Information Risk Management in Context
From the Editors of ITSC
When people discuss "risk," they often speak as if it were a single thing, or as if it simply meant "vulnerabilities." But risk is actually made up of several components:
- Assets (resources of value)
- Threats (the number and capability of actors interested in attacking those assets)
- Vulnerabilities (possible points of exploitation)
Combining these components gives a clearer picture of an organization's aggregate information risk:
Risk = Assets x Threats x Vulnerabilities
In such an "equation," each term should be rated "high," "medium," "low," or possibly "zero." Assigning precise numbers would imply a precision the inputs do not have. The multiplicative form also makes one consequence explicit: if any one factor is zero, so is the risk. A vulnerability in a system that protects nothing of value, or that no threat actor is interested in, produces no risk, however severe it looks in isolation. Looking at risk this way reveals that "risk decisions" need to be made by people who have complete information: people who know, in other words, what values to assign to those assets, threats, and vulnerabilities.
For example, an individual network administrator should not decide to accept a risk to the entire enterprise; the president or CEO should make that decision. Complete information means understanding the business ramifications of the risk. Too often, executives decide to accept risks based on wishful thinking, or even on misrepresentations by their staff.
Only with complete information, then, can overall cyber security risk be assessed. How can that information be obtained? There's an old saying: "You cannot secure what you cannot manage, and you cannot manage what you cannot measure." Or, as renowned management analyst Peter Drucker once observed, "What gets measured, gets done."
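The equation above, worked through as a small qualitative risk register. This is an added example, not code from the original article: the asset names and ratings are constructed, and the combination rule is an assumption (ordinal ranks are used only to order entries, never as measurements). It shows the two properties the text relies on: a zero in any factor zeroes the risk, and an entry with an unknown factor is reported as unassessable rather than silently rated.

```python
"""Qualitative risk register: Risk = Assets x Threats x Vulnerabilities.

Added example for illustration; not from the original article.
Assumption: ranks 0..3 order the ordinal levels and the product of
ranks is bucketed back into a level. The numbers carry no meaning
beyond ordering.
"""
from enum import IntEnum


class Level(IntEnum):
    ZERO = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3


UNKNOWN = None  # a factor nobody has rated yet: incomplete information


def combine(asset, threat, vulnerability):
    """Combine three ordinal ratings into one ordinal risk level.

    Returns UNKNOWN if any factor is unknown (risk cannot be assessed),
    Level.ZERO if any factor is zero, otherwise a bucketed level.
    """
    factors = (asset, threat, vulnerability)
    if any(f is UNKNOWN for f in factors):
        return UNKNOWN
    if any(f == Level.ZERO for f in factors):
        return Level.ZERO
    # Assumed bucketing of the rank product (possible values 1..27):
    # 1-3 -> LOW, 4-9 -> MEDIUM, 12-27 -> HIGH.
    score = int(asset) * int(threat) * int(vulnerability)
    if score >= 12:
        return Level.HIGH
    if score >= 4:
        return Level.MEDIUM
    return Level.LOW


# Constructed register entries: (name, assets, threats, vulnerabilities).
REGISTER = [
    ("customer database", Level.HIGH, Level.HIGH, Level.MEDIUM),
    ("lab test VM", Level.LOW, Level.MEDIUM, Level.HIGH),
    ("decommissioned print server", Level.ZERO, Level.HIGH, Level.HIGH),
    ("vendor VPN gateway", Level.HIGH, UNKNOWN, Level.MEDIUM),
]


def assess(register):
    """Rank assessable entries highest risk first; list the rest separately."""
    assessed, unassessable = [], []
    for name, asset, threat, vuln in register:
        risk = combine(asset, threat, vuln)
        if risk is UNKNOWN:
            unassessable.append(name)
        else:
            assessed.append((name, risk))
    assessed.sort(key=lambda item: item[1], reverse=True)
    return assessed, unassessable


if __name__ == "__main__":
    ranked, missing = assess(REGISTER)
    for name, risk in ranked:
        print(f"{risk.name:7} {name}")
    for name in missing:
        print(f"UNRATED {name} (a factor is unknown; decision needs more information)")
```

The unassessable list is the practical output of the "complete information" argument: an entry there is a question for whoever owns the missing rating, not something to be defaulted to "medium" and forgotten.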
No substitute for complete information
Organizations have traditionally addressed the protection of their key assets by implementing a number of point products that all work independently. This practice of "cherry picking" individual solutions, which was common throughout the 1980s and early 1990s, has proven to be very costly. Businesses have paid a heavy price for this approach in the form of homegrown integration solutions or by bearing the business costs of not integrating.
Not surprisingly, point solutions and best-of-breed approaches do not effectively address overall business needs. Nor do they provide the complete information necessary to determine true risk. Here's why: managing an environment that hosts disparate products from multiple vendors can be daunting, with each device generating its own mountain of data. In an average-sized company, the firewalls and intrusion detection sensors installed across the enterprise produce millions of log entries and alerts each month. Bottom line: there is a world of difference between complete information and information overload.
Case in point: your network
Several challenges exist in the course of obtaining complete information about a company's network architecture.
To begin, it is extremely rare for an organization of any size to know what is "participating" on its network on anything close to a real-time basis. The needed information includes the hardware, operating system, and applications of each device, along with the configuration of its security controls. Few organizations have such comprehensive knowledge of what is on their networks.
Part of the problem is due to "network evanescence," or the phenomenon of devices appearing, disappearing, moving, and changing configuration on a continuous basis. A Christmas tree serves as an apt metaphor for a corporate network. If each light represents a device on the network, the tree wouldn't display a lot of continuously burning lights; rather, it would twinkle and shimmer with all the changes taking place as devices connect and disconnect through cable, wireless, and VPN portals. The point is: the network cannot be secured if its components and configurations are unknown.
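The "twinkling tree" described above, made concrete as an inventory drift check. This is an added example, not code from the original article: the two inventory snapshots, the hostnames, and the attribute set are constructed, standing in for what an asset database, DHCP/NAC logs, or an endpoint agent would report. It diffs two points in time to show which devices appeared, disappeared, moved, or changed configuration, and flags hosts whose record is too incomplete to assess.

```python
"""Inventory drift between two snapshots of what is on the network.

Added example for illustration; not from the original article.
Snapshot format and hosts are constructed: host id -> attributes.
"""
from dataclasses import dataclass, field

SNAPSHOT_T0 = {
    "ws-1042": {"ip": "10.1.4.12", "os": "Windows 10 22H2", "link": "cable", "fw_enabled": True},
    "ws-1043": {"ip": "10.1.4.13", "os": "Windows 10 22H2", "link": "wifi", "fw_enabled": True},
    "srv-db01": {"ip": "10.1.9.20", "os": "Ubuntu 22.04", "link": "cable", "fw_enabled": True},
    "lt-0077": {"ip": "10.200.3.5", "os": "macOS 14", "link": "vpn", "fw_enabled": True},
}
SNAPSHOT_T1 = {
    "ws-1042": {"ip": "10.1.4.12", "os": "Windows 10 22H2", "link": "cable", "fw_enabled": True},
    # ws-1043 moved onto the VPN and its host firewall was switched off
    "ws-1043": {"ip": "10.1.7.40", "os": "Windows 10 22H2", "link": "vpn", "fw_enabled": False},
    "srv-db01": {"ip": "10.1.9.20", "os": "Ubuntu 22.04", "link": "cable", "fw_enabled": True},
    # a device nobody recorded joined over wireless; lt-0077 disconnected
    "iot-cam-3": {"ip": "10.1.4.99", "os": "unknown", "link": "wifi", "fw_enabled": False},
}


@dataclass
class Drift:
    appeared: list = field(default_factory=list)
    disappeared: list = field(default_factory=list)
    changed: dict = field(default_factory=dict)  # host -> {attr: (old, new)}


def diff_snapshots(before, after):
    """Return which hosts appeared, disappeared, or changed attributes."""
    drift = Drift()
    drift.appeared = sorted(set(after) - set(before))
    drift.disappeared = sorted(set(before) - set(after))
    for host in sorted(set(before) & set(after)):
        old, new = before[host], after[host]
        deltas = {
            attr: (old.get(attr), new.get(attr))
            for attr in sorted(set(old) | set(new))
            if old.get(attr) != new.get(attr)
        }
        if deltas:
            drift.changed[host] = deltas
    return drift


def churn_rate(before, after):
    """Fraction of hosts seen in either snapshot that joined, left, or changed."""
    drift = diff_snapshots(before, after)
    total = len(set(before) | set(after))
    if total == 0:
        return 0.0
    moved = len(drift.appeared) + len(drift.disappeared) + len(drift.changed)
    return moved / total


def security_gaps(snapshot):
    """Hosts whose record is incomplete or whose controls are off.

    An unknown OS means the inventory itself is incomplete: the host is
    participating on the network but its risk cannot be assessed.
    """
    gaps = {}
    for host, attrs in sorted(snapshot.items()):
        problems = []
        if attrs.get("os", "unknown") == "unknown":
            problems.append("os unknown")
        if not attrs.get("fw_enabled", False):
            problems.append("firewall disabled")
        if problems:
            gaps[host] = problems
    return gaps


if __name__ == "__main__":
    d = diff_snapshots(SNAPSHOT_T0, SNAPSHOT_T1)
    print("appeared:", d.appeared)
    print("disappeared:", d.disappeared)
    for host, deltas in d.changed.items():
        print("changed:", host, deltas)
    print("churn: %.0f%% of hosts" % (100 * churn_rate(SNAPSHOT_T0, SNAPSHOT_T1)))
    print("gaps:", security_gaps(SNAPSHOT_T1))
```

Run against real snapshots taken a few minutes apart, the churn rate is the measurable form of "evanescence," and the gaps list is the set of hosts the organization is currently unable to secure because it does not know what they are.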
An integrated approach to security can help eliminate the challenges of point products and deliver a more comprehensive solution. Such an approach is essential to correlating information quickly, simplifying it, and prioritizing any necessary action. It also focuses less on individual protection technologies and more on the tiers of the network architecture: the focus shifts to the gateway, application server, and client levels, rather than to picking a particular firewall or intrusion sensor.
The threat factor
Risk management of the network architecture becomes even more urgent when considering the current threat landscape. In an environment where vulnerabilities are on the rise, it is essential to protect key assets with a cyber alert system that gives early warning of new and emerging threats. Such a system should provide customized alerts about cyber attacks, together with countermeasures that can be applied before an attack occurs, creating the ability to mitigate risk, manage threats, and ensure business continuity. An incident management system will also help track down suspicious behavior on the network. The goal is proactive intelligence, which enables CIOs to act before a potential attack lands, protecting the network and avoiding the downtime and lost productivity that would follow.
Conclusion
CIOs shouldn't be lulled into thinking an existing cyber security posture is sufficient (or even above average) just because "instinct" tells them so.
Now more than ever, you need to be certain about your risk "appetite." Knowing that risk depends on the business context and on your willingness to accept risk, you can measure it. And that means you can manage it.