In presentations I ask people what they do before going on holiday to ‘secure’ their house. They call out things like ‘turn off the gas’, ‘cancel the milk/post/newspaper’, ‘lock the doors and windows’, ‘board the dog’. This is all baseline sensible stuff. We see it because we are used to being in the physical world, but the e-world is often invisible.
What do I mean, invisible?
If I have 50,000 books I can see them; on the couch, the bed, shelves, tables, chairs …
If I have 50,000,000 ebooks, what do I see? Exactly the same box as if I had only 1.
So all those basic precautions are ‘out of sight, out of mind’.
And then there’s the ‘specialist’ ability to perceive what others don’t.
I’m sure medical doctors will tell us of the many medical conditions they can tell of just by watching someone walk by and looking in their face, the whites of their eyes, the colour and texture of their skin. My optometrist deals with children who are not able to respond to questions about eye tests in the way that adults can, but he can tell the prescription they need by looking in their eyes.
All of which would be meaningless - just another face in the crowd - to the rest of us (…. oh, those fatty deposits around the edges of your eyelids, Anton …). But it’s the sort of skill the real professional has.
So many things are ‘obvious’ to us InfoSec professionals, where we infer causality and risk, but not to the CIO or not even to the IT staff. Why? Because it’s our domain of knowledge.
We may argue among ourselves, but that’s true of any profession.
However, it’s beside the point unless it gives clients the impression that this is all nonsense.
Which end of the egg you crack isn’t what matters.
Having a good breakfast is what matters.
Which gets back to the point Donn Parker makes repeatedly.
Unless you have a good - “Context is Everything” - baseline in place, no method of RA is useful. While you are off pondering your RA - which isn’t, as Donn points out, going to tell you what controls to install - the Bad Guys(tm) have moved in and moved out your crown jewels.
A poor attitude toward IT risk on the part of the BoD (or BoG in some other countries) seems quite common. You present a Risk Analysis and they say “We’ll accept the risk”. Part of this is the difference in attitude to what they see as risk, the business model vs the infosec model. Part of it is ‘emotional’; they don’t, as Donn points out, want to hear or think about the potential for bad things to happen. They are businessmen, they are concerned with profit and growth and opportunity and market and all those B-school things.
Part of it is that we in InfoSec are not doing a good enough job communicating the issues.
What I’m disturbed by is the way that ‘standards bodies’, NIST, ISO and now I see it gaining ground at ISACA, are MANDATING Risk Analysis. In particular mandating it as a prior step rather than as a “gap analysis” after establishing a well considered BASELINE.
Great post by Anton. It aligns well to Rothman's "P-CSO" approach too. We cannot go into the never-ending hamster wheel of pain of Risk Analysis/Assessments before ensuring that at least the minimum is in place.
I would go even farther by saying we don't need RA for the overall security strategy and operation. We need that for specific projects and scope, such as applications. I've just read Stephen Hawking's new book, "The Grand Design". He says that we'll probably never end up with a "Unified Theory of Everything", as most physicists are still looking for, but with a set of theories (models), each one being more useful for a specific context. I see the same thing for security. We'll probably end up using one decision-making model for organization-wide security and another for specific-scope security, such as single environments, networks, services or applications. An example of a "set of models" to be used by an organization in their security activities could be:
- Organization level - Baseline-based security
- Project level - Risk-based model
- Security Operations - Threat based model
I don't know if it's the best set, or even if these are the best scopes for each component of that set, but it illustrates my point that there's no single model for security decisions, and that what we should do is choose the models we'll use.