I have been talking for years about a new model of management, the purpose of which is to achieve a number of goals. First is to implement a model that is predictive regarding threats and controls. This is to ensure that we are implementing controls before we have an incident or an audit finding. Second is to have risk-level goals decided on by leaders of the organization, not by the security team. The ability to ascertain the risk tolerance of the business gives us a benchmark to hit as opposed to just “guessing” and then getting political pushback. Third is to institute a tight mapping between every control and its threat justification. This is to ensure we have a valid reason for each control we put in place and a response for each threat. Fourth, we must have an assessment component to determine a desired result, as well as a true risk rating.
There are two main methodologies that I use to do this. The first is the equilibrium methodology, which works to establish a balance between the threats and controls. It achieves this by using leadership’s perception of what appropriate risk level is at the fulcrum. The perception is obtained via a survey of executives that asks them how vulnerable are they willing to be for what value, as well as how much are they willing to risk. This simple model is the businesses direction that information security should take and implement because it results in less debate over why the controls are being put in place and encourages stronger support from leadership to help push the initiatives through.
The second methodology is risk management. The concept of risk is rarely well-conceived or implemented in most organizations. In our strategy, we start by going back to basics. In building out a threat taxonomy that details the threats we have seen and could yet see, we lay the groundwork for the controls. From there we detail the specific controls needed to address each threat.
A three-tier controls model follows that lays out the policy, standard, processes and “live” drift identification and remediation for each threat. The control gaps that are identified clue us in to what is needed in the security plan.
Lastly, an assessment of each control that is implemented is performed for efficacy. Then, findings are put in context with each particular environment, from which we can then derive three buckets of risk: value, brand and operational.
It is these three categories that get communicated to the business as the enterprise risk levels. These categories establish a relevant and understood language of risk to the business executives so it is intuitive to them. While nothing is perfect, this approach is a step forward toward implementing structure and predictive maturity to what is commonly seen as chaos and reactive.
»A need to grow
In spite of evolution in the security marketplace, we still have yet to mature as an industry beyond the methodologies and theories that were initially developed, says Somaini.
»Step by step
“Drift identification and remediation” is how Somaini identifies a live system that has gone from not having an issue to having one, and bringing it back into good standing.
»Once in place
With this method, Somaini tracks all controls. These are structured in a common framework, such as ISO 27001, to ensure interoperability with external audit requirements.
Events of the past year, such as the revelations from WikiLeaks, the Stuxnet attack on Iran’s nuclear facilities or continuing network breaches, illustrate the evolving risk landscape.