Vol 2 - Iss 2.1
April 27, 2011
Information Security Is Risky And Manageable
From the desk of:
Paul Sand, Sr. VP
"No Sugar Pills Required, But They Do Taste Good"
The placebo effect exists even when no one is taking sugar pills! This is painfully obvious in the cyber security world. As we look across the cyber security industry and see its enthusiastic embrace of risk management, our spirits are buoyed. But generally, the facts bear out otherwise -- we are actually probably doing worse. We just feel better about what we are doing. What a strange phenomenon!
Keep in mind the latest Verizon Data Breach Report still finds that 96% of breaches were avoidable via simple or intermediate controls. This still happens despite our embrace of risk management approaches. Take a look below for some high-level views on where risk management is "off the tracks" today.
-- P. Sand
In This Issue:
1. Letter from Paul
2. What's the Biggest Cyber Risk?
3. The Fastest Way to Reduce Risk
4. IP3 News & Events
What CFOs Worry About:
Top 5 Risks In Next 5 Years
1. Financial Exposure
2. Supply-chain/logistics disruption
3. Legal liability and reputational harm
4. Technology failure
5. Security breach
What's Your Biggest Cyber Risk?
A little old lady? ... You? ... Cyber criminals?
Doug Hubbard, author of The Failure of Risk Management, in an article in CSO Magazine (Measuring Up, March 2011) tells his audiences, "... you all have the same biggest risk. The biggest risk is that none of you know that your risk management actually works." Many of the risk management officers and CSOs in his audiences start to argue the point, but Hubbard quickly drives home that none of them really do know.
In early April 2011, the residents of Armenia and Georgia found that a 75 year-old woman with a shovel was an unmitigated risk that brought down internet service for hours. While it would be absurd to expect a risk management model to expressly cover the scenario of a 75 year-old woman with a shovel, it seems unthinkable that the loss of a single transmission facility would have an hours-long impact on the internet of several nation states. Somewhere things really broke down.
What's the biggest problem with InfoSec Risk Models?
The risk models are really just unaided human intuition. Why? The challenges of modeling or measuring something appear so formidable as we set out to define a risk management model that we revert back to unaided intuition of some sort or other. Simply put, we start out trying to do too much and then quit far too soon. So, we should start out not expecting to build a perfect, comprehensive risk model but merely to do better than unaided human intuition. With respect to trying to do too much, Hubbard says, "If you have 20 sources of error that you know about and 100 that you don't know about, and then you got rid of 10 of the ones that you knew about, you have less uncertainty than you had before." Not only should we settle for less than perfect, we should even settle for less than complete. We just need to beat intuition to get better!
Next, let's look at quitting far too soon. Most often, we fail to make progress with risk models because we don't feel we have enough data with which to build the model. But Hubbard disagrees: "You have more data than you think, and you need less data than you think, especially in IT." We need to focus on the data that we do have rather than perpetually focusing on the data that we don't have.
What's the second biggest problem with InfoSec Risk Models?
We think our models are working, but they are not. Even without any sugar pills, we are stung by the placebo effect! "There is a real placebo effect that has been measured in control experiments for various phenomena. We can observe that an analysis behavior improves confidence even though it's actually making decisions and forecasts worse." Hubbard points to a study in which law enforcement officers trained in lie detector use felt more confident in their ability to detect lies when they actually did worse than people without any training. The placebo effect exists: make sure that your InfoSec Risk Models really are doing better and that you are not feeling better about doing worse!
The Fastest Way to Reduce Risk: Collaborate and Share!
When William Lynn, Deputy Secretary of Defense, outlined DoD plans to bolster cyber defenses at the RSA Conference in February, he said, "With the threats we face, working together is not only a national imperative, it's one of the great technical challenges of our time." While I agree that cyber security collaboration is a national imperative and that it is one of the great challenges of our time, it clearly is not a technical challenge. It is a challenge of legal and economic dimensions. Whatever their type, these challenges are daunting and ominous, but not insurmountable. And, with the huge benefits that effective collaboration can bring, those challenges must be confronted and resolved.
What are the Benefits of Collaboration?
Better information leads to better decision making. Quick, free-flowing information leads to faster decision making. Collaboration and information sharing build a better information base and, if done well, distribute that information fast. The quality and speed of decision making have an outsized effect on an organization's bottom line. There is a strong, compelling case to get better at collaboration and information sharing.
What is Stopping Effective Collaboration?
If the benefits are so great, what's holding everyone back? First and most importantly, there is a lack of trust between the parties that need to collaborate and share information. This mistrust is bi-directional; it exists between the private and public sectors and within the private sector itself (your competitor is probably your best collaborator, but working with them is dangerous). Laws and regulations discourage both the public and private sectors from full disclosure of information (admitting to a possible breach can have unintended consequences and be expensive for an organization). The old adage "any publicity is good publicity" does not apply to publicity around breaches or compromises of customer information. Here bad publicity is a plain old disaster.
How to Increase Collaboration?
Eric Bataller, Senior Security Consultant at Neohapsis (Cyber Partnerships, Information Week, March 28, 2011), prescribes four steps to increase private-public collaboration: 1) Establish real-time event tracking across organizations and sectors of the economy; 2) Conduct intelligent activity analysis; 3) Identify and share the sources of abnormal and malicious traffic; 4) Establish an organization of vendors, businesses, and researchers that develops capabilities for dynamic defense and response. Sounds great; now if we could only get everyone to trust each other to make it happen.
The Internet Security Alliance (ISA) has initiated work focused on collaboration and information sharing of command and control ports and addresses related to malware and has made some measured progress in this direction. The Financial Services Information Sharing and Analysis Center (FS-ISAC), which facilitates information sharing in the financial services sector, is operational and effective. The industry needs to first focus on information that can be shared that exposes the sharing party to little or absolutely no additional risk (like the ISA's project). Then, community by community, broader collaboration and information sharing must be addressed by doing the hard work of hammering out the right legal relationships to allow participants to harness the vast gains of increased collaboration without accepting unreasonable additional risk.
IP3 News & Upcoming Events
√ Pensacola State College and IP3 partner to deliver VoIP Security Training this Spring.
√ IP3 delivering Cloud Security Program to ISACA next month.
√ CISSP® Live 5-Day Boot Camps
(Certified Information Systems Security Professional)
Flagler County, Emergency Operations Center May 16 - 20
Columbus State Community College June 13 - 17
University of Maryland Baltimore College June 20 - 24
Fresno County IT Services Department June 20 - 24
The iSchool @ Drexel University Aug. 8 - 12