Risk Management: Asking The Right Questions
In order to make sure an organization's security is properly aligned with risk, it is critical that organizations focus on asking the questions that really matter
One of the main questions we often get asked by organizations is a simple one: WHY? Why do some organizations get compromised and others don't. If we asked this question 15 years ago, the answer would be much simpler. Organizations that were compromised in the 1990's often had obvious vulnerabilities that were not being fixed. One client incident we worked on had unpatched systems, all systems had public IP addresses with default installs, and no security devices in place. The answer to "why" was pretty obvious. Today, answering the question is more difficult.
Organizations are spending significant amount of money on security and still getting compromised. The reason is they are not focused on fixing the highest priority risks to their organization. Before an organization spends an hour of their time or a dollar of their budget for security, they should be able to answer three questions:
More Security Insights
- 10 Steps to Cleaning up Active Directory
- The Active Directory Management and Security You've Always Dreamed of
- Innovations in Integration: Achieving Holistic Rapid Detection and Response
- COBOL in the Big Data Era: A Guide
1) What is the risk?
2) Is it the highest priority risk?
3) Is it the most cost-effective way of reducing the risk?
We studied several organizations that have been compromised and compared them to organizations that are successfully defending their organization. The difference between the two groups became clear when we looked at their security roadmaps.
In the organizations that have been compromised, when we looked at their security roadmaps and asked the three questions for each item on their roadmap, they could not answer it. For organizations that had proper security, they were able to answer these three questions for each item on their twelve month roadmap.
If you want to see how well your organization is aligned with security, ask these three questions for each item in which you are investing resources to improve your security. If you can answer the questions, you are doing the right thing and if you cannot answer the questions, you are behaving like organizations that have been breached.
Dr. Cole is an industry-recognized security expert with over 20 years of hands-on experience. Dr. Cole has experience in information technology with a focus on helping customers identify the right areas of security by building out dynamic defense solutions that protect organizations from advanced threats. Dr. Cole has a master's degree in computer science from NYIT and a doctorate from Pace University, with a concentration in information security. Dr. Cole is the author of several books, including Hackers Beware, Hiding in Plain Site, Network Security Bible, and Insider Threat. He is the inventor of over 20 patents and is a researcher, writer, and speaker. He is also a member of the Commission on Cyber Security for the 44th President and several executive advisory boards. Dr. Cole is founder of Secure Anchor Consulting in which he provides state of the art security services and expert witness work. He also served as CTO of McAfee and Chief Scientist for Lockheed Martin. Dr. Cole is actively involved with the SANS Technology Institute (STI) and SANS working with students, teaching, and maintaining and developing courseware. He is a SANS faculty Fellow and course author. Dr. Cole is an executive leader in the industry where he provides cutting-edge cyber security consulting services and leads research and development initiatives to advance the state-of-the-art in information systems security.