Look risk in the eye

Q: I love the idea of posing much of my purchasing and deployment decisions as risk equations. Having said that, I don’t have the time or expertise in-house to develop those risk models myself. Where can I cheat and filch some risk models already developed that could apply to me?

A: The key is to keep your analysis simple and in terms that management can understand. The problem with many off-the-shelf risk methodologies is that they will require a significant amount of tinkering before they will be right for your particular business. You may be able to fill in some numbers by calling on the experience and expertise of your security team. Then, if you have a good knowledge of your environment, you can make a strong case with some simple calculations.

An example: We expended 1,000 man-hours and US$100,000 dealing with incidents last year; 70 percent of those were the result of worms that got into the company as e-mail attachments. We could have eliminated 90 percent of those threats by implementing a tool on our mail server that removes potentially harmful attachments before they ever enter our network. The license will cost us $25,000 per year, and we can manage the solution with existing resources for a negligible cost.

The risk equations you are looking for in this situation are quite simple. Once you make an assumption about the per-hour cost of a worker, say $25, you will have a very strong case to present to management for the purchase of your mail server software.

It is extremely important to keep logs and metrics of security-specific issues so that you will have the information necessary to analyze your specific situation.

Q: What are the current best practices in security reporting structures?

A: If your organization has a separate security team, I have always felt it’s important to keep that team organizationally separate from traditional IT functions. Different organizations have different reporting structures; but, ideally, the top executive responsible for security should be a peer to the CIO. The CSO is, after all, executive management’s subject matter expert on security.

Security touches all areas of the company, not just IT. An effective security organization will require a view over the entire organization along with the authority to create policies and conduct awareness training for all employees.

It is critically important, though, to maintain a good relationship with the IT functions in order to provide effective security. That’s where a security team can leverage its role as subject matter expert. Act as a resource for systems administrators who need to harden their systems. Educate developers to develop secure software. Assist in the development of secure solutions to enable a mobile workforce. The key is to maintain independence, while enabling–not blocking–solutions. The result will be an organization that recognizes security as an integral component to its success.

Q: How does one present risks in a concise manner to senior executives–CIOs and above?

A: The key is to present risk as a business decision requiring action. You will probably do more harm than good in attempting to frighten a budget out of senior management by pointing to all the dire consequences associated with a particular risk. Instead, using knowledge, experience, published statistics and even some guesswork, provide management with an assessment of the magnitude of the risk and a menu of options for solving the problem. The menu should include the cost and “residual risk” of each mitigation strategy. Residual risk is simply the risk left over once you’ve implemented your solution.

It is up to management to determine exactly how much risk the company can afford to accept. It may very well be the case that senior management is comfortable with a $100,000 exposure. The security expert provides value with his analysis because it reduces the problem to the type of business decision that management is used to making every day.
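The worm calculation from the first answer, carried through with the residual risk and "menu of options" described here, as an added example that is not part of the original column; the $25 hourly rate is the column's assumption, and the "do nothing" and "awareness training" options with their figures are constructed for illustration.

```python
from dataclasses import dataclass

HOURLY_RATE = 25.0  # per-hour worker cost the column assumes

@dataclass
class IncidentHistory:
    hours: float            # staff hours spent on incidents last year
    direct_cost: float      # other incident costs, in dollars
    share_by_cause: dict    # fraction of incident cost attributable to each cause

    def annual_loss(self, hourly_rate: float = HOURLY_RATE) -> float:
        return self.hours * hourly_rate + self.direct_cost

@dataclass
class Mitigation:
    name: str
    cause: str              # key in share_by_cause this control addresses
    effectiveness: float    # fraction of that cause's incidents it eliminates
    annual_cost: float      # license plus operating cost per year

def evaluate(history: IncidentHistory, option: Mitigation) -> dict:
    """Cost avoided, residual risk and net benefit of one option, in dollars."""
    total = history.annual_loss()
    avoided = total * history.share_by_cause[option.cause] * option.effectiveness
    return {
        "name": option.name,
        "annual_loss": round(total, 2),
        "avoided": round(avoided, 2),
        "residual_risk": round(total - avoided, 2),  # risk left after the control
        "annual_cost": option.annual_cost,
        "net_benefit": round(avoided - option.annual_cost, 2),
    }

def menu(history: IncidentHistory, options: list, tolerance: float) -> list:
    """Menu for management: best net benefit first, flagged against accepted exposure."""
    rows = [evaluate(history, opt) for opt in options]
    for row in rows:
        row["within_tolerance"] = row["residual_risk"] <= tolerance
    return sorted(rows, key=lambda r: r["net_benefit"], reverse=True)

# Figures from the column: 1,000 hours, $100,000, 70% worms via e-mail attachments.
LAST_YEAR = IncidentHistory(hours=1000, direct_cost=100_000, share_by_cause={"worm": 0.7})
OPTIONS = [
    Mitigation("do nothing", "worm", 0.0, 0),                                # constructed baseline
    Mitigation("attachment-stripping mail filter", "worm", 0.9, 25_000),     # from the column
    Mitigation("awareness training (constructed)", "worm", 0.4, 10_000),     # assumed figures
]

if __name__ == "__main__":
    for row in menu(LAST_YEAR, OPTIONS, tolerance=100_000):  # the $100,000 exposure above
        print(row)
```

Each row is what the answer asks for: the cost of the option, the residual risk it leaves, and whether that residual fits the exposure management has said it can accept.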

The job of the security team is to enable intelligent corporate decisions regarding security. Business is a series of trade-offs, and presenting risk in terms of those trade-offs demystifies security decisions and results in a cost-effective set of controls.