Over the past few months, however, my university and I have been negotiating a massive risk assessment/analysis with follow-up management for a year. We are proposing FARES (Formal Analysis of Risks in Enterprise Systems), an entirely new paradigm. As readers of this column know, FARES is about as far from the current state of the practice as it's possible to get and still be doing risk management.
But the sponsor, after thoroughly surveying the risk management landscape and trying many risk analysis products, decided this was the only answer. Why? Because there is absolutely nothing else that will manage risk in a network of this size and complexity, regardless of what the vendors say.
For the first time, in my experience, an organization was willing to risk a new approach simply because it was prepared to admit that all of the other methods being offered don't work.
The big consulting companies present old wine in new bottles and off they go, doing the same old thing but with a new batch of brochures and marketing hype. And the results? Well, I once had an email tag line that said "If you keep going where you've always gone, you'll end up where you've always been."
Now that some of that realization is sinking in, big organizations are getting ready to take a risk or two and try something that shows a lot of promise for solving problems that have never really been solved before.
There still are some providers taking advantage of the old FUD factor that "nobody ever got fired for buying [insert vendor here]." When that happens, everyone loses. For example, consider the recent FBI database debacle. How many times have we seen similar failures in the past?
If you are going to implement a major information security project, new or old paradigms aside, manage the project, assess the risk and manage the risk. Will the project complete on schedule? How do you know? Will it be on budget? How do you know? If you can't answer, even if you are willing to seek innovative solutions to tough information-assurance problems, you're headed for far bigger problems from the project itself.
Peter Stephenson is director of information assurance for CeRNS, The Center for Regional and National Security, at Eastern Michigan University.