It's difficult for risk managers to help decision-makers after a risky choice has been made. Unfortunately for many organizations, that's how traditional risk management programs work — and by the time an assessment has been done, the risky decision has already done its damage.
"We all accept certain amounts of risk in order to engage in business, but at what point is risk too much?" asks Tony Martin-Vegue, senior information security risk engineer at Netflix, who discussed the topic at this week's FAIR Conference.
In most companies, a risk management program covers any aspect of a business that takes on risk. Business leaders make a decision and implement it; the risk team then comes in, tests it, and reports issues. The first time a risk manager gets involved is when these problems are put on the risk register, at which point it's too late to help the enterprise decision-makers, he says.
Risk analysis is forecasting, Martin-Vegue explains. Analysts should want to be closer to the CEO, CFO, CIO, and other executives before major decisions are made so they can help make the optimal choice. Netflix has long used quantitative models, including the FAIR model, to make decisions because it puts threats into context and helps explain risk to business execs.
Most companies use the traditional paradigm of rating decisions as high/medium/low or red/yellow/green, he says. While this works for comparing three or four similar items or prioritizing projects, it does little when a security analyst is faced with three red alerts costing $10 million, $15 million, and $20 million each. Which one should they remediate first?
"You don't know," Martin-Vegue says. "You can't make that type of value-at-risk comparison."
Quantitative risk analysis, instead of labeling an alert "high" or "red," states how much exposure the business has. If you know one risk carries $200 million in exposure, and you can buy that risk down to $20 million with a $10 million investment, that gives a distinct course of action. If a pen tester has two red alerts, and quantitative analysis reveals one carries $10 million of exposure and the other $50,000, it's obvious which should be remediated first, he notes.
"Now you can start to make comparisons using dollars [and] financial people will recognize this as a cost-benefit analysis," he explains. "We're moving out of information security and speaking to the CFO, the CEO, the CIO: 'This is how much your investment can get you. This is how much risk you can buy down.'"
This resonates with executives who are accustomed to speaking in terms of dollars and cents. It's easier for them to make a security-focused decision when they understand what an investment will get them, as opposed to making a choice based on a high-, medium-, or low-severity alert.
"It's no wonder there's always friction between the business and information security people," says Martin-Vegue. "We're making it hard for them." By framing the risk conversation around exposure, investments, and buying down risk, "people immediately get it, especially on the business side."
Making Big Decisions, from Executives to Practitioners
There are three different levels of risk abstraction that can be used to frame a security risk assessment, says Martin-Vegue, noting that he loosely borrows the three-tier structure of the National Institute of Standards and Technology (NIST) risk management framework: strategic, tactical, and operational decisions.
Tier one supports strategic decision-making; this typically involves major investment decisions made about five years ahead of time. A few examples: How should executives frame a company strategy? Should they transition to the cloud? Should the business put its services in Amazon Web Services or host them itself? Should it do code development in-house or outsource it?
These are all nontrivial decisions, he says, and they're typically made without a risk analyst who could explain the cost-benefit analysis and ROI analysis of major enterprise strategies.
Tier two supports tactical decision-making for midlevel managers who are considering their initiatives, budget, and head-count planning a year or two ahead of time. Those managers are asking questions such as "Do we employ server virtualization?" "What vendors should we use?" "Can we do a risk analysis on the vendor before we move to the vendor?"
Most organizations hear about a vendor security issue after they've already signed a contract, Martin-Vegue says. This should be on the risk register before the vendor partnership begins.
Tier three supports operational decision-making, which is for individual contributors and their teams. This may include security architects, pen testers, or developers on the business side who design customer-facing web apps. If a coder wants a security control and has a choice between password-only authentication and passwords plus multifactor authentication (MFA), which should they choose?
What may seem like an easy investment choice to security practitioners is tougher for business executives. Today's organizations have tight purse strings, and implementing MFA is expensive. Quantitative risk requires security pros to use data to make a case and prove why an investment is worth it.
Operational decision-makers are faced with several choices that can be evaluated with quantitative risk analysis: How do we configure endpoint protection? How do we configure antivirus software? Should we use full disk encryption? How do we configure data loss prevention tools?
Quantitative Risk Modeling: Getting Started
For organizations that want to adopt the FAIR model or other quantitative risk models, Martin-Vegue advises starting slow. Risk analysts don't need to rip out their current model and implement FAIR in a major overhaul. Start with a couple of decisions. Find someone in the organization trying to make a difficult, data-driven choice and help using the quantitative model.
His other tip is a word of caution: "There's a big myth that we have to bust about quantitative risk — there's a perception people have that you need to have perfect historical quantitative data in order to do an assessment, and you don't." Martin-Vegue says risk professionals can use the subjective judgment of people within the organization to do a credible assessment.
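The following is an added example, not code from the article, from Netflix, or from the FAIR Institute. It ties together the buy-down comparison described earlier (exposure before and after a control, versus the cost of that control), the password-versus-MFA decision from the operational tier, and the closing point that an assessment can start from calibrated subjective estimates rather than perfect historical data. Each option is described only by expert min / most-likely / max ranges for loss event frequency and loss magnitude, which a Monte Carlo simulation turns into a distribution of annual loss. The scenario names, the dollar and frequency ranges, and the $400,000 yearly control cost are constructed, hypothetical inputs chosen to illustrate the arithmetic; the modified-PERT distribution is one common way FAIR-style tools model such ranges, and is an assumption of this example rather than something the article specifies.

```python
"""
FAIR-style Monte Carlo comparison of two security options.

Each option is described by calibrated expert range estimates
(min / most likely / max) for loss event frequency (events per year)
and loss magnitude per event (dollars). The simulation turns those
ranges into a distribution of annual loss and reports how much risk a
control buys down per dollar spent. All inputs below are constructed
for illustration and are not data from the article.
"""
import math
import random
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Scenario:
    name: str
    lef: tuple        # (min, mode, max) loss events per year
    magnitude: tuple  # (min, mode, max) dollars lost per event


def pert_sample(rng, low, mode, high, lam=4.0):
    """Draw from a modified-PERT distribution (a scaled beta), one common way
    to turn a min / most-likely / max estimate into a continuous distribution."""
    if high <= low:
        return low
    a = 1 + lam * (mode - low) / (high - low)
    b = 1 + lam * (high - mode) / (high - low)
    return low + rng.betavariate(a, b) * (high - low)


def poisson(rng, lam):
    """Number of events in one year given an expected rate (Knuth's method)."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < threshold:
            return k
        k += 1


def simulate_annual_losses(scenario, trials, rng):
    """One trial = one simulated year: sample a rate, draw the number of
    loss events at that rate, then sum a sampled magnitude for each event."""
    losses = []
    for _ in range(trials):
        rate = pert_sample(rng, *scenario.lef)
        events = poisson(rng, rate)
        losses.append(sum(pert_sample(rng, *scenario.magnitude) for _ in range(events)))
    return losses


def percentile(values, p):
    """Nearest-rank percentile of a list of numbers, p in [0, 1]."""
    ordered = sorted(values)
    return ordered[int(p * (len(ordered) - 1))]


def compare_options(baseline, with_control, control_cost, trials=10000, seed=42):
    """Annualized loss exposure before and after the control, the risk bought
    down, and the return on the control investment (reduction minus cost,
    divided by cost). A fixed seed keeps the comparison reproducible."""
    rng = random.Random(seed)
    before = simulate_annual_losses(baseline, trials, rng)
    after = simulate_annual_losses(with_control, trials, rng)
    ale_before, ale_after = mean(before), mean(after)
    reduction = ale_before - ale_after
    return {
        "ale_before": ale_before,
        "ale_after": ale_after,
        "p50_before": percentile(before, 0.50),
        "p90_before": percentile(before, 0.90),
        "p90_after": percentile(after, 0.90),
        "risk_reduction": reduction,
        "control_cost": control_cost,
        "return_on_control": (reduction - control_cost) / control_cost,
    }


# Constructed, hypothetical estimates for the password-vs-MFA decision.
# The ranges would come from calibrated estimates by the people who run
# the system, not from a historical loss database.
PASSWORD_ONLY = Scenario("account takeover, password only",
                         lef=(2, 6, 20), magnitude=(50_000, 250_000, 2_000_000))
WITH_MFA = Scenario("account takeover, password + MFA",
                    lef=(0.1, 0.5, 2), magnitude=(50_000, 250_000, 2_000_000))
MFA_ANNUAL_COST = 400_000  # hypothetical yearly cost of the control


if __name__ == "__main__":
    result = compare_options(PASSWORD_ONLY, WITH_MFA, MFA_ANNUAL_COST)
    for key, value in result.items():
        print(f"{key:>20}: {value:,.2f}")
```

The output is the sentence a CFO can act on: exposure before and after in dollars, the 90th-percentile "bad year" for each option, and whether the control returns more than it costs. Swapping the ranges for a second control (say, a cheaper risk-based step-up instead of universal MFA) and rerunning gives the apples-to-apples comparison that a red/yellow/green rating cannot.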