IT Security — 18 October 2013

New model for security audit: No more 'Department of No'

I have had the opportunity to work as both an information security and a risk management leader. Through this process I have come to believe that one of the biggest failings of infosec is our position as a gatekeeper for projects. A move toward a relative-risk management approach can significantly improve organizational security.

Traditionally, information security has been a gatekeeper. There will be an information security review of an initiative, with some kind of result that boils down to “pass” or “fail.” The review may be a manual review of a project by a security analyst, a vulnerability scan run against a new application, static code analysis performed against some source code, or a questionnaire that’s completed and reviewed.

Whatever shape the review takes, there will be a result which is either a stamp of approval or rejection. This process turns security into a binary function. A system is either secure or it is not, with no middle ground. This does not accurately reflect reality.

In addition to turning security into a false dilemma, it also imparts far too much power to the information security team. They are forced into making significant business decisions that should be decided by senior business leaders. Should that application enhancement be released? Should that new web solution be turned on?

In the traditional security model these types of decisions may be in the hands of a security professional who may understand the security impact, but not the revenue, reputational, legal or other impacts of the decision.

Rather than this binary information security model, I believe the right solution is a risk management focus, where our review results are not a 1 or a 0. Instead, they fall on a risk spectrum from which we report the relative risk of a particular initiative. That risk rating is provided to our customers in order to empower them to make a business decision.

We can still use those same review touch-points (manual reviews, vulnerability scans), but instead of an output of yes or no, we assign the risk a likelihood and impact. The product of those elements becomes the risk score, and that score must be communicated to the appropriate business owner to make a risk management decision. Do they mitigate the risk? Avoid it? Accept it?

If you are a security person and you are concerned that security is losing power with this model, don’t be. You are still creating the risk score for these reviews, and your judgment is critical to this process.

In fact, this shift allows you to provide unfiltered feedback about the risk of the project without the need to soften things by simply providing a “passing grade” as we tend to do in the traditional model.

Is simply saying "no" all that helpful? Being the “Department of No” sets us up as the enemy and encourages people to seek ways to circumvent us. In addition, in those high profile cases in which a security professional does say “no” to releasing an important product or enhancement, the business may very well overrule him anyway.

By providing the security review in a risk management format, security professionals are filling the role for which they are best suited — evaluating security. The business owner can weigh the risk/reward aspects for himself.

Another benefit of the risk management approach is that the result of the security assessment can and should be reviewed later. The risk should also be stored in a risk register, where it can be reviewed periodically to determine whether the likelihood or impact of the risk has changed significantly.

A risk that may have been considered low impact may become a much bigger deal if the type of stored data changes. Or the likelihood of an exploitation could dramatically increase if a system goes from a private network to the Internet. In the old binary security world we are likely to lose track of these types of changes.
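The scoring and register process described above (likelihood × impact, a business-owner decision recorded against that score, and re-assessment when exposure or stored data changes), as an added illustration that is not part of the original post. The 1-5 scales, the band thresholds, and the sample findings are constructed for the example; a real program would use its own calibrated tables.

```python
from dataclasses import dataclass, replace

# Constructed 1-5 scales for the example; calibrate these for a real program.
LIKELIHOOD_BY_EXPOSURE = {"private-network": 1, "partner-network": 3, "internet": 5}
IMPACT_BY_DATA_CLASS = {"public": 1, "internal": 2, "confidential": 4, "regulated": 5}
BANDS = ((15, "high"), (8, "medium"), (1, "low"))  # lower bound of each band


@dataclass(frozen=True)
class Finding:
    system: str
    issue: str
    exposure: str            # key of LIKELIHOOD_BY_EXPOSURE
    data_class: str          # key of IMPACT_BY_DATA_CLASS
    analyst_adjust: int = 0  # the reviewer's judgment on likelihood, e.g. +1 for a known exploit

    def likelihood(self) -> int:
        return max(1, min(5, LIKELIHOOD_BY_EXPOSURE[self.exposure] + self.analyst_adjust))

    def impact(self) -> int:
        return IMPACT_BY_DATA_CLASS[self.data_class]

    def score(self) -> int:
        return self.likelihood() * self.impact()  # risk score = likelihood x impact


def band(score: int) -> str:
    return next(name for floor, name in BANDS if score >= floor)


class RiskRegister:
    """Keeps each finding with the score the owner decided on, so drift stays visible."""

    def __init__(self) -> None:
        self.entries: dict = {}

    def record(self, finding: Finding, owner: str, decision: str) -> int:
        """The business owner records mitigate/accept/avoid against today's score."""
        key = f"{finding.system}:{finding.issue}"
        self.entries[key] = {"finding": finding, "owner": owner,
                             "decision": decision, "decided_at_score": finding.score()}
        return finding.score()

    def reassess(self, key: str, **changes) -> dict:
        """Re-score after system attributes change; flag the entry if its band moved."""
        entry = self.entries[key]
        entry["finding"] = updated = replace(entry["finding"], **changes)
        old, new = entry["decided_at_score"], updated.score()
        entry["needs_decision"] = band(new) != band(old)
        return {"old": old, "new": new, "band": band(new), "needs_decision": entry["needs_decision"]}

    def due_for_decision(self) -> list:
        """Entries whose rating changed since the owner last decided; send back to the owner."""
        return sorted(k for k, e in self.entries.items() if e.get("needs_decision"))
```

Re-assessing an accepted low-risk finding after the system moves from the private network to the Internet raises it to the high band and puts it back on the owner's desk rather than silently staying "accepted".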

The implementation of an information security program focused on risk management not only increases the security of the organization, but also increases collaboration between security professionals and other technical stakeholders. It frees up security professionals to do what they do best, rather than make business decisions that should be left to owners and executives.