When I looked for the tag “Security” over at Technorati, 1,902 posts from 417 blogs matched it. When I looked for the tag “Risk Management,” only 33 posts from 8 blogs matched (the tag “Risk” by itself produces a bunch of board-game fans).
I think this merits some consideration, since it says to me that the vast majority of thinking about “security” is occurring in a vacuum. People who talk about “upgrading from IDS to IPS” may be trying to secure their networks, but they’re not managing risk. And if they’re not managing risk, then they’re just playing with geek toys. The fact that it might make the environment safer is just a lucky side-effect.
The standard defense is, “Because it’s more secure!” I know, since I’ve used it myself. Occasionally it was because I knew that the person with whom I was having the discussion couldn’t or wouldn’t understand my reasoning, or because there was a lot of technical nuance involved, but sometimes it was because I just “felt” that something was right, even if I couldn’t justify it.
In the modern corporate world, however, feeling that something will make a difference is not enough–it’s enough to serve as a starting point for real Risk Analysis, but it’s not a justification in and of itself. Somewhere, a security vendor’s salesperson is taking me off their Christmas card list right now, but that’s the price I pay for speaking the truth ;-), which is this: more security is not necessarily better.
This is part of the view of Security as a series of tradeoffs. What may be an acceptable tradeoff to some is not to others. What may be a necessary improvement to some is not to others. What may be a Good Thing to some is not to others. Anti-spam filters have cost people I know consulting contracts. The “security” process for poking holes in the corporate firewalls at my employer has cost us major deals. In either case, there were people who could argue correctly that Security had hurt the company.
The key thing to remember is that it’s not the Security Team’s job to make this decision! The Security Team’s job at the strategic level is to provide Management with accurate, meaningful information about risks to the company’s assets. If they can bring some options for mitigating or transferring the risks, even better, but it’s up to Management to manage the risks–that’s their job. Let them, or you will find that they will quite happily transfer the risk of your bad decision back onto you.
With SOX currently dominating the Executive Suites, that’s not necessarily a Bad Thing–those guys can now go to jail if they sign off on financial statements which are later found to have material errors. As a result, they genuinely want to know about real risks to the company’s financial reporting abilities and are much more likely to over-value the asset when looking at mitigation strategies. They tend to get a bit cranky if you drop a hot potato on them without at least a suggestion or two–no matter how outrageous–but that’s life in the Big City. Know that and act accordingly.
Going forward, the value of Security, by which I mean the ability to ensure the Confidentiality, Integrity, and Availability of an organization’s (technology) assets, is becoming less about deploying IDS, hardening servers, or deploying firewalls and more about being able to understand and effectively communicate risks to the business.
That’s not to say that there won’t be plenty of work being done to deploy security technology and products. Those projects will need to be defined and explained in such a way that Management understands they are solving problems the company actually has.
In order to actually do security going forward, we have to approach it from a business perspective. Thus, I present three questions which must be addressed for any (security) technology:
- Does The Business think it has this problem?
- Does this solution actually solve The Business’ problem?
- Is it a cost-effective solution to the problem?
If The Business doesn’t think it’s a problem, it may or may not be because it isn’t a problem. Find someone on the Business side whom you can trust to provide honest, accurate assessments of what the decision-makers think about a particular problem. If it’s not a problem now, it may become one in the future. That’s what shelves are for.
Nothing destroys credibility more quickly than doing something that could later leave people feeling scammed–they will develop a level of cynicism toward you (and possibly toward the whole discipline) that you (and your successor) will never be able to dispel. If you’re not sure that the solution fits the problem, don’t hesitate to ask. And once you ask, listen to the answer and be prepared to act accordingly–it both decreases the odds of building an impenetrable Veil of Cynicism and increases the odds you’ll get it right next time.
This is really a restatement of #1, but if the problem is too expensive to solve, then it’s not really a problem. It may become one later, if the underlying assumptions about the cost of either an incident or the solution change, so if you stay aware (going back to “fee
One of the hardest problems with Risk & Threat Analysis is providing an accurate Quantitative Analysis of the problem, especially if the Threat is new or unique to a particular environment.
So what’s the good news? Risk Management is the future. If you learn to Think About Risk and Quit Playing With Toys, you can have a long and relatively prosperous career in Information Security. The bad news, though, is that you no longer get to Play With Toys. C’est la vie.