Location, Location, Location: What Works in Real Estate Works in Risk Management

Wednesday, March 21, 2012

Edwin Covert


Computers and information systems are an intrinsic part of the modern world. There are few places left on the planet that are not reachable through some form of information or communication system, whether a personal computer, a laptop, or a smartphone.

According to the research firm Gartner, “Worldwide mobile phone sales to end users totaled 417 million units in the third quarter of 2010, a 35 percent increase from the third quarter of 2009” (Gartner). There is a second edge to this communication-systems sword: cybercrime and hacking.

Governments, corporations, and non-profit organizations face a relentless assault on their networks and infrastructures. These attacks come at an enormous and increasing cost. According to Security Magazine, every cybercrime incident carries costs not only for detecting the attack, but also for containing it, recovering from it, and protecting against the next one.

As cybercrime costs rise, organizations need to ensure they are maximizing the return on their risk management investment. An effective way of doing this is to make sure the information security or risk management team is properly aligned within the organization.

According to the Norton Cybercrime Report, the global cost of cybercrime in 2010 was $114 billion (Help Net Security). If the cost of lost time is figured into that value, the total is a staggering $274 billion. Norton claims that the global cost of cybercrime is higher than the value of marijuana, cocaine, and heroin sold on the world’s black markets combined (Help Net Security).

On a per-incident basis, according to Security Magazine, “each attack took 18 days and $416,000 to fix”. Unfortunately, these costs are increasing. The magazine reported in 2011 that “the cost of dealing with cybercrime went up 56 percent this year, with organizations paying anywhere from $1.5 million to $36.5 million a year for protection and recovery” (Security Magazine).

Preventing every attack, or eliminating every possible “attack surface,” is impossible, according to Michael Vangelos, CISSP. Vangelos has 23 years of information technology experience, including a dozen years specializing in information and cyber security. In “Managing the Response to a Computer Security Incident” in the Handbook of Information Security Management (edited by Harold Tipton and Micki Krause), Vangelos writes:

"Organizations typically devote substantial information security resources to the prevention of attacks on computer systems. Strong authentication is used, with passphrases that change regularly, tokens, digital certificates, and biometrics. Information owners spend time assessing risk. Network components are kept in access-controlled areas. The least privilege model is used as a basis for access control. There are layers of software protecting against malicious code. Operating systems are hardened, unneeded services are disabled, and privileged accounts are kept to a minimum. Some systems undergo regular audits, vulnerability assessments, and penetration testing. Add it all up, and these activities represent a significant investment of time and money."

Furthermore, Romi Mahajan, chief marketing officer for an interactive marketing and technology consultancy, writing in SiliconIndia, says, “no enterprise will ever be 100 percent secure. That is a fact”. That is because, according to Mahajan, each enterprise has a unique risk profile and tolerance level for dealing with threats and vulnerabilities.

Mahajan says “security needs to be understood as a core business imperative and the way an enterprise manages its security posture needs to relate directly to the way it wants to manage its business risk”. However, he goes on to say there are no “pat answers to security; and reducing it to a matter of hardening servers or locking down applications is [a] huge mistake, albeit one made by many enterprises”.

Most organizations appear to gather the individual elements of this protection and risk management effort into a single team, and to place that team inside the IT department. According to Mahajan, this is a mistake that management often makes. He says “if the responsibility for security sits in – and only in – the IT department . . . [it] will bode ill for an enterprise’s ability to manage risk”.

Mahajan’s concern centers on the tendency of an IT group or division to view security through the lens of its own functional vantage point; that is, technology-focused people tend toward technology-focused solutions to problems. He would prefer a more holistic approach to risk management that involves an organization’s personnel, its processes, its policies AND its technology. After all, he says, “technical solutions alone won’t do the job”.

Two other well-respected practitioners share Mahajan’s view on this subject. Eric Maiwald and Bill Sieglein are the authors of Security Planning & Disaster Recovery. Maiwald is an analyst in security and risk management strategies for Gartner with more than 20 years of experience in the IT security industry.

Sieglein is the founder and CEO of the Chief Information Security Officer (CISO) Executive Network, a professional organization that provides a secure forum for information security, IT risk management, privacy, and compliance executives to discuss areas of common concern. Previously, Sieglein was the Chief Security Officer for the Public Company Accounting Oversight Board (PCAOB), established under the Sarbanes-Oxley Act.

According to Maiwald and Sieglein, IT ends up taking operational control of risk management functions because an information security program “usually develops out of the IT department's need for security policy and incident response”. Maiwald and Sieglein note that locating the information security, or risk management, team within the information technology department limits that team’s scope.

There is a maxim that says if the only tool one has is a hammer, everything looks like a nail. Maiwald and Sieglein assert, as did Mahajan, that placing information security inside information technology forces the team into exactly this position.

Instead, Maiwald and Sieglein argue that a risk management organization needs to foster two distinct lines of communication: one with the technology organization and one with the lines of business. The technical communication line “build[s] on the ability of security staff to explain and understand technical issues”.

The other communication direction is more important, according to Maiwald and Sieglein: “If the security staff understands nothing else, they must understand that their job is to assist the organization in performing its primary business function. With that said, the security department must form business relationships within the organization. These are relationships where security supports the primary business function”.

Maiwald and Sieglein recommend an organization that crosses functions and lines of communication. To accomplish this, the placement of the risk management team within the larger organization is critical, as noted previously. They recommend two possibilities:

"The first would have security reporting directly to the president or CEO. This location gives the information security department the largest possible scope and the highest possible visibility in the organization. While this reporting point is good for information security, it is not always possible. Some organizations do not wish to elevate the head of information security to the senior management team for example. The second good alternative would place the information security department under the organization's general counsel. This moves the department from directly reporting to the President or CEO and yet still allows the department to have a large scope (the general counsel usually can act throughout the organization). Given that many security issues are also becoming legal issues, placement here is certainly appropriate."

While it is certainly critical to have the right personnel on the risk management team, “just hire the right people” is a red herring as an argument: every organization that has ever existed has wanted, and still wants, the best people available. It follows that where one places the information security or risk management group is of paramount importance to that organization’s ability to protect against information security threats and vulnerabilities.

In an article entitled “Embedding Information Security into the Organization” in IEEE Security & Privacy, M. Eric Johnson (director of the Tuck School of Business’ Glassmeyer/McNamee Center for Digital Strategies at Dartmouth College) and Eric Goetz (associate director for research at the Institute for Information Infrastructure Protection (I3P) at Dartmouth College) argue that location within an organization is not the most important consideration when developing an information security program:

“it’s less important how a security organization is structured and more important that the organization has the right people to implement security successfully, meaning individuals who take ownership of security and build good relationships with others in the organization and external partners”.

As Johnson and Goetz point out regarding personnel, the individuals on a risk management team need to be more than the technical experts one would find in an IT department. Those key personnel also need the ability to reach out to other functions in the business and to understand that security is a function of the business. A risk management professional does not manage risk simply for its own sake. Organizations manage risk to support a larger goal: the organization’s mission.

Johnson and Goetz also note that funding is a key consideration in where an organization locates its information security or risk management team: “Security organizations’ funding streams also vary, but for most large firms, the CIO ultimately controls and approves funding. If the security organization reports to the head of an operational unit or other senior executive, that person (or persons) might control the budget as well.

In cases in which operational security functions (for example, protecting the organization’s infrastructure against viruses or denial-of-service [DoS] attacks) are separated from more strategic or compliance-related security functions, several different sources might control funding”. While funding is an important consideration, if that funding is being used ineffectively, then it should be a secondary one.

How does an organization decide whether the placement of its risk management or information security program is effective? Sumit Ghosh, Manu Malek-Zavarei, and Edward Stohr say it needs to be assessed. As the authors of Guarding Your Business: A Management Approach to Security, they state:

"Perhaps one of the best approaches to determining, implementing, and continually evaluating the information security organization is to institute a process of assessment using both internal and external resources. Information security assessments can provide important evaluations of the information security program with respect to the business and organizational context. The organizational aspect of the assessment should address the areas addressed previously such as security roles and responsibilities, protection processes, detection processes, response processes, governance, and leadership. A variety of assessment approaches exist that may provide topical guidance and promote consistent standards."

They recommend evaluating the organization against standards such as the National Security Agency’s Information Assurance Methodology or the Software Engineering Institute’s OCTAVE approach. Either method would help measure an organization’s effectiveness. Once an organization has been assessed, changes to the organizational location or structure can be made on the basis of meaningful metrics instead of intuition.

Information security or risk management is difficult. There are many considerations to take into account. New software creates new vulnerabilities. Threats and threat actors change constantly. It is expensive as well: as Security Magazine notes, the costs of information security incidents continue to increase.

In a time of constrained resources, organizations need to ensure they are maximizing their return on investment. An effective way of doing this is to make sure the information security or risk management team is properly aligned within the organization.

Works Cited:

Maiwald, Eric and William Sieglein. Security Planning & Disaster Recovery. New York: McGraw-Hill/Osborne, 2002. eBook.

Carnegie Mellon University. Cyber Security Engineering. 11 December 2011. Web. 13 February 2012.

Gartner. Gartner Says Worldwide Mobile Phone Sales Grew 35 Percent in Third Quarter 2010. Egham, UK, 7 November 2010. Web.

Ghosh, Sumit, Manu Malek-Zavarei and Edward A. Stohr. Guarding Your Business: A Management Approach to Security. EBSCOhost: Springer Science & Business Media, 2004. eBook. 18 February 2012.

Help Net Security. Global Cost of Cybercrime? $114 Billion Annually. 7 September 2011. Web. 15 February 2012.

Johnson, M. Eric and Eric Goetz. "Embedding Information Security into the Organization." IEEE Security & Privacy (2007): 16-24. Web. 18 February 2012.

Mahajan, Romi. "Managing Business Risk In The Enterprise: Viewing Security Holistically." Siliconindia (2004): 26-30. Web. 10 February 2012.

Security Magazine. "Cyber Crime Costs Jump 56 Percent." Security: Solutions for Enterprise Security Leaders (2011): 18. Web.

Vangelos, Michael. "Managing the Response to a Computer Security Incident." Handbook of Information Security Management. Ed. Micki Krause and Harold R. Tipton. New York: Taylor & Francis Routledge, 2005. 2521-2534. eBook.
