Should an Information Risk Manager Manage “Risk?”

Great Minds Think Alike

This post will summarize a provocative presentation at the RSA conference on Tuesday by long-time security practitioner Donn Parker, and detail a similar approach that IREC has been recommending, which we call Controls Maturity Assessment (CMA). We have previously referenced our CMA work in this blog, especially in this post. What is provocative about these approaches is that they both suggest making risk assessment a secondary consideration in your information protection strategy.

Managing the Information Risk Portfolio

First let me say what this is about. This is about the strategy you use to allocate effort and resources across all activities related to information protection. Prioritization. This is not about whether or how you perform a detailed “risk assessment” for a specific target like a server or an application.

(I put “risk assessment” in quotes, as these are often more of a BIA combined with a vulnerability assessment against a set of known vulnerabilities. Since threats and unknown vulnerabilities are poorly understood, it is hard to say this approach results in an assessment of risk.)

Donn Parker’s “Diligence-Based, Positive Security Method”

If you missed Donn’s RSA presentation, you can get a good idea of his thinking from these articles:

  • Making The Case for Replacing Risk Based Security, ISSA Journal, May 2006
  • A Diligence-Based Idealized Security Review, ISSA Journal, January 2008
  • Positive and Negative Security Methods, ISSA Journal, December 2009

Donn objects to the typical security approach of using FUD and risk assessment results to communicate with senior executives, for reasons including:

  • Executives resent or can’t handle this sort of “negative” information
  • Business risk and information risk are so different in kind that it is misleading to business people to talk about information risk
  • Information risk assessments are so completely inaccurate that it is wrong to place your trust in the results

From his 2006 article:

I claim that security based on risk management, risk reduction, and risk assessment is a failed concept. I am not alone in this claim. A majority of CISOs at a 2003 Gartner security conference also claimed that risk assessment is a failed method of making security decisions, according to an article in ComputerWorld.

Instead, Donn suggests you combine your regulatory compliance needs and a view of your peers’ controls to establish a level of security “diligence”. In other words, a minimum level of strength or “maturity” of your controls. Donn suggests setting your control strength at the high end of the benchmark of your peers. Controls can be selected from a framework like ISO 27002.

When presenting to senior executives, he suggests you graphically present your activities as your control strength versus that of your peers. In the example in his 2008 article above, he displays this as a bar graph for the 11 top level domains of ISO 27002. This is a “positive” view of security activities that he argues is more persuasive with senior executives.

Controls Maturity Assessment

We agree with Donn that risk quantification is unlikely to be sufficiently accurate for strategic decision making. And while we don’t know if the “positive” and “negative” aspects of senior executive communication are correct, we do know that our members who report to senior executives by talking about a set of benchmarked control strengths specified in a standard like ISO 2700X or NIST 800-53 report excellent success.

Where we disagree with Donn:

1) Donn describes an informal benchmarking against a small number of peer organizations. IREC has developed a comprehensive control measurement tool (we call it the Controls Maturity Benchmarking Service) that allows for concrete measurement of controls maturity, and we think the more peers you can compare yourself to, and the more concretely you can make the comparison, the better.

2) We think that while ISO and NIST are great security frameworks, they do not speak in business-friendly language. We suggest you aggregate your control strength up to high-level, business-friendly terms relevant to your audience, as in the following example:

Business-friendly control benchmark


3) We think that benchmarking against peers is a good way to present your information protection status and make the case for further investments, but we do not think it is the primary way you should make investment decisions internally. As your mom said, “if all the other kids jumped off a cliff, would you?”

What we have done is to collect a set of security outcome metrics along with measures of control strength. When you then add some statistics, you can identify the relative power of different controls to improve those security outcomes. In other words, is it better to invest in capacity management, or end-user awareness? But what is even more powerful is that you can identify the “sweet spot” for the maturity of a given control:

Sigmoidal relationship between control maturity and security outcomes


When you do these statistics, you find that for many controls there are diminishing returns from investing in high levels of maturity. And perhaps more surprisingly, for many controls there is a significant foundational level of maturity required that, by itself, doesn’t provide security, but is necessary before getting to a level of maturity that does improve security. We call these the “table stakes” for a control.
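To make the three regions of that sigmoidal curve concrete, here is an added illustration (not IREC's model or data): a logistic relationship between a control's maturity level and its expected outcome improvement, with constructed parameters and an assumed 1-to-5 maturity scale, from which the “table stakes” levels, the “sweet spot” and the diminishing-returns levels are derived.

```python
import math

# Constructed, illustrative parameters (assumptions, not fitted IREC results):
# outcome improvement is modelled on a 0..1 scale as a logistic function of
# control maturity, with maturity levels 1..5 assumed.
CEILING = 1.0      # maximum achievable outcome improvement
STEEPNESS = 2.5    # how sharply outcomes respond near the midpoint
MIDPOINT = 3.0     # maturity level where improvement is fastest
LEVELS = [1, 2, 3, 4, 5]


def outcome(maturity, ceiling=CEILING, steepness=STEEPNESS, midpoint=MIDPOINT):
    """Expected security-outcome improvement at a given maturity level."""
    return ceiling / (1.0 + math.exp(-steepness * (maturity - midpoint)))


def marginal_return(maturity, ceiling=CEILING, steepness=STEEPNESS, midpoint=MIDPOINT):
    """Slope of the curve: outcome gained per unit of additional maturity."""
    f = outcome(maturity, ceiling, steepness, midpoint)
    return steepness * f * (1.0 - f / ceiling)


def classify_levels(levels=LEVELS, floor_share=0.1, saturation_share=0.9):
    """Split maturity levels into the three regions described in the post:
    table stakes (little outcome yet), the sweet spot (steepest gain) and
    the diminishing-returns plateau (outcome close to the ceiling)."""
    table_stakes = [m for m in levels if outcome(m) < floor_share * CEILING]
    diminishing = [m for m in levels if outcome(m) >= saturation_share * CEILING]
    sweet_spot = max(levels, key=marginal_return)
    return {"table_stakes": table_stakes,
            "sweet_spot": sweet_spot,
            "diminishing": diminishing}


def gain_from_step(current, target):
    """Outcome improvement from raising a control from one level to another."""
    return outcome(target) - outcome(current)


if __name__ == "__main__":
    for m in LEVELS:
        print(f"level {m}: outcome {outcome(m):.3f}, marginal {marginal_return(m):.3f}")
    print(classify_levels())
```

Raising a control from level 1 to 2 buys almost nothing on its own, yet it is the precondition for the large gain at levels 2 to 3; past level 4 the curve flattens and further investment is hard to justify.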

IREC members can learn more about how our CMA survey process works here; non-members should contact us for more information.

Great Minds Like a Think

A) Attentive readers may ask whether our endorsement of the CMA approach contradicts our earlier post criticizing standardized security recommendations. No, it doesn’t. The standardized control approach we criticized is adhering to lists of one-size-fits-all, specific controls. In the CMA approach, you are adjusting the overall strength/maturity of a type of control, and you tailor the specific controls employed to your organization’s needs, including a consideration of your infrastructure, vulnerabilities, threat environment, etc.

B) Unfortunately, some form of risk quantification is the most popular way to make prioritization decisions.

Explore posts in the same categories: Communication, Risk Management, Strategic Planning
