Security As Risk Management

Tuesday, October 15, 2013

Robb Reck


I have had the opportunity to work as both an information security leader and a risk management leader. Through that experience I have come to believe that one of the biggest failings of infosec is our position as a gatekeeper for projects. A move toward a risk management approach, in which findings are reported on a relative scale rather than as a verdict, can significantly improve organizational security.

Traditionally, information security has been a gatekeeper. There is an information security review of an initiative, with some kind of result that boils down to “pass” or “fail.” The review may be a manual review of a project by a security analyst, a vulnerability scan run against a new application, static code analysis performed on the source code, or a questionnaire that is completed and reviewed. Whatever shape the review takes, the result is either a stamp of approval or a rejection. This process turns security into a binary function: a system is either secure or it is not, with no middle ground. That does not accurately reflect reality.

In addition to turning security into a false dilemma, the gatekeeper model imparts far too much power to the information security team. They are forced into making significant business decisions that should be made by senior business leaders. Should that application enhancement be released? Should that new web solution be turned on? In the traditional security model these decisions may rest with a security professional who understands the security impact but not the revenue, reputational, legal or other impacts of the decision.

Rather than this binary information security model, I believe the right solution is a risk management focus, where the review result is not a 1 or a 0 but a position on a risk spectrum, from which we report the relative risk of a particular initiative. That risk rating is provided to our customers in order to empower them to make a business decision.

We can still use those same review touch-points (manual reviews, vulnerability scans), but instead of an output of yes or no, we assign each finding a likelihood and an impact. The product of those two elements becomes the risk score, and that score must be communicated to the appropriate business owner so they can make a risk management decision (do they mitigate the risk, avoid it, or accept it?).

Risk Management focused security empowers the business to make better decisions

If you are a security person and are concerned that security loses power under this model, don’t be. You still create the risk score for these reviews, and your judgment is critical to the process. In fact, this shift allows you to give unfiltered feedback on the risk of a project, without the need to soften things in order to issue a “passing grade,” as we may feel pressured to do in the traditional model. And really, is the ability to say “no” all that helpful? Being the Department of No sets us up as the enemy and encourages people to seek ways to circumvent us. In addition, in those high-profile cases where security does say “no” to releasing an important product or enhancement, the business may very well overrule us anyway. By delivering the security review in a risk management format, security professionals fill the role they are best suited for (evaluating security) and the business can weigh risk against reward.

Another benefit of the risk management approach to security is that the result of the security assessment can, and should, be revisited later. The risk should be stored in a risk register, where it is reviewed periodically to determine whether its likelihood or impact has changed significantly. A risk that was considered low impact may become a much bigger deal if the type of data stored changes, and the likelihood of exploitation increases dramatically if a system moves from the private network to the internet. In the old binary security world we are likely to lose track of these kinds of changes.
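A minimal risk register that does what the two preceding paragraphs describe (score each finding as likelihood times impact, hand the decision to a named business owner, and re-score when exposure or data sensitivity changes), as an added example that is not part of the original post or the author's own tooling. The 1-to-5 scales, the mapping from network exposure to likelihood and from data classification to impact, the band thresholds and the sample entries are all constructed for illustration. The rule that a risk whose rating band rises goes back to its owner for a fresh decision is an assumption about how the periodic review would be run, not something the post specifies.

```python
"""Added example: a small risk register built around likelihood x impact.
Scales, mappings, thresholds and sample findings are constructed for
illustration; none of this is the original post's or the author's code."""
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    """Outcome recorded by the business owner, not by security."""
    OPEN = "open"          # scored, awaiting the owner's decision
    MITIGATE = "mitigate"
    AVOID = "avoid"
    ACCEPT = "accept"


# Constructed 1..5 scales. Exposure drives likelihood, data class drives impact.
LIKELIHOOD = {"private network": 2, "partner network": 3, "internet": 5}
IMPACT = {"public": 1, "internal": 2, "confidential": 4, "regulated": 5}


def rating(score: int) -> str:
    """Band a likelihood*impact product (1..25) into a relative rating (assumed thresholds)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


@dataclass
class Risk:
    rid: str
    title: str
    exposure: str        # key into LIKELIHOOD
    data_class: str      # key into IMPACT
    owner: str           # the business owner who decides, not the security team
    decision: Decision = Decision.OPEN
    history: list = field(default_factory=list)   # (score, rating, decision) snapshots

    @property
    def likelihood(self) -> int:
        return LIKELIHOOD[self.exposure]

    @property
    def impact(self) -> int:
        return IMPACT[self.data_class]

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


class RiskRegister:
    def __init__(self) -> None:
        self._risks: dict[str, Risk] = {}

    def add(self, risk: Risk) -> Risk:
        if risk.rid in self._risks:
            raise ValueError(f"duplicate risk id {risk.rid}")
        risk.history.append((risk.score, rating(risk.score), risk.decision))
        self._risks[risk.rid] = risk
        return risk

    def decide(self, rid: str, decision: Decision) -> Risk:
        """Record the owner's mitigate/avoid/accept decision at the current score."""
        risk = self._risks[rid]
        risk.decision = decision
        risk.history.append((risk.score, rating(risk.score), decision))
        return risk

    def reassess(self, rid: str, *, exposure=None, data_class=None) -> tuple:
        """Re-score after a change (periodic review). Assumed rule: if the rating
        band goes up, the earlier decision no longer covers the risk, so it is
        reopened for the owner. Returns (old_score, new_score, reopened)."""
        risk = self._risks[rid]
        old = risk.score
        if exposure is not None:
            risk.exposure = exposure
        if data_class is not None:
            risk.data_class = data_class
        reopened = risk.score > old and rating(risk.score) != rating(old)
        if reopened:
            risk.decision = Decision.OPEN
        risk.history.append((risk.score, rating(risk.score), risk.decision))
        return old, risk.score, reopened

    def pending(self) -> list:
        """Risk ids still waiting on a business decision."""
        return sorted(r.rid for r in self._risks.values() if r.decision is Decision.OPEN)

    def report(self) -> list:
        """One line per risk, highest score first, for the owners' review."""
        rows = sorted(self._risks.values(), key=lambda r: -r.score)
        return [f"{r.rid} {rating(r.score):6} L={r.likelihood} I={r.impact} "
                f"score={r.score:2} decision={r.decision.value:8} "
                f"owner={r.owner} {r.title}" for r in rows]


if __name__ == "__main__":
    # Constructed sample findings.
    reg = RiskRegister()
    reg.add(Risk("R-1", "Order search endpoint lacks rate limiting",
                 "private network", "internal", "VP Sales"))
    reg.decide("R-1", Decision.ACCEPT)        # 2*2 = 4, low: the owner accepts it
    reg.add(Risk("R-2", "Vendor portal stores credentials in plaintext",
                 "partner network", "confidential", "Procurement"))
    # Later the order search system is exposed to the internet and starts
    # handling regulated data: 5*5 = 25, high, and the acceptance is reopened.
    print(reg.reassess("R-1", exposure="internet", data_class="regulated"))
    print("\n".join(reg.report()))
```

The point of the `history` list is that every decision is tied to the score it was made at: an acceptance granted when the risk scored 4 says nothing about the same system once it scores 25, which is exactly the change the binary model tends to lose.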

Implementing a risk management focused information security program not only increases the security of the organization; it increases collaboration between security and other technical stakeholders, frees security to do what it does best (instead of making business decisions) and improves the organization’s risk awareness.

Cross-posted from Information Security from Robb Reck.

Matt Harrison: This is a great article that definitely addresses a cultural change that needs to be taking place in Information Security.

All too often Information Security professionals are required to make a "go/no-go" determination on business processes. Without an understanding of all the factors that went into the birth of the new initiative in the first place, this is a recipe for failure.

Information Security professionals need to redefine their job, which should be providing the business executives the information THEY need to make an informed decision.

In order to do that, some sort of Information Security risk scale has to be set up as the framework for that organization. That consistency will provide executives with the confidence to act on the information provided.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
