New models that help firms assess security risks are starting to gain traction.
“How do you take a risk, have five people take a look at it, and have a consistent measure of what it might cost the business?” asks Greg Avesian, vice-president of enterprise IT security at Textron Inc. It’s not a rhetorical question: The US$10 billion conglomerate, based in Providence, R.I., recently embraced the risk-based security model, and quantifying the potential damages of various threats is one of the discipline’s major challenges.
In the IT arena, security spending has traditionally been tactical, even scatter-shot, with a rationale difficult to pin down beyond a vague idea that — to take a cue from Emil Faber, founder of Faber College of Animal House fame — Security Is Good.
The risk-based security model is an effort to change that. “Organizations are beginning to deal with risk coherently,” says Chris Byrnes, an analyst at Gartner Inc. “Rather than viewing infosec as an island, they’re looking across a broader set of risks.”
The risk-based model can be a big win for the enterprise because it directs spending where it’s needed most, resulting in stronger security. But IT groups are struggling to master the challenges of the still-new concept.
In the risk-based model, IT and security managers work with business units to identify the biggest threats to the business and then set priorities for security investments. In essence, this model is a cost-benefit analysis to ensure that the security budget is spent wisely.
Clearly, then, the risk-based security model is a logical outcome of the tightening bond between business priorities and technology expenditures. Just as portfolio management and other disciplines tie IT spending to the most productive business initiatives, risk-based security prioritizes spending by the potential damage of various threats.
At Textron, “we looked at [risk-based security] because, like everybody else, we’ve got a finite amount to spend on risk mitigation,” Avesian says. The new model, he adds, “has helped us develop a consistent framework when evaluating risk, and it’s forcing us to think more strategically.”
The company has long emphasized process, and views the risk-based model as a complement to its efforts to comply with the Sarbanes-Oxley Act and its devotion to both the Six Sigma quality-control methodology and Control Objectives for Information and Related Technology (Cobit), a set of best practices for IT management.
Sarbanes-Oxley and Cobit each introduced robust controls, Avesian says, while Textron’s Six Sigma history taught it to standardize processes wherever possible — which, in turn, entailed measuring progress on that standardization. Indeed, Textron has a resident Six Sigma Black Belt (a rare level of expertise) who is the company’s risk-based “process owner.”
Analysts and security managers say the growing importance of regulatory compliance has encouraged the adoption of risk-based security. Many demands of Sarbanes-Oxley, the Health Insurance Portability and Accountability Act and other regulations not only help companies become aware of security risks they may have overlooked, but also dictate controls to plug the holes.
That’s what happened at Canadian Pacific Railway Ltd., a multibillion-dollar business with about 8,500 SAP users. In its push to comply with Sarbanes-Oxley (which the company had to follow because it does extensive business with U.S. trading partners), the railway ran Compliance Calculator, a tool from Fremont, Calif.-based Virsa Systems Inc.
According to Margaret Sokolov, SAP security and controls lead at Calgary-based Canadian Pacific, the compliance software demonstrated that “we had some segregation-of-duties issues” that were problematic for both Sarbanes-Oxley compliance and information security.
The security risks that were uncovered involved an area in which most businesses underspend: company insiders. Like most large SAP users, Canadian Pacific has a cadre of “superusers” and subject-matter experts who push SAP development forward. These end users had been granted extraordinary access to data and code so that they could tweak interfaces and processes.
When Virsa flagged this access as a barrier to Sarbanes-Oxley compliance, Sokolov’s team members realized that a severe threat to data security was right under their noses (although Sokolov hastens to add that the company found no evidence whatsoever of wrongdoing). Prompted by Virsa, the railroad closed the vulnerability with a series of controls. Now, when SAP superusers set out to alter code in an unusual way, a note about the activity is automatically sent to their managers. Afterward, a complete log of the activity is also sent for review and approval.
“This was a case where [compliance software] made us aware that we needed to direct additional spending toward an inside risk,” Sokolov says.
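The two controls in the Canadian Pacific case, a segregation-of-duties check over role assignments and a manager notification when a superuser makes an unusual change, can be expressed as a small rule set. The following is an added example, not Virsa's software or the railway's own configuration; the role names, the definition of "unusual" (a code or table change in production with no approved change request), the users and the log records are all constructed for illustration.

```python
"""Segregation-of-duties (SoD) check plus a change-notification rule for
privileged "superuser" accounts. Everything below is constructed sample
data; the conflict pairs and the notion of an "unusual" change are
assumptions made for this example, not the railway's actual policy."""
from dataclasses import dataclass
from typing import Optional

# Constructed role matrix: the roles each SAP-style user currently holds.
ROLE_ASSIGNMENTS = {
    "alice": {"ABAP_DEVELOP", "TRANSPORT_RELEASE", "PAYROLL_POST"},
    "bob":   {"ABAP_DEVELOP"},
    "carol": {"TRANSPORT_RELEASE", "VENDOR_MASTER_EDIT"},
    "dave":  {"VENDOR_MASTER_EDIT", "PAYMENT_RUN"},
}

# Constructed toxic combinations. Holding both sides of a pair lets one
# person push their own code to production, or create a vendor and pay it.
SOD_CONFLICTS = [
    ("ABAP_DEVELOP", "TRANSPORT_RELEASE"),
    ("VENDOR_MASTER_EDIT", "PAYMENT_RUN"),
]


def find_sod_violations(assignments, conflicts):
    """Return {user: [conflicting pairs]} for every user holding both roles."""
    violations = {}
    for user, roles in assignments.items():
        hits = [pair for pair in conflicts if pair[0] in roles and pair[1] in roles]
        if hits:
            violations[user] = hits
    return violations


@dataclass
class ChangeEvent:
    """One record from a (constructed) change log."""
    user: str
    object_type: str              # "PROGRAM", "TABLE", "CONFIG", ...
    object_name: str
    client: str                   # "PRD" (production) or "DEV"
    change_request: Optional[str]  # approved ticket id, or None


# Constructed: who counts as a superuser and who reviews their changes.
SUPERUSERS = {"alice", "carol"}
MANAGER_OF = {"alice": "mgr_finance", "carol": "mgr_it"}


def classify_change(ev, superusers=SUPERUSERS, manager_of=MANAGER_OF):
    """Return the manager note for an unusual superuser change, else None.

    "Unusual" is an assumption for this example: a code or table change
    made directly in production without an approved change request.
    """
    if ev.user not in superusers:
        return None
    unusual = (
        ev.client == "PRD"
        and ev.object_type in {"PROGRAM", "TABLE"}
        and not ev.change_request
    )
    if not unusual:
        return None
    return {
        "to": manager_of.get(ev.user, "security-team"),
        "user": ev.user,
        "summary": (f"{ev.user} changed {ev.object_type} {ev.object_name} "
                    f"in {ev.client} without a change request"),
        "requires_review": True,   # full activity log goes to the manager afterwards
    }


# Constructed sample log: only the first entry should trigger a note.
SAMPLE_EVENTS = [
    ChangeEvent("alice", "PROGRAM", "ZFI_POST_ADJ", "PRD", None),
    ChangeEvent("alice", "PROGRAM", "ZFI_POST_ADJ", "DEV", None),
    ChangeEvent("carol", "TABLE", "ZCREDIT_LIMITS", "PRD", "CR-4417"),
    ChangeEvent("bob", "PROGRAM", "ZHR_REPORT", "PRD", None),
]


def review_queue(events):
    """Notes that would be sent to managers for the given events."""
    return [n for n in (classify_change(e) for e in events) if n]


if __name__ == "__main__":
    print(find_sod_violations(ROLE_ASSIGNMENTS, SOD_CONFLICTS))
    for note in review_queue(SAMPLE_EVENTS):
        print(note)
```

The SoD check is the preventive half (find and split toxic role combinations); the change rule is the detective half for the superusers whose access cannot simply be removed. Real deployments derive the conflict pairs from the business process owners, which is exactly the cooperation the article says the risk-based model requires.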
THE ROLE OF IT
Adopting risk-based security is not only inexpensive; properly implemented, it also cuts costs two ways in the long term. First, fewer dollars flow to security efforts in which risks are low. And second, the additional money spent to reduce high-impact risks can save an organization enormous sums by preventing lawsuits, safeguarding proprietary information and, in the case of publicly traded companies, averting negative publicity, which can pummel stock prices.
While risk-based security may remove a certain amount of control from IT’s hands, the IT group has a substantial role to play. According to Forrester Research Inc. analyst Michael Rasmussen, understanding and assessing various IT risks “generates a mountain of data that needs to be translated into meaningful information.” Forrester suggests that IT groups implement risk dashboards and risk indicators such as intrusion-detection systems to effect this translation.
According to Rasmussen, several vendors are beta-testing risk dashboards, while “some organizations use SMTP applications to develop them internally.” A fully operational dashboard, he adds, will include systems monitoring and server status functionality, as well as automated alerts for exceptions. The presentation layer will be customized depending on the end user — a senior business executive may see only a red-light/green-light indicator on his home page, while IT staffers would of course see much more detail.
In the early stages of a shift to risk-based security, IT must also conduct an inventory of all technology assets and then assign a value to each — one of the trickiest phases of the process. This is where ephemeral fears must be turned into hard data.
Questions include, “What is the fiscal impact if a given system goes down?” and “What’s the fiscal impact if data integrity or confidentiality is compromised?” The answers must address not only short-term transactional problems but also the effects on customer loyalty and stock value.
Gartner’s Byrnes says it’s vital that business process owners be involved in this stage. Says Avesian, “I spent six months last year finding a single person in each [of Textron’s 20-plus units] to serve as a focal point for security assessments.” He has formed a 25-member IT risk management team that meets monthly and is part of Textron’s formal governance process.
IT must also play a strong role when controls are being assessed and written. That’s hardly new, but in risk-based security, there’s a twist. In the past, once the need for a control was established, IT would simply be sent off to create it, with little attention paid to the price tag. But any control, from an improved firewall to an appropriate-use policy, has an associated cost. Under the risk-based model, these costs must be closely matched to the potential fiscal impact of the risk.
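One way to turn the asset valuation and the "cost of control versus fiscal impact" comparison into numbers is the textbook annualised loss expectancy (ALE) calculation. The article describes the goal but does not prescribe this or any other formula, so the following is an added example rather than Textron's or Forrester's method; every asset value, exposure factor, incident rate and control cost below is constructed.

```python
"""Ranking security controls by annualised loss expectancy (ALE) and
return on security investment (ROSI). A standard quantitative approach,
added here as an illustration; all figures are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Risk:
    name: str
    asset_value: float       # business loss if the asset is fully compromised
    exposure_factor: float   # fraction of asset value lost per incident (0..1)
    aro: float               # annualised rate of occurrence (incidents / year)

    @property
    def sle(self):
        """Single loss expectancy: loss from one incident."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self):
        """Annualised loss expectancy: expected loss per year, uncontrolled."""
        return self.sle * self.aro


@dataclass
class Control:
    name: str
    risk: Risk
    annual_cost: float
    aro_after: float                  # estimated incident rate with the control
    ef_after: Optional[float] = None  # reduced exposure per incident, if any

    def ale_after(self):
        ef = self.risk.exposure_factor if self.ef_after is None else self.ef_after
        return self.risk.asset_value * ef * self.aro_after

    def annual_benefit(self):
        return self.risk.ale - self.ale_after()

    def rosi(self):
        """(risk reduction - control cost) / control cost."""
        return (self.annual_benefit() - self.annual_cost) / self.annual_cost


def prioritise(controls):
    """Controls worth funding (reduction exceeds cost), best ROSI first."""
    funded = [c for c in controls if c.annual_benefit() > c.annual_cost]
    return sorted(funded, key=lambda c: c.rosi(), reverse=True)


# Constructed figures for three risks and one candidate control each.
order_entry = Risk("order-entry outage", asset_value=2_000_000, exposure_factor=0.05, aro=4)
customer_db = Risk("customer DB breach", asset_value=5_000_000, exposure_factor=0.30, aro=0.1)
intranet = Risk("intranet defacement", asset_value=50_000, exposure_factor=0.20, aro=1)

CONTROLS = [
    Control("redundant app servers", order_entry, annual_cost=120_000, aro_after=0.5),
    Control("DB encryption + DLP", customer_db, annual_cost=60_000, aro_after=0.05),
    Control("WAF for intranet", intranet, annual_cost=40_000, aro_after=0.2),
]


def summary(controls=CONTROLS):
    """Rows a risk dashboard could show for every candidate control."""
    return [
        {
            "control": c.name,
            "ale_before": round(c.risk.ale),
            "ale_after": round(c.ale_after()),
            "cost": c.annual_cost,
            "rosi": round(c.rosi(), 2),
            "fund": c.annual_benefit() > c.annual_cost,
        }
        for c in controls
    ]


if __name__ == "__main__":
    for row in summary():
        print(row)
```

With these inputs the intranet WAF is not funded because it costs more than the loss it prevents, and the database control ranks below server redundancy even though the breach is the scarier headline: the comparison is between yearly expected loss avoided and yearly control cost, not between how frightening the threats sound. The weak point, as the article notes, is the inputs; the exposure factors and incident rates have to come from the business process owners, and a sensitivity check on them is worth more than a second decimal place in the ROSI.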
PINNING DOWN THE NUMBERS
For IT, the challenges of the risk-based security model are as familiar as they are thorny. For starters, the CIO or security officer must establish an ongoing relationship with key business units, for fact-finding and to stay abreast of changing risks. Moreover, the essential need is to quantify that which may resist quantification; assigning a risk factor, and in particular loss estimates, to a new product or partnership is hardly an exact science.
One aspect of the risk-based model may take some getting used to for IT: as information security ceases to be a stand-alone entity and is instead absorbed into the larger risk picture, responsibility for it may be pulled from the technology group. “We believe 30 per cent of [Gartner’s] client base has taken infosec away from the CIO,” Byrnes says.
Indeed, the most advanced form of risk-based security, dubbed enterprise risk management, is being pushed hard by the large auditing firms. Many businesses that have gone whole-hog into ERM (including virtually all financial services companies, according to Byrnes) have named chief risk officers who report to the CEO or even the board of directors.
Tim Maletic, information services security officer at Grand Rapids, Mich.-based Priority Health, is part of a team mulling a move to risk-based security. But he remains unconvinced of the feasibility of assigning an accurate cost figure to various threats. “In a general way, spending your [security] dollars where you can get the most protection is just sensible,” he says. “And that’s what we’re doing.”
As an example, he points to the health care company’s recent implementation of Cupertino, Calif.-based ArcSight Inc.’s Enterprise Security Manager application. The ESM package compiles and simplifies reports from firewalls, intrusion-detection systems, and antispyware and antispam software, and thus is “the next logical step,” Maletic says.
And even though ArcSight has indeed helped him spend his security budget where it’s needed most — especially where staffing is concerned — Maletic is skeptical about a grand concept that claims to quantify all security risks.
He’s not the only skeptic. Risk-based security, while an appealing idea, appears to demand a level of governance and cooperation with business units that’s rare in the day-to-day roller derby of operational IT.
In search of methodology
Risk-based security cries out for a standardized approach to risk assessment.
To date, the closest thing to a leader in this nascent field is from Carnegie Mellon University’s Software Engineering Institute.
Operationally Critical Threat, Asset and Vulnerability Evaluation, or OCTAVE, is a self-directed methodology you can use to determine your risk exposure in the context of business activities and priorities. OCTAVE’s creators say the system can be used to accomplish the following:
• Identify information assets, vulnerabilities and threats
• Protect data both tactically and strategically
• Set up an internal assessment team
• Provide the risk assessments demanded by HIPAA, Sarbanes-Oxley and other regulations
While none of the businesses interviewed for this article use OCTAVE today, all say it’s on their radar screens as the top risk-based security methodology.
Gartner analyst Chris Byrnes agrees with that assessment. He adds that if OCTAVE has a weak point, it’s that “you need an advanced, sophisticated governance model in place to really get the most out of it.” Thus, the businesses that need OCTAVE the most may be those that are least able to take advantage of it.
—Ulfelder is a freelance writer in Southboro, Mass. Contact him at firstname.lastname@example.org.