
Under the Hood of the IT Security Risk Dashboard

DQI Bureau

Large amounts of information are stored in management dashboards, which we rely on for feedback before deciding which events need to be fixed immediately and which can wait for remediation. Instead of looking for unusual signs and signals that indicate risk, the dashboard becomes the system of record by which organizational decisions are made. It can, however, provide a false sense of comfort that all is well when it clearly isn't.


In this article, Paul Black points out areas of significant risk that are often the last to be examined by security management and are difficult to quantify within reporting systems.

Accepting Realities in Dealing with Risk

Regardless of industry, all management naturally shares a common desire to eliminate threats and risks to their organization. Within information security and risk organizations this desire is treated as a 24x7 urgency. Yet the desire to eliminate threats and risks is generally complicated by two key elements: the intersection of money and reality, and the needs of the business.


There is hardly a C-level executive who is satisfied with the budget they have to cover the entire scope of their responsibilities. This means that virtually no firm has sufficient finances to allow its security organization to obtain all of the tools, methods, processes, or even people, required to protect the company from every threat facing it. It is impossible to reduce risk to zero; that is why acceptable risk is an operating norm, and there is no option but to accept some level of risk and press forward.

In trying to protect assets without enough resources, information security organizations tend to eliminate the broadest and most obvious risk scenarios and threat vectors that the available dollars allow. Reporting on risk activities essentially becomes a matter of aggregating potential risk information, summarizing it across dissimilar areas and then distilling it into a graph, chart or presentation to create a status report for management.

But given the many variables relating to risk, actually documenting the role of information security in protecting the business can get very messy. As a result, opinions are formed and decisions made based on the perceived accuracy of tools that aggregate and distill huge quantities of data into blocks of workable intelligence. In the context of information security, this is where you can run into big problems.


Responding Effectively to Risk

Classic security management systems rely on reporting that is predicated on defined boundaries, with output assigned traditional stoplight colors (red, yellow, green, etc.) that reflect the status of operating conditions. The availability of risk information in dashboard form can therefore allow management and executives to assess the security risk posture and, when the risk reporting lights are all green, take comfort in the knowledge that they are responding appropriately with respect to protecting the company from both financial and reputational exposure.

But are they? Some psychologists and sociologists suggest that people naturally 'want' to see green lights because a green light invariably points to a job well done, which results in compliments and financial rewards. In contrast, 'red' equates to bad and is considered a fault. The drive towards going 'green' in certain situations can therefore create an inherent false sense of security. And typically in risk management it is the ignored bumps and noises that cause the real problems. Hence healthy, functioning critical systems are totally necessary in order to stamp out the most damaging risk vectors threatening your company.


Measuring and reducing risk

Security management programs are invariably based on the core principle that following evidence-based risk deterrent models will allow you to reduce information security risk in ways that can be empirically measured, mostly by common sense. For example, the Conclusions and Recommendations section of every Verizon Data Breach Investigations Report (DBIR) has carried the statement: "87 percent of breaches could have been avoided through the implementation of simple or intermediate controls. All of these were the standard, run-of-the-mill practices that we in the industry see and use every day".

Most recommendations are basic common-sense initiatives that have a proven track record of reducing risk. However, there is one catch-all recommendation that often becomes the very last one that companies focus on, or that they avoid altogether: actually defining what is suspicious and anomalous and then actively looking for instances of it. This can be paramount to your organization's long-term health. More specifically, says the DBIR, you should prepare to defend against and, especially, detect very determined, well-funded, skilled and targeted attacks. The fundamental thing is to discover what is critical, identify what constitutes normal behavior, and then set focused mechanisms in place to look for and alert upon deviations from normality.


Balancing between freedom and control

For most IT professionals, security translates to building a fortress-like perimeter with layers of defense and then watching the perimeter for signs of suspicious activity. Yet this can create a delicate see-saw between too much security, which hinders the business, and too little control, which places the company at greater risk.

In this balancing act, what is almost always overlooked is the natural behavior (ebb and flow) of users and the movement of company data associated with those users. You should review the areas that fall into the category of 'suspicious' or 'anomalous': those easily overlooked things that make us pause but are easy to avoid or put off until a later date.

Too often the very things that cost the least to review and remediate are the vectors that ultimately cost the most. Not all problems show up on a dashboard. Being attuned to what seems suspicious or anomalous doesn't necessarily mean spending large amounts of additional corporate dollars. Eliminating easy-to-find risk can usually be accomplished using tools that likely already exist at your firm.

Even if a risk dashboard can never mitigate all areas of risk, to truly succeed you can discover what is critical, identify what constitutes normal behavior, and then set focused mechanisms in place to look for and alert on any deviations from normality.
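The "define normal, then alert on deviation" approach recommended in the "Measuring and reducing risk" section and restated above, as an added example that is not part of the original article: a single company-wide limit (the stoplight rollup) stays green, while a per-user baseline built from each user's own history flags the one record that is out of character. The log format, user names and volumes are constructed for the example.

```python
from collections import defaultdict
from statistics import median

# Constructed sample log (not from any real system): "<date> <user> <bytes_out>", one record per user per day.
SAMPLE_LOG = """\
2024-03-01 alice 120
2024-03-02 alice 130
2024-03-03 alice 110
2024-03-04 alice 125
2024-03-05 alice 4800
2024-03-01 bob 900
2024-03-02 bob 950
2024-03-03 bob 870
2024-03-04 bob 910
2024-03-05 bob 940
"""

def parse_log(text):
    """Group the constructed log lines into {user: [(date, bytes_out), ...]}."""
    per_user = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            date, user, size = line.split()
            per_user[user].append((date, int(size)))
    return per_user

def dashboard_rollup(per_user, global_limit=5000):
    """Stoplight view: green as long as no record crosses one company-wide limit."""
    return all(size < global_limit for recs in per_user.values() for _, size in recs)

def find_deviations(per_user, k=5.0):
    """Per-user baseline: median and median absolute deviation (MAD) of the user's own
    history; a record more than k MADs from that user's median is an alert."""
    alerts = []
    for user, records in per_user.items():
        sizes = [size for _, size in records]
        base = median(sizes)
        mad = median(abs(size - base) for size in sizes) or 1.0  # guard against an all-equal history
        for date, size in records:
            score = abs(size - base) / mad
            if score > k:
                alerts.append((user, date, size, round(score, 1)))
    return alerts

if __name__ == "__main__":
    data = parse_log(SAMPLE_LOG)
    print("dashboard green:", dashboard_rollup(data))
    for alert in find_deviations(data):
        print("deviation from user baseline:", alert)
```

Bob's ordinary daily volume is well above Alice's spike, so no single global threshold can separate the two; "normal" has to be defined per user (or per asset) before deviations from it mean anything.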
