Doing More Than Paying Risk Management Lip Service
How well does your organization execute on its 'commitment' to guiding security practices through risk management?
While the majority of CISOs may profess a commitment to managing security based on risk management principles, the truth about how they execute on those principles may be a lot more imperfect. The unfortunate reality, say experts, is that many organizations simply pay risk management lip service, but aren't really making security decisions based on risk management metrics.
"It's easy to commit to concepts, but execution depends on something more concrete," says Tim Erlin, director of IT risk and security strategy for Tripwire. "While the idea of managing information security in alignment with business risks is attractive, there's not a lot of guidance or best practice information to inform execution."
More Security Insights
- 10 Steps to Cleaning up Active Directory
- The Active Directory Management and Security You've Always Dreamed of
- Innovations in Integration: Achieving Holistic Rapid Detection and Response
- COBOL in the Big Data Era: A Guide
A study out last week sponsored by Tripwire and conducted by the Ponemon institute found that while 81 percent of security and risk professionals in the U.S. said their organizations have a significant commitment to risk-based security management, less than 30 percent actually have a formal security risk management strategy that is applied consistently across the enterprise.
[Looking for more first steps in moving beyond risk management lip service? See Data Classification Can Boost Risk Management.]
As things stand, organizations could bear more self-examination to start better executing on risk management principles, says Chris Triolo, vice president of professional services for HP's enterprise security products division. He points to the quote from ancient Chinese warrior Sun Tzu as good advice for security pros: "If you know the enemy and know yourself, you need not fear the result of a hundred battles." Unfortunately, most enterprises today focus on the first part of the equation, the adversary, without really understanding their own capabilities.
"Many organizations we talk to don't know themselves," Triolo says. "In other words, what are their critical assets? Where is there sensitive information? What are they trying to protect? These simple questions -- and the answers -- are the first fundamental step in building a risk management program."
However, Triolo says in his work with enterprises he has found that many firms don't know what their critical assets are or where they reside. They often don't have data classification schemes in place to determine the criticality of assets. And even when they do attempt to keep track of assets, they're also dependent on incomplete lists of servers and resources that are kept on out-of-date spreadsheets that need to be updated manually, he says.
"If organizations haven't addressed these fundamental aspects, then they are probably paying lip service to risk management because how could you do so otherwise?" he says.
Many organizations that have a hard time doing more than simply paying lip service to risk management could be experiencing two of the most common gaps of IT security, says Erlin: a measurement gap and a comprehension gap. These two gaps do a lot to prevent organizations from managing security based on business risk, he says.
"Between the CISO and the rest of the business, there's a comprehension gap; security doesn't speak in terms that the business understands," Erlin says. "The CISO, while trying to bridge this gap, can't actually measure what matters within information security. That measurement gap prevents the CISO from delivering real reporting on the performance of his organization."
Even between the info sec team and the rest of IT operations is room for misunderstanding of risk appetite when there's no formal system established to measure risk and frame it around prioritization of security activities.
"A common issue in many organizations that I have seen is where the infosec team runs a vulnerability or Web application scan and reports the items requiring remediation, but the team responsible for remediation argues that the CVSS score is inaccurate, the vulnerability is not a factor in their system, etc.," says Larry Slobodzian, senior solutions engineer for LockPath. "The infosec team then has to either prove that the vulnerability is exploitable, fight a political battle to convince management, or simply ignore a vulnerability that may or may not pose a threat."
So where can organizations start in order to mature their risk management practices beyond lip service? A key first step is by defining risk and the organization's appetite for risk.
"With any vulnerability where risk acceptance is recommended, there is a policy written by a collaboration of the infosec team and managers responsible for remediation, and signed by executive leadership, defining the process and parameters for accepting risk," says Slobodzian, who recommends potentially developing a policy that requires vulnerabilities be analyzed using something like the DREAD (damage, reproducibility, exploitability, affected users, and discoverability) analysis methodology, finding a way to measure the full effect of a particular risk on the organization.
Additionally, says Torsten George, vice president of worldwide marketing, products, and support for Agiliance, organizations should also consider creating a common risk nomenclature or risk catalogs to integrate IT security risk into the overall enterprise risk management schema. The team in charge of creating such a catalog should include risk managers, security managers, and business unit executives. From there organizations should be looking to harmonize tools so that risk management and security management tools are working better together.
"Risk management problems often arise because business operations and IT teams have access to different information and tools," George says.
In fact, this tools mismatch could well be a symptom of greater problems -- namely, that risk is defined simply in terms of compliance and security posture, but not according to the business criticality of the asset at risk. No matter what system the organization uses to define risk, it should be considering the asset at play, George says.
"Without a clear understanding of the business criticality that an asset represents to an organization, an organization is unable to prioritize remediation efforts," he says. "A risk-driven approach addresses compliance and security posture as well as business impact to increase operational efficiency, improve assessment accuracy, reduce attack surfaces, and improve investment decision-making."
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.