Reality check
(August 2003)
Balancing cost and risk is the secret to IT security success

Why hasn't a major television network produced a show about IT security? At first glance, it seems a subject fraught with drama—a cross between high-tech thriller and political saga, with a little comic book humour thrown in for the kids. Our hero is the Chief Information Security Officer (CISO) of a major enterprise, and we join him as he battles espionage and intricate hacking attempts.
But there's a catch: Before the CISO can thwart would-be attackers, he first must convince executive management that the threats are big enough to warrant a hefty measure of protection. And here's another twist: Sometimes the threats are not big enough. So we end up watching a CISO that sometimes is Batman, with all of the bells and whistles to protect Gotham City from disaster—and sometimes he is just Bruce Wayne.
Fascinating? Not really. Who wants to watch a superhero battle evil on a budget? Yet that's the case in the world of IT security. It's not a thrilling drama—it's more of a reality show. Instead of hurling a constant barrage of high-powered artillery at their assailants, CISOs must walk a thin and realistic line between cost and risk, weighing asset values and loss expectancies against the likelihood of certain threats. To strike that balance and paint an accurate picture of potential vulnerabilities and foes, businesses must engage in ongoing risk assessments that help justify both the expense and value of security.
An enterprise-wide adventure
The task of justification is a necessary burden in today's IT world. Like it or not, IT organizations are under tremendous pressure to align technology with business objectives. Budgets are tight, and executive attitudes have shrunk from the gaping optimism of the late 1990s into a more practical mindset. Companies now accept that an IT infrastructure built for the sake of IT only neglects the importance of the business it is meant to serve. Likewise, IT security implemented purely for the sake of protecting IT investments—and not for protecting all enterprise assets, including the corporate purse—neglects the value of corporate objectives. It also shows the kind of dichotomy between IT and business that some experts believe triggered the downfall of the dot-com dominion.
Risk assessments are the means by which companies can visualize the alignment between IT security and business, putting faceless threats and intangible asset value into a language that all C-level executives can understand. Only through mutual, enterprise-wide communication can an accurate risk assessment take place. CIOs and CISOs are responsible for communicating the strengths and weaknesses of the IT infrastructure to the rest of the management team, while CEOs and CFOs help convey the business requirements.
William Hugh Murray, Certified Information Systems Security Professional (CISSP), agrees. Murray is an executive consultant with TruSecure Corporation, an international managed security services provider based in Herndon, Virginia. In an ideal risk assessment scenario, he says, "Security staff first recommends to general management a choice of risk postures, and general management chooses the level of risk that it is comfortable with." At this point, the security staff works to match present risks to company objectives by selecting the protective measures that satisfy both categories.
As obvious as it seems, achieving this kind of company-wide cooperation can be a frequent holdup in the execution of risk assessments, according to Chris Richter, director of security product management at Cable & Wireless (C&W), another global provider of managed security services. "For risk assessments to be done properly," Richter says, "the entire company must support implementing the project, which is often a very large undertaking." Unfortunately, many companies don't think about putting this much effort into analysing risk until a threat already has appeared. They either misunderstand the purpose of the exercise, or they don't believe the cost of the assessment will justify its potential savings.
Figuring it out
Aside from recognizing the need to engage all aspects of senior management in the process, experts typically have disagreed on the preferred methodology for assessing risk. Quantitative supporters give a thumbs up to a mathematical approach because it converts risk into the language of value that CEOs and CFOs—the ones controlling the purse strings—best understand. A quantitative risk assessment assigns numerical or financial values to certain variables—such as annual loss expectancy (ALE), single loss expectancy (SLE), or total cost of ownership (TCO) for an asset or security solution—and then plugs those figures into formulas that help gauge the consequences of a particular implementation or attack. By weighing security in terms of dollars and cents, the business benefits—and the effectiveness of the security solutions in play—become apparent and justified.
However, qualitative enthusiasts say that purely formulaic strategies ignore the dynamics inherent in today's business. Technology is constantly changing. Asset value is constantly changing. And, as anyone who watches the news can attest, threats are constantly changing and often concealed. "A major limitation is visibility into threats and vulnerabilities," TruSecure's Murray says. "Threats change over time, and vulnerabilities may be both numerous and obscure." Other variables include expertise, global markets, politics, and corporate or departmental objectives. To approach risk assessment without adapting to all of these variables is counterproductive and might result in inaccuracies.
Not surprisingly, seasoned security professionals now are leaning toward a combined approach to risk assessment that covers four basic areas: what you are trying to protect (asset value), what you are protecting assets from (threat analysis), the likelihood of those threats (vulnerability assessment), and the potential cost to the business (loss expectancy).
In analysing each of these areas, Richter says, "C&W recommends both quantitative and qualitative approaches to risk assessments, because both play a very vital role." Similarly, TruSecure recommends the use of a simple risk equation (Risk = Threat × Vulnerability × Cost) that recognizes some costs will be without dollar figures. These so-called soft or semi-soft costs include lost productivity, damage control, and lost customer loyalty—and enterprises never should discount them from an accurate risk assessment.
The weakest link
Of all the elements within risk assessment, one in particular offers enterprises greater control over security: vulnerability assessment. Unlike threat assessment, which takes stock of potential attackers beyond your reach, vulnerability assessment provides visibility into infrastructural weaknesses. These weaknesses are places within your infrastructure where attacks might be successful, but they also are places that you can monitor and modify at will. The trick is to find these weaknesses before the hackers do.
Where do you look? Everywhere, Richter says. Companies should do "everything from analysing software code for buffer overflow vulnerabilities to making sure that the card scanning system on the front door is working properly, or even determining how easy it is to obtain unauthorized router log-in credentials from an overly trusting system administrator." Cable & Wireless offers a managed vulnerability scanning service that helps customers pinpoint their Achilles' heels on an ongoing basis. "A good managed vulnerability scanning service can not only reveal to customers what common hack-attack risks they are exposed to," says Robert Hansen, security product manager, "but also how their vulnerability to such attacks has changed over time, if at all."
More important, companies that can identify their vulnerabilities have the opportunity to repair them and thereby prevent some attacks—or at least mitigate risk. "Given that a threat assessment is part of every risk analysis," Hansen says, "the likelihood of the potential threat decreases dramatically when proactive vulnerability scanning is combined with risk mitigation by trained security professionals."
Now what?
After accurately assessing the risk your company faces, it is time to deploy the appropriate security measures to manage that risk. Now, the CISO and security experts become superheroes again. By applying the determined budget across the potential threat windows, the security organization should be able to propose and implement a detailed posture of defense that will adequately, effectively, and efficiently protect the enterprise.
Gartner analyst Mark Nicolett advises companies to focus on these four critical pillars for effective IT security:1
» Security risk, organization, policies, and architecture. "A key element of effective IT security risk management is to identify exposures and their potential costs so that security policies—and an overall security architecture—can be developed to minimize these exposures and costs."
» Security infrastructure. "An enterprise's security infrastructure is made up of the tools, technologies, and tactics that are deployed to protect the network perimeter and internal resources."
» Security administration. "Enterprises cannot realize satisfactory returns on their investment in security planning and policy development without effective execution and implementation."
» Business continuity planning. "Business continuity planning has evolved beyond its traditional focus on disaster recovery to include planning and design for IT and business process resilience."
And because risk assessment should be an ongoing and adaptable endeavour, certain elements of the process—such as vulnerability assessments and asset valuations—should continue regularly throughout the security strategy.
Although The CISO Show probably won't grace your TV screen next season, the challenges of IT security are still prime time fodder. The climate of this era, torn between terror alerts and a timid economy, has forced us to focus simultaneously on defense and value, on the implementation of stringent protection, and on the cost justification of such protection. Although companies cannot fend off every hacker attack with laser beams and pulverisers, they can approach security with the realism it deserves. An accurate risk assessment, coupled with flexibility and an acknowledgment of boundaries, could be the most important mechanism in aligning business and technology, once and for all.
Don't forget your priorities
Many organizations approach IT security with only a vague understanding of the hazards they face. Jennifer Asprey, CISSP and a senior security product manager with Cable & Wireless, says that many C&W customers come looking for managed security "after performing some kind of security assessment" rather than conducting an overall risk analysis. "Most of our customers understand the overall threats in the industry and come to us with a perceived need," Asprey says. "But very few customers understand how to prioritise the risks or determine whether dollars are better spent on one security service versus another."
Prioritisation is a critical but often overlooked step in the risk assessment process. Beyond simply identifying assets and threats, companies must determine which assets are the most valuable, which threats are the most manageable, and which losses are the most tolerable. William Hugh Murray, CISSP and an executive consultant with TruSecure Corporation, offers some helpful rules of thumb: "Do not spend more money mitigating a risk than tolerating it would cost you. And never spend more money making a decision than the value of the decision." In other words, he says, recognize your "implementation-induced limitations"—such as budget, available expertise, and time—and "limit the use of expensive rigor and discipline to those decisions that really require it."
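As an added worked example (my own code, not the article's and not anything from C&W or TruSecure), the following Python puts the quantitative terms the article names (SLE, ALE), the Risk = Threat × Vulnerability × Cost equation, and Murray's rule of thumb above into a small prioritisation routine. The scenario names, dollar figures, probabilities, and the "risk reduction per dollar" ranking are constructed assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass
class Scenario:
    """One threat against one asset, plus a candidate control. All figures
    used below are constructed sample values, not from the article."""
    name: str
    asset_value: float     # dollar value of the asset at risk
    exposure: float        # fraction of that value lost per incident (0..1)
    threat: float          # expected attack attempts per year
    vulnerability: float   # probability that an attempt succeeds (0..1)
    control_cost: float    # annual cost of the proposed control
    control_effect: float  # fraction by which the control cuts vulnerability

    def sle(self):
        # Single loss expectancy: cost of one successful incident
        return self.asset_value * self.exposure
    def ale(self, vulnerability=None):
        # ALE = SLE x ARO, with ARO = threat x vulnerability; this is the
        # article's Risk = Threat x Vulnerability x Cost, taking Cost = SLE
        v = self.vulnerability if vulnerability is None else vulnerability
        return self.sle() * self.threat * v
    def risk_reduction(self):
        # Drop in ALE if the control is deployed (residual vulnerability)
        return self.ale() - self.ale(self.vulnerability * (1 - self.control_effect))
    def worth_funding(self):
        # Murray's rule: never spend more mitigating a risk than tolerating it
        return self.control_cost < self.risk_reduction()

def prioritise(scenarios, budget):
    """Fund worthwhile controls in order of risk reduction per dollar until
    the budget is exhausted; returns the funded control names in that order."""
    ranked = sorted((s for s in scenarios if s.worth_funding()),
                    key=lambda s: s.risk_reduction() / s.control_cost,
                    reverse=True)
    funded, spent = [], 0.0
    for s in ranked:
        if spent + s.control_cost <= budget:
            funded.append(s.name)
            spent += s.control_cost
    return funded

# Constructed sample scenarios (see Scenario fields for the column meaning)
SCENARIOS = [
    Scenario("customer DB breach", 2_000_000, 0.25, 4, 0.10, 60_000, 0.8),
    Scenario("web server DDoS", 500_000, 0.02, 50, 0.50, 40_000, 0.6),
    Scenario("front-door tailgating", 50_000, 0.10, 10, 0.30, 20_000, 0.5),
]
```

With these figures the tailgating control fails Murray's test (it costs $20,000 to remove $7,500 of annual loss expectancy), so a $100,000 budget funds the DDoS control first and the database control second.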
Companies also must consider the usability of the infrastructural components they are protecting. "This is a careful balancing act," says Asprey. "As the security of a given device goes up, the usability goes down." Prioritising risks and assets can help a company better determine the extent to which it is willing to make compromises.
An ounce of prevention?
Does risk management equal risk prevention? No way, experts say. Total technological security does not exist. Our IT infrastructures rely far too heavily on networked connections to survive inside a vacuum. Although total risk prevention is impossible, companies can implement preemptive measures. Examples include: firewall policy modification, installation of intrusion detection devices and software, distributed denial of service (DDoS) mitigation, the review and elimination of vulnerabilities in custom-generated software code, software patch applications, and the strengthening of authentication practices for virtual private network (VPN) users.