A recent study sponsored by Tripwire and conducted by the Ponemon Institute on the state of risk-based security management found that the majority of the more than 1,300 IT professionals surveyed (81%) said their organization is committed to a risk-based security management program.
However, the study also found that nearly half of the same respondents (46%) described their organization's strategy for risk-based security management as either non-existent or merely ad hoc.
Many factors may contribute to this stark discrepancy, but what is clear is that many of these organizations lack a clear understanding of what building an effective risk-based security management program really entails, and of the steps they need to take to get there.
To get more insight into the process, we spoke at length with Eric Cowperthwaite, Chief Information Security Officer at Providence Health & Services. He oversees information security for 32 hospitals with more than 65,000 employees, and so is quite familiar with the challenges of building and maintaining an effective risk management program.
His focus is on developing innovative approaches to the challenging security issues organizations face today: operational models that align security strategies with primary business objectives, so that security ultimately contributes to an organization's top and bottom line.
Computerworld Magazine named him as one of the Premier 100 IT Leaders in 2008, and SC Magazine identified him as one of the five most influential thinkers in Information Security in 2011, but Cowperthwaite says his career in security really began almost three decades ago when he enlisted in the military and served ten years in the US Army.
“In the first three years that I was in the army, I was stationed in West Germany on the Inner German Border, which is what the military called the Iron Curtain, looking directly at Soviet and East German troops who were looking right back at me. That was my introduction to security,” Cowperthwaite recollected.
“After I got out of the army, I went back to school and did some part-time work for a local company in Sacramento, and after that I went to work for EDS, which was sort of natural coming with the military background,” he continued.
Cowperthwaite said he quickly figured out that physical security was not as exciting as what we now call InfoSec, so he found ways to move into a role that combined physical and information security before moving into InfoSec full time.
“I worked for EDS for eight years and then I went to Providence where I have been the CSO since May of 2006, and along the way I picked up responsibility for our enterprise risk management efforts as well,” he explained.
Cowperthwaite says he began practicing risk management in earnest as part of his information security strategy around 2003, when he was working for EDS with state and local government clients and was assigned under a contract as the Security Officer for Medi-Cal, California's enormous Medicaid benefits program.
He says it became readily apparent that Medi-Cal could spend a significant amount of money and still not know if they had improved security at all, or if they were focusing those resources on the right things.
“We needed a better way than just ‘here are all the technologies you can buy’ to figure out what we should be doing in our security program, and so I began to devise a risk-based approach,” Cowperthwaite said.
“Here's where I think having a background in the military and in physical security was really helpful. The approach needed to be along the lines of understanding that there is a basic set of security controls that must be in place to know I have done the right things from a due-diligence perspective.”
He equates it to the process of physically securing a new facility, whether for a corporation, a not-for-profit, or a government entity: there is a baseline of security that must be provided. You have to have locks on the doors, you probably need a closed-circuit camera system so you can monitor the spaces that are not normally well protected, and you may need to put in automated alarm systems.
“These are all sort of the basic due-diligence things that you're going to do for a building, and you wouldn't dream of not doing them, and information security needs the same kinds of things,” Cowperthwaite said.
“The problem is we haven’t agreed on what the basic due-diligence foundation is, the baseline. But, if you don’t have antivirus on your PCs, or don’t have firewalls, or don’t have intrusion protection systems, and you don’t have spam filtering on your email, you probably haven’t done what you need to do from a basic due-diligence perspective. This really isn’t even risk management at all, this is just the equivalent of putting locks on the doors.”
Cowperthwaite says that the next steps, such as understanding the policies and procedures, system hardening and patch management, and controlling access to critical systems, are also things we should do as par for the course before implementing risk management strategies.
“For example, HIPAA I know quite well. The HIPAA Security Rule that tells me I must engage in access management is not simply an addressable specification, it is a requirement, and so we keep logs of who accessed what and so forth. This again is not risk management at all, this is a basic foundational thing we just have to do.”
Cowperthwaite says that once there is evidence we have accomplished what we need to do from a baseline due-diligence perspective, we can begin to address concerns from a risk-based management approach.
“Now, it’s time to ask ourselves what exactly do we need to protect, and how likely is it that what we need to protect could be breached in some fashion? For instance, I need to make sure we protect credit card data because that’s a big deal to my organization. If you don’t know what your priority assets are and your ground rules, then you can’t really move on to implementing a risk-based security strategy. You have to know what’s most important to your business first,” Cowperthwaite said.
“Knowing your ground rules is the beginning of the process of building a healthy risk-based security management program.”
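The two-stage process Cowperthwaite describes, a due-diligence gate followed by risk-based prioritization of what you most need to protect, can be sketched in code. The following is an added example written for this article, not Cowperthwaite's or Providence's own tooling: the asset inventory, the list of baseline controls, and the 1 to 5 impact and likelihood scores are all constructed assumptions for illustration.

```python
"""Two-stage risk-based prioritization (illustrative, constructed example).

Stage 1: every asset must pass a baseline due-diligence gate
         ("locks on the doors": antivirus, firewall, IPS, patching, access logging).
Stage 2: only assets that pass the gate are ranked by impact x likelihood,
         so effort goes to what matters most to the business.
All names, controls and scores below are assumptions for illustration.
"""
from dataclasses import dataclass, field

# Baseline controls assumed to be mandatory before any risk ranking is meaningful.
BASELINE_CONTROLS = ("antivirus", "firewall", "ips", "patching", "access_logging")


@dataclass
class Asset:
    name: str
    data_class: str           # what the asset holds, e.g. "cardholder", "phi", "internal"
    impact: int               # 1-5: business impact if breached (assumed scale)
    likelihood: int           # 1-5: estimated likelihood of breach (assumed scale)
    controls: set = field(default_factory=set)  # baseline controls actually in place


def baseline_gaps(assets):
    """Return {asset_name: [missing baseline controls]} for assets failing the gate.

    An empty dict means the foundation is in place and risk ranking can begin.
    """
    gaps = {}
    for asset in assets:
        missing = [c for c in BASELINE_CONTROLS if c not in asset.controls]
        if missing:
            gaps[asset.name] = missing
    return gaps


def risk_ranking(assets):
    """Rank gated assets by impact x likelihood, highest first (ties by name).

    Assets that fail the baseline gate are deliberately excluded: fix the
    foundation first rather than letting them compete for risk-based spend.
    """
    gaps = baseline_gaps(assets)
    scored = [(a.name, a.impact * a.likelihood) for a in assets if a.name not in gaps]
    return sorted(scored, key=lambda item: (-item[1], item[0]))


# Constructed sample inventory; not real systems.
SAMPLE_INVENTORY = [
    Asset("billing-db", "cardholder", impact=5, likelihood=4, controls=set(BASELINE_CONTROLS)),
    Asset("ehr-app", "phi", impact=5, likelihood=3, controls=set(BASELINE_CONTROLS)),
    Asset("intranet-wiki", "internal", impact=2, likelihood=3, controls=set(BASELINE_CONTROLS)),
    # A lobby kiosk that never got patching or antivirus: it fails the gate.
    Asset("kiosk-pc", "public", impact=1, likelihood=5, controls={"firewall", "ips", "access_logging"}),
]


if __name__ == "__main__":
    for name, missing in baseline_gaps(SAMPLE_INVENTORY).items():
        print(f"BASELINE GAP {name}: missing {', '.join(missing)}")
    for name, score in risk_ranking(SAMPLE_INVENTORY):
        print(f"RISK {score:>2}  {name}")
```

Running the sample flags kiosk-pc for missing patching and antivirus and ranks billing-db (score 20) ahead of ehr-app (15) and intranet-wiki (6); the kiosk's high likelihood never enters the ranking because, as the interview puts it, it has not yet had the locks put on the doors.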
Editor's Note: In the second part of our interview, Cowperthwaite will discuss some of the challenges one needs to overcome in establishing the ground rules from an institutional perspective, the inter-departmental consensus that needs to be achieved, and how security leadership needs to better understand its place in the overall risk-appetite strategy of the organizations it serves.