21st Century Risk Management Part 3: From the server room to the boardroom
By Drew Williams August 22, 2013
- Effective information security risk management is more than just putting out fires or buying more tools
- Admins will find C-levels easier to talk to if they discuss risk management as a business logic-driven issue
I LOVE that part in every sci-fi epic since Flash Gordon where our dashing hero figures out at the last minute which wire to cut, where the missile’s ‘Off’ switch is, how to jettison the dangerous payload into a dying star, and of course, sees his enemy endure an oft-times self-inflicted and grisly demise.
It’s too bad our universe doesn’t work that way. In fact, when it comes to risk management, there’s very little adventure blended into the intrigue of the subject. Most decisions about how to address risks still take place in the server rooms, and all too often rely on how controls are implemented to stop problems from happening.
The result? Problems are still happening. And more often; and it’s getting worse.
Effective information security risk management is more than just putting out fires, and buying more tools. In fact, risk management is rapidly moving from the server room to the boardroom.
Traditionally, organisations must identify how they analyse and address information about their infrastructure, and how they access their identified assets, in order to meet their strategic business goals; they then determine the best ways to protect those assets throughout the information security lifecycle.
It’s about what we call protectability as much as it is about profitability. Policy development for how to operate within the infrastructure, as we mentioned in the previous segment, must strike a three-way balance between accessing and developing the assets of an organisation, process-driven standards that comply with any required mandates or compliance rules, AND how current risk and attack trends might affect or impact the organisation’s infrastructure (before anything happens).
After ensuring your organisation actually has a working IT Risk Management operational policy (which, by the way, also includes defining levels of expectation as to what level of risk in the organisation is deemed ‘acceptable’), it’s time to evaluate the IT infrastructure itself.
This includes a full-scale network diagram review and, most especially, a system configuration review of every control integrated into the infrastructure. That’s Stage Two of our three-stage rocket.
In a recent analysis reported by Verizon, 97% of malicious software discovered throughout a two-year period included customisable code that targeted system configurations, and more specifically, key devices themselves (servers, firewalls, IPS tools, etc.) – remember the ‘Company X’ Principle which was mentioned in the previous segment?
And when we talk about ‘controls’ and ‘configuration’ issues as being key to the problems behind most of the serious attacks and exploits out there, mention should also be made of the event logs that these control devices generate (as in “nobody looks at the event logs from these control devices”).
If you have a policy that doesn’t include key points of action, such as reviewing data event logs on a regular basis, then you’re more likely than not to be a sitting duck for the next “Big Thing” attack. Seriously.
Third in our trifecta of Adaptive Risk Management components: ‘Exposure.’
Web application-based attacks have proliferated exponentially over the past three years. We are seeing a steady rise of a new generation of web application attacks which are tied to the bigger plot of the tragedy that is advancing, persistent, and threatening large-scale infrastructures worldwide.
As the universe of ‘Web 2.0’ continues to expand to include galaxy-class dependencies on platforms like AJAX (Asynchronous JavaScript) and the mass-produced CMS (content management system) applications, all tied to worldwide populations of social network-dependent businesses and individuals, web-enabled applications and processes become even bigger targets.
The increase in web application attacks follows the logical model which suggests that trouble always follows common interests. That’s why we think ‘Exposure’ is a whole category of Adaptive Risk Management focus, and why organisations should be looking at their web applications and overall web presence on a 24x7 basis.
What’s more, these organisations would do well to reduce their risk of attacks by up to 80% (depending on how you look at the picture) by including a mitigation process for what’s discovered from any kind of monitoring.
So we’ve suggested that ‘Risk’ relating to IT infrastructures is real, and it’s almost 99.999% guaranteed to have already compromised YOUR system (yes you, back in the third row!).
And despite Clint Eastwood’s best grimacing face at what comes next: here’s The Good, the Bad and the Ugly associated with managing ‘Risk’ at a company near you…
Risk management is no longer a Fear, Uncertainty & Doubt (FUD) initiative, but rather, needs to be examined as part of the overall business strategy for sustaining and expanding an organisation’s board-driven objectives.
No longer should IT and web administrators need to hide down in the catacombs of the facilities, only coming out to reload their two-litre mugs of Mountain Dew Code Red and feed on small rodents.
The good news is that these administrators are finding the roads into their C-level bosses much easier to tread when they discuss risk management as a business logic-driven issue, versus running in begging to buy the next, the biggest, the fastest whatever.
Oh, and by the way, just because that advertisement shows up in every airport in the world doesn’t mean it’s the best solution for your business.
Well, the bad thing here is that, according to a 2011 KPMG study, risk management is not a relevant topic in the daily management decision-making of more than half of the several thousand CEOs and BoD (Board of Directors) members interviewed. We call this the devil you don’t know about.
The problem here is, just because you don’t talk about trouble, or don’t know about it, doesn’t mean it’s not still there (and probably grinding away in the deep confines of your system, even as you read this!).
While many of the risk factors discussed are actually addressable (with many being preventable), the truth is, more than half of the businesses reporting in to a recent global survey led by PwC indicated they do not track social media activities within their organisations and have no formal board-level review of ‘Risk’ as a potential business inhibitor (or driver).
Despite these statistics, ‘Cyber Security’ has become the top contender (above weapons of mass destruction and traditional warfare) as the point of most concern for international agencies and many nations.
FUD factors aside however, if you want to find a solution to addressing the growing, pervasive problem of ‘IT Risk’ in your infrastructure, here are some things to consider:
- Sophisticated system-wide attacks – just like all of those big green eggs in the ‘sanctuary’ of that fallen spaceship – are germinating and waiting for their chance to crack open and start spitting acid on anything that moves.
- Risk management needs to be considered as a business issue, rather than a device-driven, ‘IT-Only’ mandate.
- Start within your organisation NOW, by looking at your operational policies, and weigh how you spend resources (including money), to address risk-related activities.
- Just because you throw more money at something doesn’t mean you solve the problem.
- Consider the fact that you are already exposed and infected. All of you.
Enjoy the movie!
Drew Williams is the founder and CEO of international risk management consulting services firm Condition Zebra. He has also worked with the Internet Engineering Task Force and served on the 1999-2000 President’s Partnership for Critical Infrastructure Security (precursor to the Department of Homeland Security). He is a former member of the US Navy.
21st Century Risk Management Part 1: Managing risk means taking risks
21st Century Risk Management Part 2: ARMing your infrastructure