Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


CSI Speakers Offer Advice On Risk Assessment, Reporting

Security professionals must not be able to only evaluate risk, but also report it in a way top executives can understand, experts say

WASHINGTON, D.C. -- CSI Annual Conference 2009 -- It's the question only a top-level business manager can ask -- the question all security managers have come to dread.

"How secure are we?"

Nearly every security professional must answer questions like this from time to time -- questions that simultaneously ask about the risk of critical data loss and the real value of security processes, technology, and personnel. At the Computer Security Institute's annual conference here this week, several speakers offered advice on measuring security risks and communicating those risks to top-level managers and executives.

"The operative problem is that you can't really accurately measure security status," said Christopher Michael, director of information assurance at defense contractor BAE Systems. "There's no truly accurate way to do it. But you have to do something to help show risks and benefits because the business demands it."

Bill Mann, senior vice president of security product strategy at CA, offered similar advice in his CSI presentation. "Security people tend to be exact -- they want everything to be 100 percent," he said. "But when you're reporting to upper management, you need to put it out there -- without worrying about everything being perfect."

The key when conveying risks and benefits to top executives, Mann said, is to speak in terms they will understand. "You can't talk about packets," he said. "These guys think in spreadsheets. They think about things like 'impact' and 'likelihood.' Give them some idea of the risk, then give them some options for mitigating them."

Before security professionals approach their management, they must understand the risk themselves, said Rafal Los, senior security consultant for HP's Application Security Center, in his CSI presentation.

"As technology people, we often chase the things that seem to be the biggest risk -- the things that are the most innovative -- without really doing an analysis of the actual risk," Los said. "In most cases, it's not something new, but your legacy systems that pose the highest overall risk right now. It's the things that came before you, but that nobody's looked at for a long time, that you should worry about. Too often, we hyperfocus on new, cool hacks that will never happen, rather than the legacy systems."

In other cases, enterprises may fail to update their risk stance to reflect changes in time or world events. Executives at security vendor NetWitness frequently stated that enterprises and government agencies are preparing for the "cyber threat of 1995" without taking into account the formidable capabilities of today's organized criminals and foreign governments.

"We estimate that there are currently 100 countries that have cyberwar capabilities today, and many of them are more advanced than the organized criminal groups we talk so much about in the security space," said Eddie Schwartz, CSO of NetWitness, in an interview at CSI. "But most companies don't account for that in their security strategies. A lot of companies don't understand the risks associated with contractors or social networking. Most companies still focus on compliance and prevention, but they're fighting a losing battle. We need to rethink the risk equation."

There are many methods for calculating risk, the speakers noted. BAE's Michael recommended the NIST risk management framework, which outlines methods for analyzing the potential impact of a breach, selecting and implementing controls, assessing and monitoring their effectiveness, and reporting residual risk.

The key is creating metrics that can be quantitatively tracked over time, Michael said. He recommended creating a "security risk register," in which the owners of each security-related process identify metrics for that process, including the likelihood of compromise and the consequences of such a compromise.

"Once you have that in place, then the managers can decide which ones are important to them," Michael said. Management may even choose to rank the processes with a quantitative score, which helps the security team focus on those that pose the highest risks. Security teams can also perform a gap analysis for each process, estimating current security status against the highest possible security status for that process, he said.

Compliance is one of the easier security metrics to measure because there are standards to be measured against, Michael said. Cost reduction -- such as the implementation of a self-service password reset process -- and cost avoidance, such as a reduction in breaches, might also be measurable in a way that appeals to management.

But Los cautioned that all mathematical risk models must be tailored to fit the organization's priorities and business models. "There are many mathematical risk management risk models, but 90 percent of them don't apply to the people who are reading them," Los said. "Risk is a company-specific issue. You have to set your own standards for it."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Cyberattacks Are Tailored to Employees ... Why Isn't Security Training?
Tim Sadler, CEO and co-founder of Tessian,  6/17/2021
7 Powerful Cybersecurity Skills the Energy Sector Needs Most
Pam Baker, Contributing Writer,  6/22/2021
Microsoft Disrupts Large-Scale BEC Campaign Across Web Services
Kelly Sheridan, Staff Editor, Dark Reading,  6/15/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-24
Shopware is an open source eCommerce platform. In versions prior to the admin api has exposed some internal hidden fields when an association has been loaded with a to many reference. Users are recommend to update to version You can get the update to regularly via the Auto-U...
PUBLISHED: 2021-06-24
Shopware is an open source eCommerce platform. In versions prior to private files publicly accessible with Cloud Storage providers when the hashed URL is known. Users are recommend to first change their configuration to set the correct visibility according to the documentation. The visibilit...
PUBLISHED: 2021-06-24
Shopware is an open source eCommerce platform. Versions prior to 5.6.10 are vulnerable to system information leakage in error handling. Users are recommend to update to version 5.6.10. You can get the update to 5.6.10 regularly via the Auto-Updater or directly via the download overview.
PUBLISHED: 2021-06-24
Shopware is an open source eCommerce platform. Versions prior to 5.6.10 suffer from an authenticated stored XSS in administration vulnerability. Users are recommend to update to the version 5.6.10. You can get the update to 5.6.10 regularly via the Auto-Updater or directly via the download overview.
PUBLISHED: 2021-06-24
Shopware is an open source eCommerce platform. Potential session hijacking of store customers in versions below We recommend to update to the current version You can get the update to regularly via the Auto-Updater or directly via the download overview. For older versions o...