Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics

CSI Speakers Offer Advice On Risk Assessment, Reporting

Security professionals must not be able to only evaluate risk, but also report it in a way top executives can understand, experts say

WASHINGTON, D.C. -- CSI Annual Conference 2009 -- It's the question only a top-level business manager can ask -- the question all security managers have come to dread.

"How secure are we?"

Nearly every security professional must answer questions like this from time to time -- questions that simultaneously ask about the risk of critical data loss and the real value of security processes, technology, and personnel. At the Computer Security Institute's annual conference here this week, several speakers offered advice on measuring security risks and communicating those risks to top-level managers and executives.

"The operative problem is that you can't really accurately measure security status," said Christopher Michael, director of information assurance at defense contractor BAE Systems. "There's no truly accurate way to do it. But you have to do something to help show risks and benefits because the business demands it."

Bill Mann, senior vice president of security product strategy at CA, offered similar advice in his CSI presentation. "Security people tend to be exact -- they want everything to be 100 percent," he said. "But when you're reporting to upper management, you need to put it out there -- without worrying about everything being perfect."

The key when conveying risks and benefits to top executives, Mann said, is to speak in terms they will understand. "You can't talk about packets," he said. "These guys think in spreadsheets. They think about things like 'impact' and 'likelihood.' Give them some idea of the risk, then give them some options for mitigating them."

Before security professionals approach their management, they must understand the risk themselves, said Rafal Los, senior security consultant for HP's Application Security Center, in his CSI presentation.

"As technology people, we often chase the things that seem to be the biggest risk -- the things that are the most innovative -- without really doing an analysis of the actual risk," Los said. "In most cases, it's not something new, but your legacy systems that pose the highest overall risk right now. It's the things that came before you, but that nobody's looked at for a long time, that you should worry about. Too often, we hyperfocus on new, cool hacks that will never happen, rather than the legacy systems."

In other cases, enterprises may fail to update their risk stance to reflect changes in time or world events. Executives at security vendor NetWitness frequently stated that enterprises and government agencies are preparing for the "cyber threat of 1995" without taking into account the formidable capabilities of today's organized criminals and foreign governments.

"We estimate that there are currently 100 countries that have cyberwar capabilities today, and many of them are more advanced than the organized criminal groups we talk so much about in the security space," said Eddie Schwartz, CSO of NetWitness, in an interview at CSI. "But most companies don't account for that in their security strategies. A lot of companies don't understand the risks associated with contractors or social networking. Most companies still focus on compliance and prevention, but they're fighting a losing battle. We need to rethink the risk equation."

There are many methods for calculating risk, the speakers noted. BAE's Michael recommended the NIST risk management framework, which outlines methods for analyzing the potential impact of a breach, selecting and implementing controls, assessing and monitoring their effectiveness, and reporting residual risk.

The key is creating metrics that can be quantitatively tracked over time, Michael said. He recommended creating a "security risk register," in which the owners of each security-related process identify metrics for that process, including the likelihood of compromise and the consequences of such a compromise.

"Once you have that in place, then the managers can decide which ones are important to them," Michael said. Management may even choose to rank the processes with a quantitative score, which helps the security team focus on those that pose the highest risks. Security teams can also perform a gap analysis for each process, estimating current security status against the highest possible security status for that process, he said.

Compliance is one of the easier security metrics to measure because there are standards to be measured against, Michael said. Cost reduction -- such as the implementation of a self-service password reset process -- and cost avoidance, such as a reduction in breaches, might also be measurable in a way that appeals to management.

But Los cautioned that all mathematical risk models must be tailored to fit the organization's priorities and business models. "There are many mathematical risk management risk models, but 90 percent of them don't apply to the people who are reading them," Los said. "Risk is a company-specific issue. You have to set your own standards for it."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Commentary
Cyberattacks Are Tailored to Employees ... Why Isn't Security Training?
Tim Sadler, CEO and co-founder of Tessian,  6/17/2021
Edge-DRsplash-10-edge-articles
7 Powerful Cybersecurity Skills the Energy Sector Needs Most
Pam Baker, Contributing Writer,  6/22/2021
News
Microsoft Disrupts Large-Scale BEC Campaign Across Web Services
Kelly Sheridan, Staff Editor, Dark Reading,  6/15/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-32823
PUBLISHED: 2021-06-24
In the bindata RubyGem before version 2.4.10 there is a potential denial-of-service vulnerability. In affected versions it is very slow for certain classes in BinData to be created. For example BinData::Bit100000, BinData::Bit100001, BinData::Bit100002, BinData::Bit<N>. In combination with &lt...
CVE-2021-35041
PUBLISHED: 2021-06-24
The blockchain node in FISCO-BCOS V2.7.2 may have a bug when dealing with unformatted packet and lead to a crash. A malicious node can send a packet continuously. The packet is in an incorrect format and cannot be decoded by the node correctly. As a result, the node may consume the memory sustainabl...
CVE-2021-2322
PUBLISHED: 2021-06-23
Vulnerability in OpenGrok (component: Web App). Versions that are affected are 1.6.7 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise OpenGrok. Successful attacks of this vulnerability can result in takeover of OpenGrok. CVSS 3.1 ...
CVE-2021-20019
PUBLISHED: 2021-06-23
A vulnerability in SonicOS where the HTTP server response leaks partial memory by sending a crafted HTTP request, this can potentially lead to an internal sensitive data disclosure vulnerability.
CVE-2021-21809
PUBLISHED: 2021-06-23
A command execution vulnerability exists in the default legacy spellchecker plugin in Moodle 3.10. A specially crafted series of HTTP requests can lead to command execution. An attacker must have administrator privileges to exploit this vulnerabilities.