Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

2005 issa journal-risk-management


Published on

  • Be the first to comment

  • Be the first to like this

2005 issa journal-risk-management

  1. 1. Risk Management Returns Results By Aurobindo Sundaram and Michelle Ward Introduction Sometimes, support is shown by the reporting structure and the power given to the CISO. This can involve reporting up to business operations so Information security practitioners in organizations of all sizes have long that the traditional problem of CISOs (security department is stigmatized struggled to successfully implement and gain support for their programs. as a “technology cost center”) is somewhat mitigated. A major bank which Commonly reporting up to a technology officer, security is often viewed as one of us worked for expanded the scope of the formerly “technical” secu- very expensive and existing only to react to a negative security event that rity department to include physical security, business continuity, fraud, net- may never occur. Clearly, it is difficult to secure executive buy-in for secu- work security, computer forensics, application assessments, governance rity programs when the management team maintains this limited per- and more, empowering the CISO to really manage corporate risk rather spective. However, many security officers neglect to communicate the than simply focus on technology threats. value of corporate security programs to business managers. Positioning the Obviously, federally regulated organizations are able to achieve execu- security team as a “risk management service provider” to the internal tive support for security programs because they are required to demon- organization allows business managers and executives to understand the strate high-level buy-off on initiatives that are outlined by federal auditors. benefit of implementing specific security polices and programs. Facing costly fines for violating regulations or being presented with the In the following sections, we’ll attempt to give the security practitioner option of having your bank shut down because you did not comply with tips about how to align herself in the organization, how to build a security federal standards makes it very easy for CISOs to secure support for their program that will weather budget cuts, how to ensure that business man- programs. Enterprises that are not heavily regulated are presented with a agement is aware of the value that her programs create, and how to meas- decision to accept a certain amount of risk and mitigate what executives ure and prime her programs for success. believe are minimal requirements to maintain a positive corporate image. For these CISOs, it is much more difficult to gain the executive support Organization and Support required to implement successful, comprehensive security programs. This is when it’s time to exercise those “sales skills” and demonstrate value to There are various thoughts on how security should report into manage- the business that will be added by each service offered by the security ment, most expounded by people who’ve tried and failed at other organi- department. Allow business units to accept risk on an individual basis by zation methods. While there is no sure way to gain the support of your signing “risk acceptance” forms that outline security concerns and recom- management, here are some myths and associated actions for the security mendations from the security team. The business unit will then certify that practitioner to understand: it is declining to implement necessary controls to mitigate a specified risk. Business mangers become much more interested in resolving a security Myth: Security must report to business management to be effective issue when they are required to sign a document stating they knowingly Corollary: Security is best served by reporting to Information Technology accepted a potentially significant risk to the organization. “Risk assessment” forms demonstrate that the CISO is performing due diligence by informing These are both somewhat inaccurate. It is certainly advantageous to business units of risk but allows the business managers to make the final report to business management, but without business management sup- decision on what risk can be accepted and what must be mitigated. port, this is not useful. There is also sometimes the perception that secu- rity is a pure IT play as well. Actions: Truth: Reporting is not as important as support and high-level commitment ▲ Try to gain the support that you need from at least one key figure in the organization. We have been at different organizations where support has been demon- ▲ Try to set risk management objectives and metrics for the business. strated in different ways. At a large oilfield services firm that one of us worked at (in IT, no less!), commitment was shown by setting information Program Positioning security objectives from the CEO down (accounting for 20% of their annual bonus). This executive support allowed for the successful implementation of Myth: Obtain funding for security projects annually a mandatory security awareness testing for 75,000 users, vulnerability reme- diation for over 2500 systems, placement and training for 400 security coor- Position your security team as a service provider rather than a cost dinators internationally, and updated anti-virus software for 75,000 desktops. center. It is much easier to increase the size of your budget and head THE ISSA JOURNAL ◆ July 2005 ©2005 Technical Enterprises, Inc. Reproduction of this document without permission is prohibited.
  2. 2. count if you can demonstrate the VALUE of your services. By defining Create a relationship with the most powerful group of peo- your programs as services and developing tools that enable the busi- ple in the organization—the sales team. Many of us hate to admit ness to benefit from these services in a measurable way, the security it, but technology serves no purpose without someone successfully officer will begin walking into his boss’s office with confidence when selling our company’s product or service. It is vital for the security asking for money, as he will be able to demonstrate how many opera- officer to determine how his programs can help retain or secure new tional dollars will be saved as well as revenue secured because of his business by understanding customers through communication with security programs. Executives are always looking for ways to minimize sales. The sales team has the ear of the COO and the CEO, they see expenditures or secure new revenue with customers. The successful the customers every day, know what they want now and what they security officer will impress his executive management team when he will demand in the future. Security as a “business enabler” is com- can walk into their offices with numbers demonstrating cost savings or municated through metrics demonstrating the amount of revenue examples of customer contracts that were secured because of specific secured because of the security and risk management programs programs that are part of his security organization. Concentrating on implemented internally. A smart security officer will measure how how to quantitatively measure security programs will prove to be ulti- his programs have helped to secure customer revenue by meeting mately valuable to the security officer, as many internal operational minimum security requirements. These dollar figures can be more managers neglect to do this then complain later when they don’t easily understood by executives and business managers than a receive funding for their projects. description of a complex technology solution. The security officer will Example: Trying to add Intrusion Prevention System (IPS) functionality also align himself closely with the corporate legal department so to an already implemented defense-in-depth solution using Intrusion that he is aware of the language customers are trying to incorporate Detection Systems (IDS) into contracts. Customer demand obviously provides him with fuel The security executive should sell the benefits of the added (or replace- to his fire of pursuing new security programs that have not yet estab- ment) IPS service, using quantitative arguments, such as: lished in the organization. ▲ We detect 500 viruses propagating in our network every month using our IDS. Of these, we use IDS functionality to detect and Intelligent management of user access for an organization is simple—it resolve 495 of these incidents without significant harm being should rely more heavily on effective process than complicated technology done (mention cost savings of IDS here) solutions. User account provisioning should be fed from a single database ▲ Of the 5 remaining viruses, on average, 1 of them causes a $200K (often a human resources tool such as PeopleSoft) to prevent discrepan- outage every quarter to our enterprise cies that often occur when a variety of systems kick off the creation of user ▲ A properly configured IPS can detect and block these viruses. accounts. Finding a tool that allows security administrators to deprovision ▲ The IPS costs $100K annually (i.e. $8K a month). Doing nothing user accounts across multiple platforms when an individual is terminated costs us $66K a month on average. is vital. Systemically enforcing access controls such as password complex- ▲ In addition, an IPS can be used to detect, alert, and block other ity, expiration and length allows for better protection from hacking malicious activity, such as our employees scanning our HR systems, attempts. When these controls cannot be implemented systemically due to etc. (intangible benefits). platform limitations, they should be enforced through policy, regular audit- ing (such as running password crackers) and remediation. Truth: Programs get continued funding. Projects often don’t. The investment in making an access control solution work effectively is often in the initial setup of the provisioning tool, the systems that interface with it Action: Re-align your projects around scalable, repeatable service initiatives and setting up role-based user groups and policies. Security resources will that are long-lasting, provide value, and can be quantitatively measured for need to build relationships with human resources, payroll and operational sup- success. port teams that manage various authentication platforms across the organiza- tion to ensure that processes run smoothly, roles are defined correctly, and that The Risk Management Approach any changes are communicated to all groups who are impacted. It is important to use regulation and recent events in your planning and Myth: Fear, Uncertainty, and Doubt (FUD) is counter-productive selling efforts. For instance, you should use Sarbanes-Oxley requirements heavily when you try to sell your requirements for access control (provi- This is not always true. Although certain displays of FUD (“think of the sioning, directory services, headcount for security access control analysts, damage to your reputation if this were hacked”) are often overused and periodic role review, etc.). These requirements require resources (typically can be counterproductive, there are many situations in which practical junior-level analysts) and the appropriate tools to implement them. demonstrations of risks are extremely effective. Providing an example of In addition, you should use recent events in the press to make your the actual exploitation of vulnerabilities, we demonstrated to top man- point on needing strong access controls (e.g. heavily publicized identity agement how their retirement information and personal details could be theft instances in the news media). This is certainly one area where the accessed. This immediately resulted in a tripling of headcount for infor- “What if this were us?” FUD argument is actually beneficial, because, for mation security. almost every corporation, the risk of this is very real. Myth: Complex technology solutions will prevent exploitation of user accounts The Magic of Metrics Truth: Simple access control measures are often most effective in preventing How does a security officer sell his programs and demonstrate overall unauthorized access. value to the organization? Through metrics. Metrics empower security offi- ©2005 Technical Enterprises, Inc. Reproduction of this document without permission is prohibited. THE ISSA JOURNAL ◆ July 2005
  3. 3. cers in many ways, but most importantly, they help to communicate busi- Risk Management MAGIC ness risk to managers who could care very little about technology. Quantitative metrics are appreciated by business unit leaders who view ▲ Measure Program Parameters them as meaningful measurements that provide them with insight ▲ Appropriate Organizational Alignment required to make intelligent risk acceptance decisions. By consistently ▲ Generate Value to Organization through Services communicating solid risk metrics internally, security officers can begin to ▲ Internal Relationship Building reform executives who may have previously believed these programs were ▲ Communication of Programs to Customers necessary but added little value to the business. The hardest problem for a security officer is to create the appropriate Security officers must master the art of “selling” their programs metrics for use in his organization. Here are some simple metrics that internally. They must translate costly expenditures related to tech- immediately bring value: nology solutions into methods for managing risks to information assets in an organization. Security leaders must humanize potential ▲ Savings due to viruses blocked by implemented protections (pick a risk and give executives an accurate understanding of how the com- number for the potential loss due to a virus infection—say $100; if pany’s revenue and reputation can be negatively impacted by secu- you block 500 viruses, you just saved the company $50,000). The rity incidents. Business unit managers must be convinced that actual amount is not important; it’s important to pick a reasonable internal security services enable business, differentiating their number and be consistent. Technologists often fall into the trap of organization from competitors by allowing them to meet customer (“Well, our users wouldn’t click on every attachment that came in, demands for minimum protection of their data. anyway”). It doesn’t matter—measure it anyway. ▲ Savings due to spam blocked by implemented protections (we use Today (per month) With spam appliance 8 cents per spam blocked times 4 recipients for each message = Internet e-mails received per user: 100 Cost of spam appliance = 12K Number of users : 5000 Percentage of spam filtered = 95% 32c per spam blocked). Although it seems obvious now, 2 years Percentage of mail that is spam : 10% (say) Cost of spam : 32c ago, it was hard to get funding for spam-blocking devices. Our CISO used a calculation just like this one to convince the CEO that it was Total cost of spam = 5000 * 100 * .1 * .32 Savings: 16000 * .95 = 15200 = 16000 Savings due to appliance = 15200 – OK to spend $12K on a spam-filtering appliance. The ROI was less 1000 (per month for appliance cost) – than a month. A sample presentation is in Figure 1. This is the 2000 (per month for management, etc.) language of business—the quicker you can quantify savings and present it to management, the quicker you’ll be successful. Total savings: $12,200 PER MONTH ▲ Percentage of Internet facing systems with no vulnerabilities: This is typically done by using tools such as Nessus, etc. to continuously Figure 1: A sample calculation and measurement of ROI and savings measure, report, and remediate vulnerabilities. ▲ Percentage of users that have taken security awareness training Overall Vulnerability Security Physical Anti-virus Enablers Savings DR/BCP ▲ Percentage of systems with up-to-date patches North risk assessment awareness security America 3.5 74% 97% 80% 10.4M 1.5M 3 3 ▲ Percentage of systems with up-to-date anti-virus software US 3.8 88% 96% 85% 5.4M .75M 3 3 Canada 4.2 95% 94% 87% 3M .5M 2 4 Mexico 2.7 62% 91% 37% 2M .25M 2 3 Action: Create a risk metrics dashboard for the organization and manage Asia 1.2 97% 95% 87% 3.3M 0.6M 3 3 India 1.1 99% 96% 82% 1.7M 0.34M 2 1 against it. Ensure business management is aware of this dashboard; they China 2.1 94% 94% 84% 1.6M 0.26M 4 3 will appreciate it. Figure 2: Example of a risk dashboard Figure 2 is a simple example of a risk dashboard. You will no doubt want to specify your own variables and scores. Color coding helps the reader to Aurobindo Sundaram, CISSP, CISM, is Director of Network Security at ChoicePoint easily find problem points to remediate. You can do this in Excel or on a Web page for management to browse and drill down where necessary. Michelle Ward, CISSP/CIFI/CISM, is Director of Information Security at ChoicePoint. We’ve found it amazing how quickly a red tab on a business manager’s region will get them to take action on fixing it. Conclusion The next time you are planning how to spend your dollars on training, don’t look in the latest technology journal. Put your money and your mind on building business sense. Learn to design a service organization and support your programs with metrics that mean something to upper man- agement. Stop managing your team as a technology organization and invest in understanding how your programs are enhancing business objec- tives and helping secure future revenue, where possible. Mold your tech- nology group into a sales organization that does more than just implement secure technology solutions. ¡ THE ISSA JOURNAL ◆ July 2005 ©2005 Technical Enterprises, Inc. Reproduction of this document without permission is prohibited.