For those of you that have taken steps to build a security risk management program, sooner or later you will come to the point where you have to start quantifying risk in some meaningful way. This is important because the board and other executives of the company have seen the latest security stories in the news and the Fear, Uncertainty and Doubt that goes with them. They are examining and questioning how you are protecting them. So here are ten qualities to assess your choices against.
(Also, if you want to skip to the bottom line, I’ve given you my recommendations at the end).
1. It should start with the simplest of equations and be easy to understand
This is important for a variety of reasons, but people can understand simple. Einstein’s ‘E=MC2’ is the perfect example of this and it leads to his quote “Make things as simple as possible, but not simpler.” The complex calculations underneath and the years it took to figure that out, aren’t going to resonate with the population at large. In the same way, too complex of a starting point will be too great of a hill to overcome to get imbedded in the psyche of the organization. Human nature shows that when it’s difficult to understand and explain, the mental challenge to get started is sufficiently great to bring any momentum to an unceremonious halt.
2. It should be elegant
Building off of high-level simplicity as a starting point, the equation also needs to be effective and constructive, i.e. elegant. An elegant equation would solve multiple problems at once, especially problems not thought to be interrelated (which we’ll discuss in the items below). It should also produce consistent results, no matter who is using it or which way they confront it. This is especially important since not every risk can be measured properly and some variables, such as probabilities of loss, must be ultimately be estimated.
3. It should bridge the gap between security risk and enterprise risk
One of the great challenges for security today is aligning with enterprise risk management. Many organizations don’t have risk officers or risk managers with which to work. Worse, risk-based decisions are rarely made, and the emotions of fear or greed take over depending on the moment, the environment, or the whim of the executives in charge. When there is some form of enterprise risk management, security risk often falls to the bottom of the list (if it makes it there at all). Therefore, the risk equation that you choose must be able to provide wisdom and guidance for the enterprise/executives to cross that chasm. And yet it must be flexible enough to be altered and incorporated into the most complex of enterprise risk theorems available today. This will allow you to make sure executives buy in to your process so that security risk taking is not dismissed due to their lack of understanding.
4. Expand the discussion beyond audits
Audits are checklist focused. That is, there is a yes or no, right or wrong, in place or not in place checklist where you have to choose a binary answer. Auditors know controls. And while the ability to include controls from the various regulations is an important factor in a risk equation, executives are not interested in them on the whole unless they have to be (thus the audit). If you’re going to go between executive management, security, risk management, and audit, you’ll need to appease all, but stand for something. This will improve the ability of the organization to communicate regarding their compliance and security issues, as ultimately an organization’s upper management decides—based on the goals as a whole—how much risk to take on. This isn’t something for security professionals to hold the risk and decide in a vacuum.
5. It should be able to help you politically and personally
This is a tall order for any calculation…help you politically and personally? How’s it going to do that? Well, for you to get your point across and improve your standing with other executives, you’re going to have to connect with them in their heads and hearts. Remember, people make decisions intellectually but they buy in to your ideas emotionally. If it is easy to understand from a 10,000-foot level, it can be used to lead the discussion with executives in a way that protects their pride when they don’t know something. When reporting on risk, if you start with the simple and move to the complex, they’ll be able to follow and ask good questions. Those questions will help them understand that ultimately risk decisions are up to them and that they need someone like you to give them the straight scoop. In the new era of big data, decisionable data will win the day for you and them, and they’ll be complimenting you for it!
6. Ideally, it would be cost effective
Initially, using or implementing a risk equation into your framework should not be more expensive than the security budget itself! Typically, fixing everything in security or adding in every control under the sun is not feasible, and this may be the case with many parts of a robust risk framework. As with anything in a company or household, the cheaper it is to get something done, the better chance you have of getting started. With risk equations in general, it ideally could be incorporated into another part of the budget with only an incremental increase. With compliance audits, penetration testing and risk assessment budgets what they are, the entry point for aligning security to risk would be in the same order of magnitude. Really, starting with a risk equation could be only marginally more expensive, or even free, depending on the time you have to dedicate to another endeavor. Ultimately, in order to be effective, any security or risk management program is a process—it doesn’t end. Thus the spending doesn’t end, and when that happens, cost is even a bigger factor than normal.
7. It should be practical
By practical, we mean a risk equation should be doable for the majority of companies out there. It would be fantastic if it takes advantage of what you’re already doing. While most organizations aren’t practicing risk management in their security program, they are practicing security management. Regular assessments of vulnerabilities (through scans and pentests) and controls (through INFOSEC assessments and regulatory checklists) are commonplace. As an industry, we’ve gotten to know those two areas very well over the last five years. Starting with those two variables of a risk equation gives a security program a huge jumpstart over tackling much greater challenges of complexity and cost, as opposed to starting with something like data classification, threat probabilities, or asset values. The downside is of course that these are important things to know for risk management, and in a perfect world you could have these to start. Since few live in a perfect world, starting from practical and moving to ideal is usually a better way to go.
8. It’s defensible
At some point you will be called to the stand to defend yourself and your decisions. From our experience with breaches, 7 out of 10 times when there is a breach, someone gets fired. So before that happens, it would be wise to get the story down of why or why not you did or didn’t do something. While there are many ways to talk yourself out of a bad situation, if you have a quantifiable means of backing up your decisions, it’s going to go a long way toward building your stature and standing. A risk equation, at it’s core, seeks to make risk measurable so it can be managed. That measurement aligns the activities of the security program with the appropriate controls to meet the organization’s strategy and risk limits. In addition, because ISO and NIST and COSO are so well known (and well defended) if the equation or taxonomy is able to be built into some of the standards, it makes it that much easier to hold up to scrutiny.
9. It has a path to grow more specific/accurate as the risk management program matures
To use an analogy, if you just have started cooking, you don’t start off trying to make Baked Alaska. You work your way into it, starting off with scrambled eggs or buttered noodles with an eye on being the Iron Chef. Thus you start with defining risk because you can’t optimize what you haven’t defined. From there, we work into the simple equation or part of the equation, which admitedly is not going to be truly accurate when you start. Then as the risk management program matures, the equation should allow you to trade some simplicity for increased accuracy and explanatory power. It’s this path that makes an equation so powerful. We always want to know where and why we’re taking educated guesses and how much it will cost (in time and effort) to get there. If we need to ramp up or down the level of effort, we’re able to.
10. It should be useful
Last but not least, it should be useful. This is, of course, the most important component of a risk equation. In some way, the equation or taxonomy or ordered categories should enhance an organization’s ability to both assess risk and prevent future attacks or critical incidents. This latter one does tend to get diminished, in that they see the forest, but forget the trees. High level decisioning from strategic consultants often underestimates the burden on the poor security and IT folks that are left having to implement all of this when they have a hard enough time getting their job done as it is. There are only so many controls in a security program. Most security professionals are well aware of the majority of them. With budgets as they are, one typically can’t do them all, so the risk equation must ultimately refine the security program’s controls (i.e. what needs to be done by security professionals based off of risk. Therefore, it should assist in the allocation of capital to its highest and best use by measuring and estimating risk of loss. Ideal world and real world are often at a crossroads,thus the equation you choose.
We at SecureState used this guideline when determining which equations or taxonomies we wanted to align with. After reviewing each one that we’ve come across, we’ve concluded that two are best suited for commercial organizations (one we created) depending on the internal funding and political circumstance they find themselves in: FAIR and iRisk. FAIR (Factor Analysis of Information Risk) is for those that are looking to handle more than just security, and really are looking at risk from a top-down perspective. It’s very robust and comprehensive, and is best when funding and the temperature for security risk management are high or on the upswing. From a bottom up perspective, the iRisk equation for the security-risk focused organizations (or the security group) let’s you start from where you are with activities you are already doing. There’s less investment in both time, money and resources. The tradeoff is that many inputs one would typically see are additive, meaning they’re not baked in from the beginning. They can be added in later (asset value and classification as an example).
While there is a path from iRisk to FAIR, in essence each risk management philosophy is like it’s own religion. It depends on what your motivations are for buying into one or another, what you’re looking to get out of it, what downsides you’re willing to accept to gain the upside. However, once you get religion with one, it’s sometimes tough to keep an open mind about the others. Just having interest, conversations and movement to start the process would be better than the current state most organizations find themselves in.