The Problem
Would you ride on a space shuttle mission if you knew that the scientists and engineers who planned the mission and built the spacecraft couldn't agree on the definitions for mass, weight, and velocity? Probably not. Unfortunately, if you ask six information security professionals to provide their definitions for fundamental terms like "risk," "incident," and "threat" you're almost certain to get inconsistent answers. Likewise, if you ask security professionals to identify their organization's top "risks" you will invariably receive a list that includes concerns which, although important, aren't risks.
These terminology challenges have some profound consequences on our ability to be effective risk managers. These effects include (but aren't limited to):
• "Religious wars" between information security, audit, and other IT and business colleagues regarding the severity of audit findings and security concerns.
• Difficulty measuring (and thus effectively prioritizing) the concerns we have. After all, you can't measure what you haven't clearly defined.
• Challenges in obtaining business stakeholder buy-in for information security initiatives
The simple fact is that there is a lot of confusion, inconsistency, and even controversy around the basic notion of information risk and the fundamental risk-related terms we use. Until this is resolved, the security profession will remain hamstrung in its ability to accomplish our goals.
Crushing the opponent
Okay, maybe "opponent" is the wrong word. Perhaps "colleague with a different opinion" is more politically correct. And maybe "crushing" is inappropriate as well, so let's go with "helping."
However you want to phrase it, you've undoubtedly encountered circumstances where someone is sitting across the table from you insisting that some issue is "high risk" (or "low risk") when you know that they're wrong. When this happens, wouldn't it be nice to be able to deconstruct their argument piece-by-piece to better understand the truth — all the while limiting the chances of the discussion devolving into a "religious debate"?
What I've discovered over the years is that, very often, differences in opinion about risk level boil down to terminology, assumptions, and misaligned mental models. Someone asserts that something is a "risk" when what they really mean is that it's a "threat," or a "vulnerability." Logically and systematically talking through and coming to a clear understanding of the problem at hand can dramatically change the conversation and alter your course of action. (Frankly, it can also be extremely satisfying when the other person is wrong, but you didn't hear that from me.)
We're losing the battle
You may have heard it too — the world is unable to keep pace and is losing the war against cyber crime. It's not surprising, really. You see, in the organizations I've worked with over the past several years, invariably between 70% and 90% of the "high risk" issues the organizations have been wrestling with aren't high risk. In fact, about half the time the issues aren't even risks at all. As a result, these organizations have focused on and worried about things that don't warrant that level of attention, which means they haven't focused on the things that matter most.
Here again, when you dig into the root cause for the problem it starts with confusion about what risk is, which makes effective prioritization almost impossible. The simple fact is that, at the end of the day, management thinks about risk as the likelihood and severity of loss. That's what they want us to help them manage. If we are clear and consistent in framing our problems in those terms, then much of the confusion and complexity of our landscape evaporates and we can far more effectively measure and prioritize the challenges we face.
Given a choice...
If you had to choose between a car that will drive you from point A to point B, or a car that will drive you from point A to point B at equal (or better) comfort and less cost, which would you choose? The odds are good (almost certain, in fact) that if you ask executives whether they'd prefer good security or good security that's less intrusive and less costly, they're going to choose the latter.
In large part, this comes back to prioritization — i.e., not wasting time, energy, and money on stuff that isn't important. When you can identify and focus on the handful of things that matter most, and when you can explain the reasoning behind those decisions in terms management understands and finds meaningful, then the annual budget wars play out on a much more even field.
The bottom line
Information security is a complex and challenging problem space. If we want to be successful at managing it, we have to get a handle on our basic terminology. Otherwise, we've essentially chosen to ride that shuttle mission.
About the author: Jack Jones is EVP of Research & Development and co-founder at RiskLens. Jack is the foremost authority in the field of information risk management, and will be leading the Risk Management Summit at InfoSec World 2016.
