Firms realize that playing it safe is the riskier option


Over the past few months, however, my university and I have been negotiating a massive risk assessment/analysis with follow-up management for a year. We are proposing FARES (Formal Analysis of Risks in Enterprise Systems), an entirely new paradigm. As readers of this column know, FARES is about as far from the current state of the practice as it's possible to get and still be doing risk management.

But the sponsor, after thoroughly surveying the risk management landscape and trying many risk analysis products, decided this was the only answer. Why? Because there is absolutely nothing else that will manage risk in a network of this size and complexity, regardless of what the vendors say.

For the first time, in my experience, an organization was willing to risk a new approach simply because it was prepared to admit that all of the other methods being offered don't work.

The big consulting companies present old wine in new bottles and off they go, doing the same old thing but with a new batch of brochures and marketing hype. And the results? Well, I once had an email tag line that said "If you keep going where you've always gone, you'll end up where you've always been."

Now that some of that realization is sinking in, big organizations are getting ready to take a risk or two and try something that shows a lot of promise for solving problems that have never really been solved before.

There still are some providers taking advantage of the old FUD-factor that "nobody ever got fired for buying [insert vendor here]." When that happens everyone loses. For example, consider the recent FBI database debacle. How many times have we seen similar failures in the past?

If you are going to implement a major information security project, new or old paradigms aside, manage the project, assess the risk and manage the risk. Will the project complete on schedule? How do you know? Will it be on budget? How do you know? If you can't answer, even if you are willing to seek innovative solutions to tough information-assurance problems, you're headed for far bigger problems from the project itself.

Peter Stephenson is director of information assurance for CeRNS, The Center for Regional and National Security, at Eastern Michigan University
