In many discussions about information security, you will see references to risk, risk management, risk assessment, etc. For some people, this seems like an obvious association, for others, there appears to be a clear distinction between the two. For the later, they tend to think of security as a technical effort and risk as an audit/compliance effort. I understand where this idea comes from, but I don’t agree. From my perspective, Security is all about Risk. Whether you are talking about securing your retirement financial security, securing your home or securing corporate information assets, you are talking about mitigating or limiting the RISK from the threats that pose potential harm to what you want to secure.
So why accept any level of risk? Because it is necessary to live or conduct business. We accept risk of illness when we step outside. We accept risk of data breach when we connect to a business partner. In both cases, it is simply a reality we accept.
The practice of Information Security is to protect assets from harm. As an industry, we often refer to these activities in terms such as, “securing the network”. However, it is critical to understand that installing a new security technology to secure (verb) the network or application doesn’t actually result in a secure (adjetive) asset. Instead, it is implemented to reduce the risk to that asset from a perceived or real threat, not eliminate all risk from all threats. To actually secure something completely, where there is no risk, would ironically require destroying it. To guarantee security of the network would require completely blocking all access (at which point it is no longer a network). And so, the practice of Information Security, like daily life, is an exercise in managing acceptable risk.
But we can do more than just accept risk. We can and should manage risk. While we can’t eliminate all risk, we should manage risk to acceptable levels. But this is not standard practice. While many companies have some form of Risk Management, it is not the central component of their security practice. Instead, it is something that is layered on top of their security practice. In fact, many companies create separate groups; one to manage security and one to manage risk. The security group will install and operate security technologies and every so often the risk group will inform them of problems that need addressed. If risk were truly the center of our security practice, risk would play a role in all daily operational activities and the effectiveness of those security activities would be measurable impact on the risk to the assets we wish to protect.
Instead, security groups get lost in “securing” the enterprise. Without a measuring stick for success beyond, “don’t get hacked”, we continue to turn to new technologies promising a new level of security or to address a new threat. We lose sight of the real reason for the technology, to limit risk. I don’t see this as a problem security operations created, I believe it is a problem with executive leadership not defining success clearly. But it is the responsibility of security to provide the correct picture and data describing security in terms of risk that is consumable by the executive leadership. Until these two things happen, security will remain an impossible task with an impossible goal to “secure the enterprise” while enabling business.
I believe we can get there. I believe that measuring risk is where it needs to start. This post is the first in a series of posts that will appear here on the FireMon blog detailing why we think measuring risk is so important and a way to make it possible.