While reading last Friday’s weekly wrap-up on the Securosis blog, I was intrigued by a comment by Adrian Lane:

I have been mulling over the topic of IT buying security products for the sake of security. Sounds irrational, right? We have known for years that people only buy security products to help satisfy compliance requirements, and then only grudgingly, to meet the minimum requirements. But people buying security to help secure things keeps popping up here and there, and I have been waiting for better evidence before blogging about it.

I believe this is true, based on my own anecdotal data from conversations with companies around the world.  It seems that checkbox security is finally being supplanted (at least in some organizations) by people wanting to implement real, effective security.

I posit that another trend is also occurring:  people in information security are beginning to have more conversations that revolve around risk, and not just focusing on the low-level tactics of security.

I can’t tell how closely these two trends are related, since correlation is not the same as causation and, if there is a relationship, I can’t tell which is the chicken and which is the egg. Plus, I don’t really care – I have been yearning for this kind of positive development for a long time.

You see, there are some common problems with a lot of security programs I’ve observed, such as:

  • Failure to align effort with risk.  This drives frustrating and ineffective “one size fits all” security policies, in which organizations try to apply equal rigor to every system in the enterprise.  This is a recipe for frustration (or worse).
  • Inability to appropriately fund (or de-fund) projects.  Without a good risk framework, it is very difficult to allocate resources in an objective way, and you can end up funding the “latest and loudest” rather than funding the project that does the most to reduce risk to the most important functions in your business.
  • “Lip service” security.  I’ve seen a lot of dusty binders (or the electronic equivalent) full of policies that nobody follows or, in many cases, nobody knows about.  If people understood the policies, and the policies were aligned with risk (people tend to understand risks pretty well, once you explain them), they’d be much more likely to adhere to policies.

So why aren’t more people talking about risk?  I think one of the issues is alignment.  Until you have a repeatable model to identify, analyze, and characterize risk, these conversations are hard because they all end up being FUD-filled and very subjective.  In these cases, it’s back to politics, posturing, and gamesmanship, which isn’t good for anybody.

If you find yourself wanting to move to a risk-based model but not knowing how, a good place to start is learning more about FAIR, the Factor Analysis of Information Risk framework.  There are many risk models, but you don’t need to over-complicate your life so try to find one that is simple to learn, simple to implement and communicate, and one which has readily available training for you and your organization.

But whatever you do, I hope you become part of the trend toward buying security to secure things, and having conversations framed by risk management.  The future will be a lot brighter for all of us if you do.

What about you?  Do you have any good resources, pointers, risk models, etc. you can share with us?