In the first segment of our interview with Eric Cowperthwaite, Chief Information Security Officer at Providence Health & Services, we examined the steps needed to build a foundation for an effective risk-based security management program.
Cowperthwaite (@e_cowperthwaite) oversees security management operations for 32 hospitals with more than 65,000 employees, and his focus is on developing innovative approaches to security by aligning strategies with the primary business objectives of organizations.
In this second installment, Cowperthwaite discusses the process of establishing the ground rules that govern asset prioritization, achieving consensus across business units, and how security leaders can better understand their role in the risk-appetite strategy of their organization.
Previously, Cowperthwaite explained how the foundation for an effective program includes the drafting of policies and procedures, undertaking system hardening and patch management, and setting up controls for access to critical systems, etc. – and all before the process of implementing a risk management strategy can begin.
One of the first challenges to be overcome is understanding exactly what information the organization wants to protect, and how to categorize and prioritize security efforts based on what is most important to the business.
“If I don’t know what it is that I need to protect on behalf of my organization, I cannot possibly be successful in going beyond foundational due-diligence security,” Cowperthwaite said. “If you don’t know what your ground rules are, then it’s really hard to be successful, and I see a lot of people sort of assuming that they know, but still not doing the hard work to find out what it is.”
For example, an organization may have servers holding large volumes of business documentation but no patient information at all, whether health, identity, or payment data. Where do those servers rank?
“There are some things about those servers that I may care about personally given my position as a security officer, but at the end of the day it’s not necessarily as important as the data of the millions of patients that we have stored in our systems,” Cowperthwaite explained. “So, where do I want to focus my efforts? Do I want to focus it on the business automation servers, or do I want to focus it on where the patient data is at?”
The question, then, is how the organization decides what the ground rules should be, which effort takes precedence over the other, and how it arrives at that understanding.
Cowperthwaite says it begins with the internal process of establishing data classification categories, and gaining broad consensus throughout the organization on which are the right categories, and what should be included in those categories.
“One of the other things that I see happening quite often is when the security officer operates within the IT organization, and they only talk to other IT leaders to make these determinations,” Cowperthwaite said.
“But has that security leader gone out to the rest of the business? Have they talked to the people running the operational parts of the business and found out if they agree that X is the most important piece of information that we have, and that we should put a lot of effort into protecting it? That’s why our approach is to crowd-source it.”
Cowperthwaite says they survey about 160 senior operational leaders across the organization on an annual basis to ask what they consider to be the information most important to the business.
“And when you ask that many people, you get a much different picture than you would from just the IT department, and then it is important to follow that up with a second survey asking them how well they think we’re protecting the data they said is so important, and the answers we get are really interesting,” he said.
Cowperthwaite said the gap between the two sets of answers can be the result of how the question was framed, and the context in which the respondent is answering.
“When we asked a question about how big a risk cybercrime is, we got an answer that said it was sort of in the middle of the pack out of 40 or so things that constitute risks. But then when we asked them how well they thought we were doing protecting the organization from cybercrime, the issue suddenly moved up that stack of risks because the impression was that we were not doing as much as we probably ought to be to reduce the impact,” Cowperthwaite said.
That raises the question of whether leaders in other business units are reacting to unfounded fears that inflate perceived risk rather than to more objective factors, and whether they need more education on the issues.
“I think that’s a mistake, I really do, to think that the business operators just don’t understand what it is that we do in security. The thinking is that if they did understand it, they would automatically agree with us,” Cowperthwaite countered.
“That’s very dangerous thinking. They understand it well enough, since nobody in the modern world who is paying any attention to the news is unaware of risks like cybercrime, or of information security issues in general.”
The matter then boils down to understanding risks and the potential impact those risks may have on the organization. Cowperthwaite believes impact is where information security officers usually fail in educating other unit leaders, because they tend to overstate it in business terms.
He uses the following example to illustrate this point:
“Suppose you work for a $12.5 billion company that just began a merger & acquisition process with a $3 billion company. Essentially, that’s a $3 billion bet and 25% of the company, and really ought to be considered the organization’s biggest risk right at this point in time, and cybercrime is definitely not a $3 billion risk,” Cowperthwaite said.
“To assert to other business unit leaders that cybercrime is actually the biggest threat, that if somebody were to steal our credit card data that the company is going to go under, they would just look at you and go, huh? You have to be kidding me,” he continued.
“And they know better because they read the papers and saw that for TJ Maxx for example, the breach only cost them about $250 million. That’s one-tenth of this new business bet that the company just made, and then you become the boy who cries wolf because you’re not being accurate and consistent with the reality of the business,” Cowperthwaite said.
“So you do need to listen to the business because they understand that if we lose all our credit card data to a bad guy, it will cost a couple of hundred million dollars, and that’s a fair statement to make. If you say that, your business unit leaders are then able to assess where it falls in the grand scheme of all the things they have to deal with.”
In this example, it probably does not fall at the top of the list. It’s big, but $250 million is not equivalent to a $3 billion business bet.
“That’s where we have to be really conscientious about educating in an honest way about the impact, and not try to tell them how big or small of the deal it is, just tell them what it is based on the evidence, and then they can figure out how big or small that risk is compared to all the other things that you don’t even know about, because you’re busy with information security,” Cowperthwaite said.
So what does this mean for those overseeing a risk-based security management program?
“Number one, risk management is about only half the risk. It’s about downside risk, and executives are more concerned with upside risk. They expect people like the security officer, or the head of insurance, or legal, to deal with downside risk, so remember that. You’re only talking about half the risk the organization faces, and the upside risk is where the executives operate,” Cowperthwaite said.
“And then the other thing is, if you’re trying to do risk management instead of just baseline due-diligence, you can’t do it right if you are not engaged with what everybody else is doing operationally every day. So, get out of your office, stop configuring firewalls, and go find out what the business really does.”
Cowperthwaite says the bottom line for a successful risk management program is that there has to be agreement between security and the people who are impacted.
“If you have done all your pretty risk management work and decided what you need to do, but you never talked to the general manager of the store or the hospital administrator, or the plant manager, or whatever business you are in, if you didn’t gain agreement on risk, you are going to fail,” Cowperthwaite said.
“You have to do that every day, every day. I mean, really, the Chief Security Officer is also the Chief Security Salesman.”