Risk Management evolved essentially from the insurance industry. Most pundits agree that it started to gain momentum as a broader business practice in the 1970s and 80s. Around the time AS/NZS 4360 (the Australian and New Zealand Standard for Risk Management) was first published in late 1995 was when I first heard and saw “Risk Management” discussed as a practice within IT (and IT Security). Since then, the term “Risk Management” has been widely bandied about in meetings, boardrooms and between IT professionals when discussing their approaches to managing IT security risks in their organisations. But is business really managing IT security risks? My blunt assessment of the Australian IT industry: we’re not even close!

Firstly, most organisations we see don’t have a strategic framework for managing IT Security across the enterprise. You’re going nowhere if, from the outset, you don’t have and can’t demonstrate an effective governance layer at the top of your Risk Management strategy. Sure, you may have success in silos, specific projects or certain systems, but from an enterprise perspective it just doesn’t work. Discussing the lower layers of methodologies like AS/NZS 4360 (context, identification, analysis, evaluation, treatment) becomes a moot point when nothing sits above them.

Secondly, most CIOs just don’t know what risks their company is exposed to, nor is there pressure placed upon them by the business or the regulatory environment in Australia to be on top of this. Should this simply be “good practice”, a day-to-day part of your overall role? Absolutely! But from our experience, it’s just not happening. If you’re doing it, you’re in a very small minority, but you’re leading the charge.

As a CIO, when was the last time you asked for a report on the current state of security across your entire business environment? Has there ever been one? If there was, was it done by an unbiased third party, and what was it measured against? If you were the CFO, wouldn’t you want to know the state of all financial positions and risks in your organisation? As the CIO, the buck stops with you. You don’t want a TJX-type disaster hitting your organisation.

IT Security is not reliance on technology. Too often, “technology” is accepted as an organisation’s entire approach to IT Security Risk Management. The success of any Risk Management program must be based on knowledge: of the environment you are protecting, the assets in it and the risks to them. Unfortunately, most organisations fail on both counts. We know, because we see it every day.

So are Risk Management practices, standards and approaches dead? Of course not; they just need to be given a chance and implemented properly.

  1. Wade M says:

    Amen!

    The promotion/education to CxOs/users that Security is not rooted in Technology but in Information cannot go far enough right now.

    If these CxO’s have their heads in the sand, either out of fear or ignorance, how can one present Security as a Business Enabler?

    –Wade

  2. D says:

    *quote Fred Cohen* http://all.net/

    FLAME ON

    The thing is – as a society – we (the US at least) is not looking for leaders. We have systematically weeded them out and will not tolerate them any more. We are looking for people who look like leaders but who will assure that the rich get richer and the poor don’t hurt the rich. The idea that ROI in any “rational decision making” approach should be of any import whatsoever to a society is purely ridiculous and any society that has ever existed and took that attitude has perished soon thereafter. ROI is pure foolishness when it comes to safety and security and attempts to reformulate the nature of people and societies into that mold has allowed the delusion to persist. Being as I cannot even get the simplest answer to the simplest sort of valuation question answered consistently by experts from any field, it is patently ridiculous for anyone rational to believe that we can base serious decision-making on it.

    FLAME OFF

    *end-quote*

    D -> Pre-requisite is data/information asset valuation/classification/management. Enumeration of nodes, systems, processes, identities, data at rest/transit etc. One barrier is the ever wider concept of “change management” in *all* aspects of this “liquid” business. We can’t keep throwing the work over the fence and trusting in esoteric elven magic. Distributed content inventories, enterprise rights management etc. I would ask any CIO to describe their full IT footprint, their most important netflows, users and systems – and how the concept of value transits and is stored within their organisation… then the security debate and “risk management” begins.

    Or perhaps the below is more apt:

    “The starting point for a security thinker is that there will be perforations. In low value systems, the breach will come from neglect. In a high value system, there will be conscious attacks mounted both from without and within, and one must assume that one of these will succeed.

    Our art consists in reducing the frequency of such perforations, and – once a breach occurs – minimizing the damage that is done”

    Risk Management is ‘gobble-dee-gook’ without the notion of value and some measurements or metrics.

  3. Remember the origins of Risk Management as I alluded to in the insurance business, i.e. understanding the subject as a whole (outside of just the individual; read: not just specific IT projects in our field) and looking at every possible scenario as best you can, acknowledging there are things that you just cannot predict! But those things are considered anomalies. Most CIOs consider any security incident an anomaly at present! Why? Because CEOs are happy to accept that from people they believe know everything about their field.

    Risk Management as practiced in the IT Industry FAILS every time on the first point – environmental awareness and understanding. IF YOU DON’T KNOW WHAT IT IS YOU ARE TRYING TO MANAGE THE RISK IN AND FOR, YOU’RE LOST AT THE START.

    I find it funny/sad that I hear about companies’ risk management strategies almost every day, and almost 99% of the time you know it fails/has failed as a business strategy at the outset due to these factors! BUT… it progresses and continues as a leading topic in corporate strategy and meetings as if all is on track. As I said, it’s all a moot point after you fail on the basic first principle. Maybe some of the standards-writing dudes need to word this a bit better…

  4. Chamfort says:

    Agree with Wade, D, Fred & Drazen on most of the above.

    Some other observations on the IT Security field in Aus:

    a) some of the practitioners have never had an original thought – and are quite happy to quote someone else or another standard rather than think through the real issues
    b) love to spread FUD & are good at the latest buzzwords
    c) like to promote more & more complex technology solutions
    d) are technical/security theory minded not business minded
    e) are quite happy to step over their colleagues to progress their own agenda
    f) have CxOs who don’t really understand security & are happy to believe everything they are told
    g) enjoy writing policies that are unimplementable
    h) I could go on & on.

    What we are lacking in is:
    1) foresight
    2) innovation
    3) value
    4) new opportunities
    5) real questioning of the state of play

  5. Stas says:

    I think you are guilty of being IT focused.
    Chief Risk Officer should own it. CIO should have it forced upon them by governance structure and from CEO.

    Until operational risk executives accept information security risk as part of their own domain, and drive that message up, information security will be technology focused, missing people and process components and failing.

  6. Stas,

    In this case, it is focused at IT. Long story, but the article was initially planned for a monthly IT magazine. Take a guess. My contact there who was going to publish it left the company just before it was to go out, so I thought I should not let it go to waste.

    I don’t disagree with you at all if that role exists. It doesn’t in most companies, with the CIO/IT Manager being the lead guy responsible for all to do with IT.

    Even where both roles do exist, CIOs should not be let off the hook with the excuse that they can pass the buck to someone else. It happens too often as it is. Regardless, the principles are failing in most cases I see.

    Welcome back.

    DD

  7. D2 says:

    From: http://www.rearguardsecurity.com/episodes/2-transcript.html

    “Let me be frank. What about the job of “Chief Technology Officer” of a major corporation entitles one to be stupid about technology? I keep running into senior IT managers who play stupid – but it’s the same game (I hope I’m not revealing any secrets here!) that most married guys play on their wives: they get out of doing the laundry by washing her white underwear in the same load as their bluejeans and are summarily excused from laundry duty henceforth. When an IT manager fields a system and “forgets” security, they know full well that the poor codependent security guys are going to scramble to cover their backsides – and they get to remain blissfully ignorant forever more.

    It makes me fantasize about writing a memo to the board of directors at some company “We gave the CTO an IQ test and he failed. He couldn’t remember an eight character (with one non-alpha character) password for his hard drive encryption, so we set the password to his wife’s name. When he couldn’t remember that, we tried his dog’s name, but he said “SPOT” was too tricky. This guy isn’t qualified to work a vacuum cleaner in the hallway, apparently, never mind overseeing our global network, outsourcing programs, and development labs.” That would be the most creative letter of resignation, ever.”
