Risk Management Returns Results
By Aurobindo Sundaram and Michelle Ward
THE ISSA JOURNAL ◆ July 2005 ©2005 Technical Enterprises, Inc. Reproduction of this document without permission is prohibited.

Introduction

Information security practitioners in organizations of all sizes have long struggled to successfully implement and gain support for their programs. Commonly reporting up to a technology officer, security is often viewed as very expensive and existing only to react to a negative security event that may never occur. Clearly, it is difficult to secure executive buy-in for security programs when the management team maintains this limited perspective. However, many security officers neglect to communicate the value of corporate security programs to business managers. Positioning the security team as a “risk management service provider” to the internal organization allows business managers and executives to understand the benefit of implementing specific security policies and programs.

In the following sections, we’ll attempt to give the security practitioner tips about how to align herself in the organization, how to build a security program that will weather budget cuts, how to ensure that business management is aware of the value that her programs create, and how to measure and prime her programs for success.

Organization and Support

There are various thoughts on how security should report into management, most expounded by people who’ve tried and failed at other organization methods. While there is no sure way to gain the support of your management, here are some myths and associated actions for the security practitioner to understand:

Myth: Security must report to business management to be effective
Corollary: Security is best served by reporting to Information Technology

These are both somewhat inaccurate. It is certainly advantageous to report to business management, but without business management support, this is not useful. There is also sometimes the perception that security is a pure IT play.

Truth: Reporting is not as important as support and high-level commitment

We have been at different organizations where support has been demonstrated in different ways. At a large oilfield services firm that one of us worked at (in IT, no less!), commitment was shown by setting information security objectives from the CEO down (accounting for 20% of their annual bonus). This executive support allowed for the successful implementation of mandatory security awareness testing for 75,000 users, vulnerability remediation for over 2500 systems, placement and training for 400 security coordinators internationally, and updated anti-virus software for 75,000 desktops.

Sometimes, support is shown by the reporting structure and the power given to the CISO. This can involve reporting up to business operations so that the traditional problem of CISOs (the security department is stigmatized as a “technology cost center”) is somewhat mitigated. A major bank which one of us worked for expanded the scope of the formerly “technical” security department to include physical security, business continuity, fraud, network security, computer forensics, application assessments, governance and more, empowering the CISO to really manage corporate risk rather than simply focus on technology threats.

Obviously, federally regulated organizations are able to achieve executive support for security programs because they are required to demonstrate high-level buy-off on initiatives that are outlined by federal auditors. Facing costly fines for violating regulations or being presented with the option of having your bank shut down because you did not comply with federal standards makes it very easy for CISOs to secure support for their programs. Enterprises that are not heavily regulated are presented with a decision to accept a certain amount of risk and mitigate what executives believe are minimal requirements to maintain a positive corporate image. For these CISOs, it is much more difficult to gain the executive support required to implement successful, comprehensive security programs. This is when it’s time to exercise those “sales skills” and demonstrate the value that each service offered by the security department will add to the business. Allow business units to accept risk on an individual basis by signing “risk acceptance” forms that outline security concerns and recommendations from the security team. The business unit then certifies that it is declining to implement the controls necessary to mitigate a specified risk. Business managers become much more interested in resolving a security issue when they are required to sign a document stating that they knowingly accepted a potentially significant risk to the organization. “Risk assessment” forms demonstrate that the CISO is performing due diligence by informing business units of risk, but allow the business managers to make the final decision on what risk can be accepted and what must be mitigated.

Actions:
▲ Try to gain the support that you need from at least one key figure in the organization.
▲ Try to set risk management objectives and metrics for the business.

Program Positioning

Myth: Obtain funding for security projects annually

Position your security team as a service provider rather than a cost center. It is much easier to increase the size of your budget and headcount if you can demonstrate the VALUE of your services. By defining your programs as services and developing tools that enable the business to benefit from these services in a measurable way, the security officer will begin walking into his boss’s office with confidence when asking for money, as he will be able to demonstrate how many operational dollars will be saved as well as revenue secured because of his security programs. Executives are always looking for ways to minimize expenditures or secure new revenue with customers. The successful security officer will impress his executive management team when he can walk into their offices with numbers demonstrating cost savings or examples of customer contracts that were secured because of specific programs that are part of his security organization. Concentrating on how to quantitatively measure security programs will prove to be ultimately valuable to the security officer, as many internal operational managers neglect to do this and then complain later when they don’t receive funding for their projects.

Create a relationship with the most powerful group of people in the organization—the sales team. Many of us hate to admit it, but technology serves no purpose without someone successfully selling our company’s product or service. It is vital for the security officer to determine how his programs can help retain or secure new business by understanding customers through communication with sales. The sales team has the ear of the COO and the CEO; they see the customers every day and know what they want now and what they will demand in the future. Security as a “business enabler” is communicated through metrics demonstrating the amount of revenue secured because of the security and risk management programs implemented internally. A smart security officer will measure how his programs have helped to secure customer revenue by meeting minimum security requirements. These dollar figures can be more easily understood by executives and business managers than a description of a complex technology solution. The security officer will also align himself closely with the corporate legal department so that he is aware of the language customers are trying to incorporate into contracts. Customer demand obviously provides fuel to his fire of pursuing new security programs that have not yet been established in the organization.

Example: Trying to add Intrusion Prevention System (IPS) functionality to an already implemented defense-in-depth solution using Intrusion Detection Systems (IDS)

The security executive should sell the benefits of the added (or replacement) IPS service, using quantitative arguments, such as:
▲ We detect 500 viruses propagating in our network every month using our IDS. Of these, we use IDS functionality to detect and resolve 495 incidents without significant harm being done (mention cost savings of IDS here).
▲ Of the 5 remaining viruses, on average, 1 of them causes a $200K outage every quarter to our enterprise.
▲ A properly configured IPS can detect and block these viruses.
▲ The IPS costs $100K annually (i.e. $8K a month). Doing nothing costs us $66K a month on average.
▲ In addition, an IPS can be used to detect, alert, and block other malicious activity, such as our employees scanning our HR systems, etc. (intangible benefits).

Truth: Programs get continued funding. Projects often don’t.

Action: Re-align your projects around scalable, repeatable service initiatives that are long-lasting, provide value, and can be quantitatively measured for success.

The Risk Management Approach

Myth: Fear, Uncertainty, and Doubt (FUD) is counter-productive

This is not always true. Although certain displays of FUD (“think of the damage to your reputation if this were hacked”) are often overused and can be counterproductive, there are many situations in which practical demonstrations of risks are extremely effective. By providing an example of the actual exploitation of vulnerabilities, we demonstrated to top management how their retirement information and personal details could be accessed. This immediately resulted in a tripling of headcount for information security.

Myth: Complex technology solutions will prevent exploitation of user accounts
Truth: Simple access control measures are often most effective in preventing unauthorized access.

Intelligent management of user access for an organization is simple—it should rely more heavily on effective process than on complicated technology solutions. User account provisioning should be fed from a single database (often a human resources tool such as PeopleSoft) to prevent the discrepancies that often occur when a variety of systems kick off the creation of user accounts. Finding a tool that allows security administrators to deprovision user accounts across multiple platforms when an individual is terminated is vital. Systemically enforcing access controls such as password complexity, expiration and length allows for better protection from hacking attempts. When these controls cannot be implemented systemically due to platform limitations, they should be enforced through policy, regular auditing (such as running password crackers) and remediation.

The investment in making an access control solution work effectively is often in the initial setup of the provisioning tool, the systems that interface with it, and setting up role-based user groups and policies. Security resources will need to build relationships with human resources, payroll and operational support teams that manage the various authentication platforms across the organization, to ensure that processes run smoothly, roles are defined correctly, and any changes are communicated to all groups who are impacted.

It is important to use regulation and recent events in your planning and selling efforts. For instance, you should lean heavily on Sarbanes-Oxley requirements when you try to sell your requirements for access control (provisioning, directory services, headcount for security access control analysts, periodic role review, etc.). Meeting these requirements takes resources (typically junior-level analysts) and the appropriate tools.

In addition, you should use recent events in the press to make your point on needing strong access controls (e.g. heavily publicized identity theft instances in the news media). This is certainly one area where the “What if this were us?” FUD argument is actually beneficial, because, for almost every corporation, the risk of this is very real.
The Magic of Metrics

How does a security officer sell his programs and demonstrate overall value to the organization? Through metrics. Metrics empower security officers in many ways, but most importantly, they help to communicate business risk to managers who could care very little about technology.
Quantitative metrics are appreciated by business unit leaders, who view them as meaningful measurements that provide the insight required to make intelligent risk acceptance decisions. By consistently communicating solid risk metrics internally, security officers can begin to reform executives who may have previously believed these programs were necessary but added little value to the business.

Risk Management MAGIC
▲ Measure Program Parameters
▲ Appropriate Organizational Alignment
▲ Generate Value to Organization through Services
▲ Internal Relationship Building
▲ Communication of Programs to Customers

Security officers must master the art of “selling” their programs internally. They must translate costly expenditures related to technology solutions into methods for managing risks to information assets in an organization. Security leaders must humanize potential risk and give executives an accurate understanding of how the company’s revenue and reputation can be negatively impacted by security incidents. Business unit managers must be convinced that internal security services enable business, differentiating their organization from competitors by allowing them to meet customer demands for minimum protection of their data.

The hardest problem for a security officer is to create the appropriate metrics for use in his organization. Here are some simple metrics that immediately bring value:

▲ Savings due to viruses blocked by implemented protections (pick a number for the potential loss due to a virus infection—say $100; if you block 500 viruses, you just saved the company $50,000). The actual amount is not important; it’s important to pick a reasonable number and be consistent. Technologists often fall into the trap of thinking “Well, our users wouldn’t click on every attachment that came in, anyway.” It doesn’t matter—measure it anyway.
▲ Savings due to spam blocked by implemented protections (we use 8 cents per spam blocked times 4 recipients for each message = 32c per spam blocked). Although it seems obvious now, 2 years ago it was hard to get funding for spam-blocking devices. Our CISO used a calculation just like this one to convince the CEO that it was OK to spend $12K on a spam-filtering appliance. The ROI was less than a month. A sample presentation is in Figure 1. This is the language of business—the quicker you can quantify savings and present it to management, the quicker you’ll be successful.
▲ Percentage of Internet facing systems with no vulnerabilities: This is typically done by using tools such as Nessus, etc. to continuously measure, report, and remediate vulnerabilities.
▲ Percentage of users that have taken security awareness training
▲ Percentage of systems with up-to-date patches
▲ Percentage of systems with up-to-date anti-virus software

Figure 1: A sample calculation and measurement of ROI and savings

Today (per month)
  Internet e-mails received per user: 100
  Number of users: 5000
  Percentage of mail that is spam: 10% (say)
  Cost of spam: 32c
  Total cost of spam = 5000 * 100 * .1 * .32 = 16000

With spam appliance
  Cost of spam appliance = 12K
  Percentage of spam filtered = 95%
  Savings: 16000 * .95 = 15200
  Savings due to appliance = 15200 – 1000 (per month for appliance cost) – 2000 (per month for management, etc.)
  Total savings: $12,200 PER MONTH
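The IPS argument in the Program Positioning section and the spam-appliance calculation in Figure 1 are the same computation in two guises: an expected monthly loss, the share of it a control removes, and the control’s own recurring cost. As an added example (not code from the article or its authors), the block below captures that in one small model and recomputes both cases with the article’s own figures; the function and parameter names are assumptions, the numbers are the page’s.

```python
"""Control business cases in the article's own units (dollars per month).

Added example, not from the article or its authors: one small model that
recomputes the IPS argument from the Program Positioning section and the
spam-appliance numbers from Figure 1, so the same function can be reused for
any control. Parameter names are assumptions; the input values are the
article's.
"""


def monthly_expected_loss(incidents_per_quarter, cost_per_incident):
    """Average monthly loss from incidents that current controls fail to stop."""
    return incidents_per_quarter * cost_per_incident / 3


def control_case(expected_loss_per_month, prevented_fraction,
                 recurring_cost_per_month, one_time_cost=0.0):
    """Net monthly savings and payback period (months) for a proposed control.

    prevented_fraction: share of the expected loss the control stops (0..1)
    recurring_cost_per_month: licence/appliance cost plus the staff to run it
    one_time_cost: purchase price, recovered over the payback period
    """
    avoided = expected_loss_per_month * prevented_fraction
    net = avoided - recurring_cost_per_month
    payback = one_time_cost / net if net > 0 else float("inf")
    return {"avoided": avoided, "net_monthly": net, "payback_months": payback}


def ips_case():
    """IPS vs. IDS-only: one $200K outage per quarter slips past the IDS;
    the IPS costs $100K a year and would block those viruses."""
    loss = monthly_expected_loss(incidents_per_quarter=1, cost_per_incident=200_000)
    return control_case(loss, prevented_fraction=1.0,
                        recurring_cost_per_month=100_000 / 12)


def spam_case():
    """Figure 1: 5000 users x 100 mails x 10% spam x 32c per spam = $16,000/month;
    appliance $12K one-time, filters 95%, $1,000/month appliance + $2,000/month management."""
    cost_per_spam = 0.08 * 4                 # 8 cents x 4 recipients per message
    loss = 5000 * 100 * 0.10 * cost_per_spam
    return control_case(loss, prevented_fraction=0.95,
                        recurring_cost_per_month=1_000 + 2_000, one_time_cost=12_000)


def blocked_savings(count, assumed_loss_each):
    """The 'savings due to viruses blocked' metric: a fixed, consistent unit value."""
    return count * assumed_loss_each


if __name__ == "__main__":
    for name, case in (("IPS", ips_case()), ("Spam appliance", spam_case())):
        print(f"{name}: net ${case['net_monthly']:,.0f}/month, "
              f"payback {case['payback_months']:.2f} months")
    print(f"Viruses blocked this month: ${blocked_savings(500, 100):,}")
```

The payback figure is what the article calls ROI of “less than a month” ($12K recovered from $12,200 of monthly savings); the recurring management cost is the line most business cases forget, and it is the one executives will ask about.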
Action: Create a risk metrics dashboard for the organization and manage against it. Ensure business management is aware of this dashboard; they will appreciate it.

Figure 2: Example of a risk dashboard

Region         Overall  Vulnerability  Security   Anti-  Enablers  Savings  Physical  DR/BCP
               risk     assessment     awareness  virus                     security
North America  3.5      74%            97%        80%    10.4M     1.5M     3         3
US             3.8      88%            96%        85%    5.4M      .75M     3         3
Canada         4.2      95%            94%        87%    3M        .5M      2         4
Mexico         2.7      62%            91%        37%    2M        .25M     2         3
Asia           1.2      97%            95%        87%    3.3M      0.6M     3         3
India          1.1      99%            96%        82%    1.7M      0.34M    2         1
China          2.1      94%            94%        84%    1.6M      0.26M    4         3

Figure 2 is a simple example of a risk dashboard. You will no doubt want to specify your own variables and scores. Color coding helps the reader to easily find problem points to remediate. You can do this in Excel or on a Web page for management to browse and drill down where necessary. We’ve found it amazing how quickly a red tab on a business manager’s region will get them to take action on fixing it.
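The color-coded Web page the paragraph above suggests, as an added example that is not code from the article or its authors: the rows are the Figure 2 values, each percentage and 1–5 score is turned into a traffic-light color against a threshold, and the red cells are listed as the remediation queue. The thresholds are assumptions to be replaced with your own; the overall-risk and dollar columns are shown as given without coloring, because the article does not define their scale.

```python
"""Risk dashboard with colour coding, in the style of Figure 2.

Added example, not from the article: the rows are the Figure 2 values as
printed; the thresholds that turn a cell red, yellow or green are assumptions
to be replaced with your own. Dollar columns and the overall score are shown
as given, without colouring, since the article does not define their scale.
"""
from html import escape

COLUMNS = ["Overall risk", "Vulnerability assessment", "Security awareness",
           "Anti-virus", "Enablers ($M)", "Savings ($M)", "Physical security", "DR/BCP"]
PERCENT_COLUMNS = ("Vulnerability assessment", "Security awareness", "Anti-virus")

# (region, overall, vuln %, awareness %, anti-virus %, enablers, savings, physical 1-5, DR/BCP 1-5)
ROWS = [
    ("North America", 3.5, 74, 97, 80, 10.4, 1.5, 3, 3),
    ("US",            3.8, 88, 96, 85, 5.4, 0.75, 3, 3),
    ("Canada",        4.2, 95, 94, 87, 3.0, 0.5, 2, 4),
    ("Mexico",        2.7, 62, 91, 37, 2.0, 0.25, 2, 3),
    ("Asia",          1.2, 97, 95, 87, 3.3, 0.6, 3, 3),
    ("India",         1.1, 99, 96, 82, 1.7, 0.34, 2, 1),
    ("China",         2.1, 94, 94, 84, 1.6, 0.26, 4, 3),
]

# Assumed thresholds: value >= green_at is green, >= yellow_at is yellow, else red.
THRESHOLDS = {
    "Vulnerability assessment": (90, 75),
    "Security awareness": (95, 85),
    "Anti-virus": (95, 80),
    "Physical security": (4, 3),
    "DR/BCP": (4, 3),
}


def colour(metric, value):
    """Traffic-light colour for one cell; informational columns stay white."""
    if metric not in THRESHOLDS:
        return "white"
    green_at, yellow_at = THRESHOLDS[metric]
    if value >= green_at:
        return "green"
    return "yellow" if value >= yellow_at else "red"


def red_cells(rows=ROWS):
    """(region, metric, value) for every cell a business manager must act on."""
    out = []
    for region, *values in rows:
        for metric, value in zip(COLUMNS, values):
            if colour(metric, value) == "red":
                out.append((region, metric, value))
    return out


def render_html(rows=ROWS):
    """A browsable dashboard page: one table, the colour set in each cell's style."""
    head = "".join(f"<th>{escape(c)}</th>" for c in ["Region"] + COLUMNS)
    body = []
    for region, *values in rows:
        cells = [f"<td>{escape(region)}</td>"]
        for metric, value in zip(COLUMNS, values):
            shown = f"{value}%" if metric in PERCENT_COLUMNS else str(value)
            cells.append(f'<td style="background:{colour(metric, value)}">{shown}</td>')
        body.append("<tr>" + "".join(cells) + "</tr>")
    return f"<table><tr>{head}</tr>" + "".join(body) + "</table>"


if __name__ == "__main__":
    for region, metric, value in red_cells():
        print(f"RED  {region:<14} {metric}: {value}")
    print(render_html())   # save to a file on the intranet for management to browse
```

With these thresholds the queue is Mexico’s vulnerability, anti-virus and physical scores, North America’s vulnerability coverage, and the physical and DR/BCP scores for Canada and India; changing a threshold changes the queue, which is exactly the conversation to have with the regional managers before publishing the page.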
Conclusion

The next time you are planning how to spend your dollars on training, don’t look in the latest technology journal. Put your money and your mind on building business sense. Learn to design a service organization and support your programs with metrics that mean something to upper management. Stop managing your team as a technology organization and invest in understanding how your programs are enhancing business objectives and helping secure future revenue, where possible. Mold your technology group into a sales organization that does more than just implement secure technology solutions.

Aurobindo Sundaram, CISSP, CISM, is Director of Network Security at ChoicePoint.
Michelle Ward, CISSP/CIFI/CISM, is Director of Information Security at ChoicePoint.