
Why risk management fails in IT

By Richard Stiennon, chief research analyst, IT-Harvest, special to Network World
October 16, 2012 09:25 AM ET



Most organizations give up on the dollar value asset ranking and come up with low-medium-high valuations. Try to picture a team of IT asset managers in a room and one of them agreeing that his job is to manage servers that have little or no value. If there is no value to an IT asset, it has long since been replaced or eliminated. Every IT asset is of high value. So why bother classifying them all?

3. Risk management methods invariably fail to predict the actual disasters.

In the late '90s the automotive industry attempted to apply risk management techniques to product design. The method of choice was a huge spreadsheet template labeled Design Failure Mode Effects Analysis (DFMEA). The product engineers (me) would sit in a room for several days and look at every component -- every fastener, every stamping, every piece of cloth in a car seat -- and decide every possible way each component could fail in the federally mandated tests.

We would generate a huge list of possible failures -- stripped bolt, fatigue crack, buckling, worn nap -- and submit it to upper management who would never look at it. Of course we failed to predict the failures that actually happened in production. You remember the recliner failures on the Saturn car seats?

Another example: A giant financial services data center located on the Gulf Coast of Florida used risk management techniques. Among the usual list -- power failure, Internet outage, fire -- was a line item for a hurricane with a storm surge of greater than 20 feet (the height of the data center above sea level). Because there had not been a single such storm in 100 years, this received a risk rating of 9 out of 10, with 10 being the least likely. An FDIC auditor pointed out that in that particular year there had been four such storm surges hitting the Gulf Coast. The data center's risk profile had never been revisited to reflect a changing environment.

It is the changing nature of risk that is impacting risk regimes today. IT assets that were not of interest to a pimple-faced 13-year-old hacker in Canada in 1999 can be of extreme interest to a cybercriminal operation in Eastern Europe or a nation-state looking to leapfrog a Western competitor. It is impossible to know beforehand which IT assets will be of interest to an attacker.

4. Risk management devolves to "protect everything."

For risk management to work it has to be comprehensive. So comprehensive protections are deployed: firewalls, IPS and AV everywhere, and vulnerability management (VM) systems that check the exposure of every single device on the network. Vulnerability management has to be continuous because new vulnerabilities are announced every month for just about every application, OS and device.

A patch management system is then used to ensure that every application has the latest patch. Risk management methodologies strive for that golden state when no vulnerabilities exist anywhere. And, failing that, the desire is to minimize the total exposure time to new vulnerabilities. Organizations spend an inordinate amount of time and money on these protections. Of course, they still succumb to targeted attacks which use previously unknown vulnerabilities.
