Hey, what’s for supper? We are having a risk-based pot roast tonight! Roll the dice.

I perform a search on the term ‘risk based’ and I find 60,500,000 hits in Google.  I hyphenate the search and I get 336,000,000 hits in Google.  It is an amazing finding. Risk has taken over the personality of information security and many other functions in our lives. Risk-based security and risk based security each net 109,000,000 results while baked in security nets 21,000,000 and bake-in security, 91,900,000.  If I apply a non-scientific approach to these terms, I find something that clearly reflects where we stand with respect to our overall information security posture at commercial and not-commercial entities in the United States. 

Information security has been rife with risk-based approaches for the past several years. GRC solutions have inundated information security conferences. Corporate boards want to hear risk-based decisions so they can choose what information security technology to deploy and what they can possibly do without.   Whole organizations focusing on information security risk management have sprung up faster that new housing. We have:

• ·         Risk based internal auditing
• ·         Risk based testing
• ·         Risk based performance management
• ·         Risk based decision-making
• ·         Risk based assessments
• ·         Risk based site evaluations
• ·         Risk based pricing
• ·         Risk based organizations
• ·         Risk based investments
• ·         Risk based vaccinations
• ·         Risk based inspections
• ·         Risk based authentication
• ·         Risk based approaches
• ·         Risk based estimates
• ·         Risk based mortgages
• ·         Risk based corrective action
• ·         Risk based haircuts
• ·         Risk based security
• ·         Risk based capital
• ·         Risk based food inspection
• ·         Risk based coding
• ·         Risk based supervision
• ·         Risk based applications
• ·         Risk based profitability
• ·         Risk based standards
• ·         Risk based manufacturing
• ·         Risk based models
• ·         Risk based process safety
• ·         Risk based sex
• ·         Risk based verification
• ·         Risk based management
• ·         Risk based premiums
• ·         Risk based border strategy
• ·         Risk based hiring
• ·         Risk based firing
• ·         Risk based certification
• ·         Risk based lending
• ·         Risk based contributions
• ·         Risk based predictions
• ·         Risk based classifications
• ·         Risk base planning
• ·         Risk based regulation
• ·         Risk based cleanup

and the list goes on forever.

All this risk is like eating at a Chinese buffet in an old, moldy Massachusetts restaurant in the middle of August after 20 days of rain, high humidity and excessive heat (much like this summer and much like many old restaurants in Massachusetts). You can apply the controls all you want, but someone is going to get sick and vomit at a minimum. Going back to the unscientific Google searches, we find that ‘risk based ‘ of any type represents 68.7% of the searches while ‘baked in’ represents 31.3%.  This is quite indicative if not overly optimistic when it comes to the ‘baked in’ number and, it represents a view of our overall commercial and government information security posture. Every day we read about performing information security risk-based decisions to ensure we align to the business and fit in. At the same time, we read about baking security in so that it is part of the process and transparent, again aligning with the business.

“Security needs to be baked in say experts”

“Baked-in Security – Computerworld”

“With McAfee deal, Intel to bake in security”

“Cloud Security: Baked in or bolted on?”

“Baked in Security: security Blog”

and so on.  We see ‘baked in’ and ‘risk based’ in the same sentences. We hear it at conferences and see it in information security strategic plans and programs.  The two phrases appear together like bread and butter but slightly less than 1/3 of the time (68.7% to 31.3%).  The problem is, you cannot have security ‘baked in’ while having a ‘risk based’ information security program. They are mutually exclusive. In fact, risk based anything means that we are exposed to daily and even hourly failures. Many of these failures we do not even realize are occurring. One such organization had over 5,000 breaches in one year alone that resulted in the loss of sensitive information (each time). This is an organization that uses risk-based approaches. If we truly bake security into our information systems, then security is part of the fabric of the system much like a server has physical properties that are undeniable, security is a fact of every facet of the system.  In place and undeniable.  It is much like building a house.  Every step of the way must past code without slighting the code for risk. The foundation must be to code; the plumbing, framing, insulation, electrical, siding, roofing, etc. They all must meet code or they are fixed to meet code (https://www.treadstone71.com/whitepapers/BuildingaSystem.pdf). Code is baked in. Risk is choosing what part of your house you ‘bet’ will fail based upon chance.  Will it happen when you sleep at night? Will it occur while you are away? Will it happen during the day when the baby is sleeping or at dinner time when your family is there for Thanksgiving? You just don’t know since you have applied the limited knowledge of information security probability and likelihoods of occurrence.   In the information security world, we know this is completely unknown. We know it is largely a qualifying act. There are no actuarial tables for information security (https://www.ssa.gov/oact/STATS/table4c6.html) that can predict death.

 We cannot predict when a system will be breached (we just know it will be). We use risk to justify costs to make the business happy but this is really placing band aids on the system since security is not baked in. If security is baked in, then risk around controls is removed since it is built to code and part of the system.  If security is baked in, it truly is a cheaper option for the lifecycle of the system. We build skyscrapers based upon fire codes, building codes, environmental requirements, safety codes and the like. They stand tall against force majeure. Yet we build information systems like we throw together a lean-to on a weekend camping trip. It will suffice and the risk of rain is only 30%. Ad-hoc, different every time and not made to withstand much more than a gentle shower.  It is the level of risk we are willing to take to meagerly protect our information and intellectual property.  Yet we believe it is the way to protecting our systems. http://blogs.csoonline.com/1653/information_security_program_management_maturity_model We have been lulled into the false sense of security and due diligence all the while we are being exploited daily. Until such time as security is truly baked in and risk goes the way of the dodo, we will continue to suffer breaches and severe loss of data. They cannot exist together in information security. They are mutually exclusive and only one guarantees exploitation. Bon appetit.