Q&A

Lloyd Hession: Look Risk in the Eye

Radianz CSO Lloyd Hession answers readers' questions about information technology risks.

April 01, 2003 — CSO —

Q: I love the idea of posing much of my purchasing and deployment decisions as risk equations. Having said that, I don't have the time or expertise in-house to develop those risk models myself. Where can I cheat and filch some risk models already developed that could apply to me?A: The key is to keep your analysis simple and in terms that management can understand. The problem with many off-the-shelf risk methodologies is that they will require a significant amount of tinkering before they will be right for your particular business. You may be able to fill in some numbers by calling on the experience and expertise of your security team. Then, if you have a good knowledge of your environment, you can make a strong case with some simple calculations.

Here's a contrived example: We expended 1,000 man-hours and $100,000 dealing with incidents last year70 percent of those were the result of worms that got into the company as e-mail attachments. We could have eliminated 90 percent of those threats by implementing a tool on our mail server that removes potentially harmful attachments before they ever enter our network. The license will cost us $25,000 per year, and we can manage the solution with existing resources for a negligible cost.

The risk equations you are looking for in this situation are quite simple. Once you make an assumption about the per-hour cost of a worker, say $25, you will have a very strong case to present to management for the purchase of your mail server software.

It is extremely important to keep logs and metrics of security-specific issues so that you will have the information necessary to analyze your specific situation.Q: What are the current best practices in security reporting structures?A: If your organization has a separate security team, I have always felt it's important to keep that team organizationally separate from traditional IT functions. Different organizations have different reporting structures; but, ideally, the top executive responsible for security should be a peer to the CIO. The CSO is, after all, executive management's subject matter expert on security.

Security touches all areas of the company, not just IT. An effective security organization will require a view over the entire organization along with the authority to create policies and conduct awareness training for all employees.

It is critically important, though, to maintain a good relationship with the IT functions in order to provide effective security. That's where a security team can leverage its role as subject matter expert. Act as a resource for systems administrators who need to harden their systems. Educate developers to develop secure software. Assist in the development of secure solutions to enable a mobile workforce. The key is to maintain independence, while enablingnot blockingsolutions. The result will be an organization that recognizes security as an integral component to its success.Q: How does one present risks in a concise manner to senior executivesCIOs and above?A: The key is to present risk as a business decision requiring action. You will probably do more harm than good in attempting to frighten a budget out of senior management by pointing to all the dire consequences associated with a particular risk. Instead, using knowledge, experience, published statistics and even some guesswork, provide management with an assessment of the magnitude of the risk and a menu of options for solving the problem. The menu should include the cost and "residual risk" of each mitigation strategy. Residual risk is simply the risk left over once you've implemented your solution.