applications, but probably haven't. Security practices that are just as relevant in the cloud as in on-premises environments include maintaining a secure development lifecycle, continuing security assessments of applications both in production and in development, deploying web application firewalls, and having proper change management controls in place throughout the application lifecycle.

"Cloud doesn't make any of the challenges you have today magically disappear. It'll simplify some things, but other aspects of security management stay the same," Rothman said. "In many ways, it's back to the future with cloud security. However, in other ways because of how open and available cloud can be, not doing the right things can lead to more pain if you're sloppy," he said.
