Information security and the art of business enablement

risk reward

During my career, I have always straddled the fence between the technology side and the business side in the companies I have worked for. This is true in part because most of my employers have been smaller organizations experiencing rapid growth. Not withstanding my strong technology background, not understanding the business side of what I was doing would have quickly ended any illusion I had of job security. 

In the security world today, we find that those managing security for organizations are often at odds with the business executives. The security folks understandably advocate for the tightest possible security. The business side wants as little disruption to company operations from security precautions as possible. The security head usually loses this battle to some extent. 

In my experience, the business and security sides of the company do not have to be at odds with each other. In fact, the two sides working together can help propel the business forward, with security being a saleable business trait. The success of this in part depends on how well both sides understand the difference between vulnerabilities and risks, and cost versus value. 

A vulnerability is a security exposure that, if exploited, could permit a data breach or other security compromise. In deciding when/how to address a vulnerability, however, one must take into account the likelihood that a given vulnerability might be exploited, the damage that might be done as a result, and the cost to the business were it to happen. These factors together form a risk. 

For any business, decisions about what actions need to be taken from a security perspective should be based on risk, as opposed to an ad hoc approach to prioritizing fixes. For example, TLS 1.0, a web cryptography protocol, has a vulnerability allowing it to be exploited by the POODLE attack. That being said, it is not considered a critical exposure for most organizations. The PCI Security Standards Council for instance, is not requiring the removal of TLS 1.0 for existing installations until June, 2016. Were I assessing risks for an organization, this would probably not be the top item on my list. 

When using a risk-based approach to vulnerability management, the challenge is in properly assessing the business risk of a given vulnerability. This is where a CISO with knowledge of the business side as well as the technology side comes in. Without a good grounding in technology, it is hard for a CISO to properly understand the risk posed by a given issue. A CISO lacking in a solid understanding of the business may have challenges in determining the potential impact of an issue, or the business value of planned expenditures. A CISO without a strong knowledge of both sides will need to rely on other folks to fill in any gaps. 

To be honest, the formal process involved in assessing and rank-ordering risks is not an easy one, but is doable. My article "The dreaded risk assessment" includes a simplified roadmap for conducting a risk assessment. Such an assessment is something you should have regardless of the size of your business. 

Once the risk assessment is completed, the CISO has a documented framework for discussion with the business leaders. These folks, while they often have limited understanding of the technology, will likely understand and respect the assessment approach. If high risk vulnerabilities exist, it will be hard for them to argue over the need to complete the work, and the budget to get it done. 

When working with the business leaders to address risk, the following are some items the security team should keep in mind: 

Sell the value of security

As I said above, security sells well today. Customers are worried about their data being protected, and the reliability of the vendors supporting them. Companies can --and should -- take advantage of this market opportunity. Work with business leaders to build a good, documented risk management process, and sell that to customers as a competitive advantage. 

Get value for your security investments

I, like any "techie," want the latest and greatest gadgets. As I said in "Information Security -- Pursue simple, get fancy later," the expensive, bleeding-edge security tools often do not produce a good return on investment. If you buy expensive stuff that does not pay off, business leaders will be more likely to reign in the budget next time.

Consider any purchases from the perspective of risk versus reward. One of the product areas currently in vogue is threat intelligence, which involves obtaining information about known active security issues, and using this information to strengthen organizational protections. It all sounds wonderful on paper, but most organization don't have security operations that can truly make use of this data. As such, they pay large sums to get it, and then can't use it. 

Generate good metrics

If you will excuse the expression, business leaders are from Mars, and information security people from Venus. The business folks often think primarily in terms of the overall monetary impact of a decision. We in the security world just want the tightest security possible. If you make good choices in terms of security spending, and can demonstrate after the fact via good metrics that the choices paid off, it will be much easier to sell the need for additional expenditures later.

Bottom line -- we in risk management do not function autonomously. We are part of the business or organization, and anything we do must be of benefit to the business. When we see ourselves in this context, we will be seen as business contributors, and not adversaries.

Copyright © 2016 IDG Communications, Inc.

Subscribe today! Get the best in cybersecurity, delivered to your inbox.