
Reality check

Balancing cost and risk is the secret to IT security success

[ Cutting Edge ] By Sarah C. Close, Dell Insight, August 2003

Why hasn’t a major television network produced a show about IT security? At first glance, it seems a subject fraught with drama: a cross between high-tech thriller and political saga, with a little comic book humor thrown in for the kids. Our hero is the Chief Information Security Officer (CISO) of a major enterprise, and we join him as he battles espionage and intricate hacking attempts.

But there’s a catch: Before the CISO can thwart would-be attackers, he first must convince executive management that the threats are big enough to warrant a hefty measure of protection. And here’s another twist: Sometimes the threats are not big enough. So we end up watching a CISO that sometimes is Batman, with all of the bells and whistles to protect Gotham City from disaster, and sometimes he is just Bruce Wayne.


Fascinating? Not really. Who wants to watch a superhero battle evil on a budget? Yet that’s the case in the world of IT security. It’s not a thrilling drama—it’s more of a reality show. Instead of hurling a constant barrage of high-powered artillery at their assailants, CISOs must walk a thin and realistic line between cost and risk, weighing asset values and loss expectancies against the likelihood of certain threats. To strike that balance and paint an accurate picture of potential vulnerabilities and foes, businesses must engage in ongoing risk assessments that help justify both the expense and value of security.

An enterprise-wide adventure

The task of justification is a necessary burden in today’s IT world. Like it or not, IT organizations are under tremendous pressure to align technology with business objectives. Budgets are tight, and executive attitudes have shrunk from the gaping optimism of the late 1990s into a more practical mindset. Companies now accept that an IT infrastructure built for the sake of IT only neglects the importance of the business it is meant to serve. Likewise, IT security implemented purely for the sake of protecting IT investments—and not for protecting all enterprise assets, including the corporate purse—neglects the value of corporate objectives. It also shows the kind of dichotomy between IT and business that some experts believe triggered the downfall of the dot-com dominion.

Risk assessments are the means by which companies can visualize the alignment between IT security and business, putting faceless threats and intangible asset value into a language that all C-level executives can understand. Only through mutual, enterprise-wide communication can an accurate risk assessment take place. CIOs and CISOs are responsible for communicating the strengths and weaknesses of the IT infrastructure to the rest of the management team, while CEOs and CFOs help convey the business requirements.

William Hugh Murray, Certified Information Systems Security Professional (CISSP), agrees. Murray is an executive consultant with TruSecure Corporation, an international managed security services provider based in Herndon, Virginia. In an ideal risk assessment scenario, he says, “Security staff first recommends to general management a choice of risk postures, and general management chooses the level of risk that it is comfortable with.” At this point, the security staff works to match present risks to company objectives by selecting the protective measures that satisfy both categories.

As obvious as it seems, achieving this kind of company-wide cooperation can be a frequent holdup in the execution of risk assessments, according to Chris Richter, director of security product management at Cable & Wireless (C&W), another global provider of managed security services. “For risk assessments to be done properly,” Richter says, “the entire company must support implementing the project, which is often a very large undertaking.” Unfortunately, many companies don’t think about putting this much effort into analyzing risk until a threat already has appeared. They either misunderstand the purpose of the exercise, or they don’t believe the cost of the assessment will justify its potential savings.

Figuring it out

Aside from recognizing the need to engage all aspects of senior management in the process, experts typically have disagreed on the preferred methodology for assessing risk. Quantitative supporters give a thumbs up to a mathematical approach because it converts risk into the language of value that CEOs and CFOs—the ones controlling the purse strings—best understand. A quantitative risk assessment assigns numerical or financial values to certain variables—such as annual loss expectancy (ALE), single loss expectancy (SLE), or total cost of ownership (TCO) for an asset or security solution—and then plugs those figures into formulas that help gauge the consequences of a particular implementation or attack. By weighing security in terms of dollars and cents, the business benefits—and the effectiveness of the security solutions in play—become apparent and justified.

However, qualitative enthusiasts say that purely formulaic strategies ignore the dynamics inherent in today’s business. Technology is constantly changing. Asset value is constantly changing. And, as anyone who watches the news can attest, threats are constantly changing and often concealed. “A major limitation is visibility into threats and vulnerabilities,” TruSecure’s Murray says. “Threats change over time, and vulnerabilities may be both numerous and obscure.” Other variables include expertise, global markets, politics, and corporate or departmental objectives. To approach risk assessment without adapting to all of these variables is counterproductive and might result in inaccuracies.

Not surprisingly, seasoned security professionals now are leaning toward a combined approach to risk assessment that covers four basic areas: what you are trying to protect (asset value), what you are protecting assets from (threat analysis), the likelihood of those threats (vulnerability assessment), and the potential cost to the business (loss expectancy).

In analyzing each of these areas, Richter says, “C&W recommends both quantitative and qualitative approaches to risk assessments, because both play a very vital role.” Similarly, TruSecure recommends the use of a simple risk equation (Risk = Threat × Vulnerability × Cost) that recognizes some costs will be without dollar figures. These so-called soft or semi-soft costs include lost productivity, damage control, and lost customer loyalty—and enterprises never should discount them from an accurate risk assessment.

An ounce of prevention?

Does risk management equal risk prevention? No way, experts say. Total technological security does not exist. Our IT infrastructures rely far too heavily on networked connections to survive inside a vacuum. Although total risk prevention is impossible, companies can implement preemptive measures. Examples include: firewall policy modification, installation of intrusion detection devices and software, distributed denial of service (DDoS) mitigation, the review and elimination of vulnerabilities in custom-generated software code, software patch applications, and the strengthening of authentication practices for virtual private network (VPN) users.

The weakest link

Of all the elements within risk assessment, one in particular offers enterprises greater control over security: vulnerability assessment. Unlike threat assessment, which takes stock of potential attackers beyond your reach, vulnerability assessment provides visibility into infrastructural weaknesses. These weaknesses are places within your infrastructure where attacks might be successful, but they also are places that you can monitor and modify at will. The trick is to find these weaknesses before the hackers do.

Where do you look? Everywhere, Richter says. Companies should do “everything from analyzing software code for buffer overflow vulnerabilities to making sure that the card scanning system on the front door is working properly, or even determining how easy it is to obtain unauthorized router log-in credentials from an overly trusting system administrator.”

Cable & Wireless offers a managed vulnerability scanning service that helps customers pinpoint their Achilles’ heels on an ongoing basis. “A good managed vulnerability scanning service can not only reveal to customers what common hack-attack risks they are exposed to,” says Robert Hansen, security product manager, “but also how their vulnerability to such attacks has changed over time, if at all.”

More importantly, companies that can identify their vulnerabilities have the opportunity to repair them and thereby prevent some attacks—or at least mitigate risk. “Given that a threat assessment is part of every risk analysis,” Hansen says, “the likelihood of the potential threat decreases dramatically when proactive vulnerability scanning is combined with risk mitigation by trained security professionals.”

Now what?

After accurately assessing the risk your company faces, it is time to deploy the appropriate security measures to manage that risk. Now, the CISO and security experts become superheroes again. By applying the determined budget across the potential threat windows, the security organization should be able to propose and implement a detailed posture of defense that will adequately, effectively, and efficiently protect the enterprise.

Gartner analyst Mark Nicolett advises companies to focus on these four critical pillars for effective IT security [1]:

» Security risk, organization, policies, and architecture. “A key element of effective IT security risk management is to identify exposures and their potential costs so that security policies—and an overall security architecture—can be developed to minimize these exposures and costs.”

» Security infrastructure. “An enterprise’s security infrastructure is made up of the tools, technologies, and tactics that are deployed to protect the network perimeter and internal resources.”

» Security administration. “Enterprises cannot realize satisfactory returns on their investment in security planning and policy development without effective execution and implementation.”

» Business continuity planning. “Business continuity planning has evolved beyond its traditional focus on disaster recovery to include planning and design for IT and business process resilience.”

And because risk assessment should be an ongoing and adaptable endeavor, certain elements of the process—such as vulnerability assessments and asset valuations—should continue regularly throughout the security strategy.

Although The CISO Show probably won’t grace your TV screen next season, the challenges of IT security are still prime-time fodder. The climate of this era, torn between terror alerts and a timid economy, has forced us to focus simultaneously on defense and value, on the implementation of stringent protection, and on the cost justification of such protection. Although companies cannot fend off every hacker attack with laser beams and pulverizers, they can approach security with the realism it deserves. An accurate risk assessment, coupled with flexibility and an acknowledgment of boundaries, could be the most important mechanism in aligning business and technology, once and for all.


[1] Gartner, Inc. Managing IT Security Risk in a Dangerous World, by Mark Nicolett. March 25, 2003.


Don’t forget your priorities

Many organizations approach IT security with only a vague understanding of the hazards they face. Jennifer Asprey, CISSP and a senior security product manager with Cable & Wireless, says that many C&W customers come looking for managed security “after performing some kind of security assessment” rather than conducting an overall risk analysis. “Most of our customers understand the overall threats in the industry and come to us with a perceived need,” Asprey says. “But very few customers understand how to prioritize the risks or determine whether dollars are better spent on one security service versus another.”

Prioritization is a critical but often overlooked step in the risk assessment process. Beyond simply identifying assets and threats, companies must determine which assets are the most valuable, which threats are the most manageable, and which losses are the most tolerable. William Hugh Murray, CISSP and an executive consultant with TruSecure Corporation, offers some helpful rules of thumb: “Do not spend more money mitigating a risk than tolerating it would cost you. And never spend more money making a decision than the value of the decision.” In other words, he says, recognize your “implementation-induced limitations”, such as budget, available expertise, and time, and “limit the use of expensive rigor and discipline to those decisions that really require it.”

Companies also must consider the usability of the infrastructural components they are protecting. “This is a careful balancing act,” says Asprey. “As the security of a given device goes up, the usability goes down.” Prioritizing risks and assets can help a company better determine the extent to which it is willing to make compromises.
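The quantitative variables introduced under “Figuring it out” (SLE, ALE, TCO), TruSecure’s Risk = Threat × Vulnerability × Cost, and Murray’s rule of thumb above can be carried through as one worked calculation. The Python below is an added example written for this page; it is not code from the article, from Cable & Wireless, TruSecure or Gartner. Every asset value, attack rate, success probability, soft cost and control cost in it is a constructed figure, and treating the annualized rate of occurrence (ARO) as threat rate times vulnerability is this example’s own simplification of the TruSecure equation. It ranks three risks by annual loss expectancy and then ranks three candidate controls by the expected loss they remove minus their yearly cost, which is the question Asprey says customers cannot answer: whether dollars are better spent on one security service versus another.

```python
"""Worked quantitative risk assessment: SLE, ARO, ALE and control selection.

Added example for this page, not code from the article or any vendor named
in it. All figures below are constructed; ARO = threat rate x vulnerability
is this example's simplification of TruSecure's Risk = Threat x
Vulnerability x Cost.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    """One asset/threat pair across the article's four areas: asset value,
    threat analysis, vulnerability (likelihood) and loss expectancy."""
    name: str
    asset_value: float       # AV: what the asset is worth to the business
    exposure_factor: float   # EF: fraction of AV lost in one incident, 0..1
    threat_rate: float       # attack attempts per year (threat analysis)
    vulnerability: float     # probability an attempt succeeds, 0..1
    soft_cost: float = 0.0   # per-incident soft costs: lost productivity,
                             # damage control, lost customer loyalty

    @property
    def sle(self) -> float:
        """Single loss expectancy: AV x EF plus the soft costs of one incident."""
        return self.asset_value * self.exposure_factor + self.soft_cost

    @property
    def aro(self) -> float:
        """Annualized rate of occurrence = threat x vulnerability (assumption)."""
        return self.threat_rate * self.vulnerability

    @property
    def ale(self) -> float:
        """Annual loss expectancy = SLE x ARO, i.e. Threat x Vulnerability x Cost
        with Cost = SLE."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    """A candidate security measure and its yearly TCO."""
    name: str
    risk_name: str
    annual_cost: float                    # licence, hardware and staff per year
    vulnerability_reduction: float = 0.0  # fraction by which it cuts the chance
                                          # that an attempt succeeds
    impact_reduction: float = 0.0         # fraction by which it cuts loss per incident


def residual_risk(risk: Risk, control: Control) -> Risk:
    """The same risk after the control is in place."""
    if control.risk_name != risk.name:
        raise ValueError(f"{control.name} does not address {risk.name}")
    keep = 1.0 - control.impact_reduction
    return replace(
        risk,
        vulnerability=risk.vulnerability * (1.0 - control.vulnerability_reduction),
        exposure_factor=risk.exposure_factor * keep,
        soft_cost=risk.soft_cost * keep,
    )


def annual_benefit(risk: Risk, control: Control) -> float:
    """Expected loss removed per year: ALE before minus ALE after."""
    return risk.ale - residual_risk(risk, control).ale


def net_value(risk: Risk, control: Control) -> float:
    """Benefit minus the control's cost. Negative means Murray's rule applies:
    tolerating the risk is cheaper than mitigating it."""
    return annual_benefit(risk, control) - control.annual_cost


def worth_buying(risk: Risk, control: Control) -> bool:
    return net_value(risk, control) > 0


def prioritize(risks, controls):
    """Rank candidate controls by net annual value, best first."""
    by_name = {r.name: r for r in risks}
    ranked = [(c.name, net_value(by_name[c.risk_name], c)) for c in controls]
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)


# Constructed figures for the illustration (not from the article).
RISKS = [
    Risk("web defacement", 200_000, 0.10, threat_rate=12, vulnerability=0.25, soft_cost=5_000),
    Risk("laptop theft", 500_000, 0.20, threat_rate=4, vulnerability=0.50, soft_cost=50_000),
    Risk("storefront DDoS", 1_000_000, 0.02, threat_rate=2, vulnerability=1.00, soft_cost=10_000),
]
CONTROLS = [
    Control("managed vulnerability scanning + patching", "web defacement", 30_000,
            vulnerability_reduction=0.8),
    Control("laptop full-disk encryption", "laptop theft", 40_000, impact_reduction=0.9),
    Control("DDoS mitigation service", "storefront DDoS", 100_000, vulnerability_reduction=0.9),
]

if __name__ == "__main__":
    for r in sorted(RISKS, key=lambda r: r.ale, reverse=True):
        print(f"{r.name:16} SLE={r.sle:>9,.0f} ARO={r.aro:4.1f} ALE={r.ale:>9,.0f}")
    for name, net in prioritize(RISKS, CONTROLS):
        verdict = "buy" if net > 0 else "tolerate the risk"
        print(f"{name:42} net={net:>9,.0f}  {verdict}")
```

Run as a script it prints the ALE table and the ranked controls. With these constructed inputs the laptop encryption and the scanning service both remove more expected loss than they cost, while the DDoS mitigation service comes out with a negative net value, so under Murray’s rule the example tolerates that risk (or looks for a cheaper control) rather than spending more on mitigation than the expected loss. Soft costs are kept as a separate per-incident term so a reviewer can see how much of each SLE is semi-soft rather than asset value, and the sort in prioritize is what turns “where are dollars better spent” into a defensible order.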
