Manage Risk by Measuring “Flow”

Pravin Kothari

Last blog I summarized some of the key points from Bob West's session at the Accenture and Agiliance CISO Roundtable.  Bob made the point that it is critical for CISOs to speak about and measure risk.  The natural follow-up question is then: what risks do you measure, and how do you measure them?  Scott Charbo, Vice President at Accenture and former CIO of the Department of Homeland Security, presented and discussed that topic.  Here are some of the key insights I would like to share from that discussion.

Risks exist in every part of the business.  Security risk is one type of risk.  Other risks include privacy risk, compliance risk, credit risk, environmental risk, disaster risk, third-party risk, and much more.  The CISO organization has traditionally dealt with information security risks, especially around threat and vulnerability management and access management.  These are topics that traditionally reside exclusively within the security function, and the CISO has control over them.  While some organizations are more mature than others, implementing proper technologies and processes, and translating these threats into some type of risk metric, is something most CISOs are very capable of addressing.  What is increasingly evident is the challenge of security risk emerging from other parts of the enterprise that the CISO's organization does not control and, in many cases, is not even aware of or has no visibility into.  These risks are now growing exponentially because of the introduction of new consumer and enterprise technologies.  Scott's presentation was titled "An Expanded Security Ecology With Outcomes In Mind".  Scott introduced some interesting concepts about what risks to measure, and how and where to measure them, in order to optimize the deployment of precious security resources.

The dynamics within an organization are all based on "flow": the flows of information, processes, services, and data on our networks.  Today businesses are already managing the availability of these flows.  From IT's perspective, the focus has traditionally been on how many 9's are required in availability and how to maintain that availability.  From security's perspective, it has been about managing the security of those flows.  Traditionally the CISO organization has deployed various tools like IDS, IPS, content filtering, SIEM and now DLP to help secure these flows.  Risk reports from these tools and data points do not take into account risk factors from policy, processes and other operations.  Still, the focus has been on monitoring the data points IT knows about and has controls over, namely IT infrastructure and endpoints.

When a bad thing happens and disrupts the flows, whether it is a breach, an outage, etc., some new exposure in the broader flow is often identified.  These new, previously unknown risks that organizations uncover can often be traced back to sources outside of the IT organization.  Management of flows across departmental boundaries tends to be by policy, manual processes for compliance, service levels, etc.  To gain control over certain risks, CISOs must expand their focus to the broader organization and put the right controls in other business processes such as architecture, operations, policy and compliance, acquisition, and budget.  Too often CISOs just resort to implementing compensating controls within IT to protect against risk originating from outside IT, and these controls are often costly and imperfect.  By measuring and managing the risks of broader flows across departments, CISOs can better control some of these emerging risks and even prevent some as yet unknown risks.

Here are a few examples to illustrate the point:

  • To control the risk of privileged user access, it may be necessary to monitor the process flow between human resources and data center operations.  Accounts may not be reset or removed when a DBA changes job or leaves the company.
  • Risk metrics should take into account not only information security, but also policy compliance, process checks, physical security, business value, etc.
  • Risk should be assessed as a system or project flows from RFI to procurement to deployment, not only once it is in production, covering its budget risk, third-party risk, IT architecture risk, policy compliance risk, security risk, etc.
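The first example above, the flow between human resources and data center operations, is one that can be measured directly.  The reconciliation check below is an added illustration and not code from the original post or from Agiliance; it assumes a constructed HR roster export and a constructed list of privileged database accounts, each carrying an employee id as its owner, and reports accounts whose owner has left, has moved to a non-privileged role, or has no HR record at all, together with the share of accounts affected as a simple risk metric for that flow.

```python
# Reconcile privileged accounts against the HR roster (joiner/mover/leaver check).
# All data below is constructed sample input, not real employees or systems.
HR_ROSTER = [
    {"employee_id": "E100", "status": "active", "role": "DBA"},
    {"employee_id": "E101", "status": "active", "role": "Analyst"},    # moved off the DBA team
    {"employee_id": "E102", "status": "terminated", "role": "DBA"},    # left the company
]

PRIVILEGED_ACCOUNTS = [
    {"account": "dba_alice", "owner": "E100", "host": "db-prod-01"},
    {"account": "dba_bob", "owner": "E101", "host": "db-prod-01"},
    {"account": "dba_carol", "owner": "E102", "host": "db-prod-02"},
    {"account": "dba_svc", "owner": "E999", "host": "db-prod-02"},    # owner unknown to HR
]

# Roles whose holders are entitled to a privileged database account (assumed policy).
PRIVILEGED_ROLES = {"DBA"}


def find_orphaned_privileged_accounts(roster, accounts, privileged_roles=PRIVILEGED_ROLES):
    """Return (account, host, reason) for every account the HR record no longer justifies."""
    by_id = {e["employee_id"]: e for e in roster}
    findings = []
    for acct in accounts:
        emp = by_id.get(acct["owner"])
        if emp is None:
            findings.append((acct["account"], acct["host"], "no HR record for owner"))
        elif emp["status"] != "active":
            findings.append((acct["account"], acct["host"], "owner no longer employed"))
        elif emp["role"] not in privileged_roles:
            findings.append((acct["account"], acct["host"], "owner moved to non-privileged role"))
    return findings


def orphaned_account_ratio(roster, accounts, privileged_roles=PRIVILEGED_ROLES):
    """Risk metric for the HR -> data center flow: share of privileged accounts with no valid owner."""
    if not accounts:
        return 0.0
    return len(find_orphaned_privileged_accounts(roster, accounts, privileged_roles)) / len(accounts)


if __name__ == "__main__":
    for account, host, reason in find_orphaned_privileged_accounts(HR_ROSTER, PRIVILEGED_ACCOUNTS):
        print(f"{account}@{host}: {reason}")
    print(f"orphaned privileged account ratio: {orphaned_account_ratio(HR_ROSTER, PRIVILEGED_ACCOUNTS):.2f}")
```

Run periodically, the ratio (or the raw findings count) gives the CISO a number for a risk that lives between two departments rather than inside IT's own tooling.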

Successful CISOs who can keep up with the growing risk challenges must think outside of the box that is IT and start thinking in terms of the broader security ecology within the enterprise.
