In our series on risk here at the Firemon blog, we have clearly stated that network security is all about risk. So if risk truly is the yardstick we should use to measure the state of our organizations security, why are so many of us not measuring risk correctly? There are many factors that contribute to this issue, but ultimately there tends to be one overriding issue that affects organizations perspective around security and risk.

Too many organizations view security and risk reduction as a project rather than an ongoing process. There are a number of security arenas where this myopic perspective of security as a project is displayed. Compliance initiatives around PCI DSS, HIPPA, GLBA, etc. tend to get slotted as a project to complete, and after said completion, security has been achieved. While compliance initiatives are an important and depending on the industry, required part of an organizations security efforts, they are not a project to complete that results in a state of security and therefore reduced risk. Time and time again, we have seen too many organizations assume that their PCI DSS compliance equals a secure network, only to be shocked when they are subsequently attacked.

Similarly, implementing a vulnerability analysis and remediation project has become most organizations default way to identify and reduce risk within their networks. Typically an organization will run an enterprise vulnerability scanner at set times, compile a list of the vulnerabilities identified, possibly prioritize actions based on asset value, and then schedule patch work for the next 2-3 months to fix the 100’s or 1000’s of vulnerabilities listed by the scanner. As we saw with compliance initiatives, too many organizations treat vulnerability scanning as simply another project to tick off the list, and once complete, assume they are secure. The vulnerability scanner also has no knowledge of the network security controls that are in place, and therefore is unable to truly identify exactly what is the most severe risk to the network security based off what is truly reachable or exploitable as we have previously highlighted on our blog. Vulnerability Scanners are a vital tool within any organizations remediation strategy, and one that hopefully most organizations are utilizing. They are not the end-all solution answer to risk by themselves though.

In both security arenas we discussed above, there is no real time, ongoing, effective measurement of the organizations true exposure to risk.  Project based approaches do not allow an organization to truly see how the efforts of the organization to reduce risk ultimately affect the overall risk posture. In both cases, they are gaining a false sense of security simply by completing projects related to security. To truly manage and reduce risk, organizations need to make the management of risk a daily part of their operational security. In order to operationalize risk, practitioners need to leverage a tool that fully measures all of the elements that affect the risk to the network, prioritize the actions that need to be taken, highlight the impact those actions will have on the security posture, and allow the organization to see how their risk posture has changed over time or as new changes have been required within their network connectivity. The key element to said tool must be a truly effective measurement of risk to enable risk management to become a daily operational function of security. In our next post, we will discuss what elements are required to fully and accurately measure risk to a network.