Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics

CSI Speakers Offer Advice On Risk Assessment, Reporting

Security professionals must not be able to only evaluate risk, but also report it in a way top executives can understand, experts say

WASHINGTON, D.C. -- CSI Annual Conference 2009 -- It's the question only a top-level business manager can ask -- the question all security managers have come to dread.

"How secure are we?"

Nearly every security professional must answer questions like this from time to time -- questions that simultaneously ask about the risk of critical data loss and the real value of security processes, technology, and personnel. At the Computer Security Institute's annual conference here this week, several speakers offered advice on measuring security risks and communicating those risks to top-level managers and executives.

"The operative problem is that you can't really accurately measure security status," said Christopher Michael, director of information assurance at defense contractor BAE Systems. "There's no truly accurate way to do it. But you have to do something to help show risks and benefits because the business demands it."

Bill Mann, senior vice president of security product strategy at CA, offered similar advice in his CSI presentation. "Security people tend to be exact -- they want everything to be 100 percent," he said. "But when you're reporting to upper management, you need to put it out there -- without worrying about everything being perfect."

The key when conveying risks and benefits to top executives, Mann said, is to speak in terms they will understand. "You can't talk about packets," he said. "These guys think in spreadsheets. They think about things like 'impact' and 'likelihood.' Give them some idea of the risk, then give them some options for mitigating them."

Before security professionals approach their management, they must understand the risk themselves, said Rafal Los, senior security consultant for HP's Application Security Center, in his CSI presentation.

"As technology people, we often chase the things that seem to be the biggest risk -- the things that are the most innovative -- without really doing an analysis of the actual risk," Los said. "In most cases, it's not something new, but your legacy systems that pose the highest overall risk right now. It's the things that came before you, but that nobody's looked at for a long time, that you should worry about. Too often, we hyperfocus on new, cool hacks that will never happen, rather than the legacy systems."

In other cases, enterprises may fail to update their risk stance to reflect changes in time or world events. Executives at security vendor NetWitness frequently stated that enterprises and government agencies are preparing for the "cyber threat of 1995" without taking into account the formidable capabilities of today's organized criminals and foreign governments.

"We estimate that there are currently 100 countries that have cyberwar capabilities today, and many of them are more advanced than the organized criminal groups we talk so much about in the security space," said Eddie Schwartz, CSO of NetWitness, in an interview at CSI. "But most companies don't account for that in their security strategies. A lot of companies don't understand the risks associated with contractors or social networking. Most companies still focus on compliance and prevention, but they're fighting a losing battle. We need to rethink the risk equation."

There are many methods for calculating risk, the speakers noted. BAE's Michael recommended the NIST risk management framework, which outlines methods for analyzing the potential impact of a breach, selecting and implementing controls, assessing and monitoring their effectiveness, and reporting residual risk.

The key is creating metrics that can be quantitatively tracked over time, Michael said. He recommended creating a "security risk register," in which the owners of each security-related process identify metrics for that process, including the likelihood of compromise and the consequences of such a compromise.

"Once you have that in place, then the managers can decide which ones are important to them," Michael said. Management may even choose to rank the processes with a quantitative score, which helps the security team focus on those that pose the highest risks. Security teams can also perform a gap analysis for each process, estimating current security status against the highest possible security status for that process, he said.

Compliance is one of the easier security metrics to measure because there are standards to be measured against, Michael said. Cost reduction -- such as the implementation of a self-service password reset process -- and cost avoidance, such as a reduction in breaches, might also be measurable in a way that appeals to management.

But Los cautioned that all mathematical risk models must be tailored to fit the organization's priorities and business models. "There are many mathematical risk management risk models, but 90 percent of them don't apply to the people who are reading them," Los said. "Risk is a company-specific issue. You have to set your own standards for it."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
News
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Commentary
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-31922
PUBLISHED: 2021-05-14
An HTTP Request Smuggling vulnerability in Pulse Secure Virtual Traffic Manager before 21.1 could allow an attacker to smuggle an HTTP request through an HTTP/2 Header. This vulnerability is resolved in 21.1, 20.3R1, 20.2R1, 20.1R2, 19.2R4, and 18.2R3.
CVE-2021-32051
PUBLISHED: 2021-05-14
Hexagon G!nius Auskunftsportal before 5.0.0.0 allows SQL injection via the GiPWorkflow/Service/DownloadPublicFile id parameter.
CVE-2021-32615
PUBLISHED: 2021-05-13
Piwigo 11.4.0 allows admin/user_list_backend.php order[0][dir] SQL Injection.
CVE-2021-33026
PUBLISHED: 2021-05-13
The Flask-Caching extension through 1.10.1 for Flask relies on Pickle for serialization, which may lead to remote code execution or local privilege escalation. If an attacker gains access to cache storage (e.g., filesystem, Memcached, Redis, etc.), they can construct a crafted payload, poison the ca...
CVE-2021-31876
PUBLISHED: 2021-05-13
Bitcoin Core 0.12.0 through 0.21.1 does not properly implement the replacement policy specified in BIP125, which makes it easier for attackers to trigger a loss of funds, or a denial of service attack against downstream projects such as Lightning network nodes. An unconfirmed child transaction with ...