
Protect or exploit?

02-27-2010

The perennial discussion about the value of risk analysis has broken out yet again over on CISSPforum.  It's close to being classed as one of our zombie topics - the ones that we think we've successfully killed off after getting nowhere but some time later they arise from the grave to haunt us again, over and over.  I wouldn't mind so much but we seem to dance around the same old handbags every time:
  • Quantitative versus qualitative risk analysis - the pros and cons of each, and innumerable associated methods, tools and techniques 
  • Risk-based versus experience and good practice-based security investment decisions
  • Risk- or experience-based versus compliance-based decisions
  • All of the above versus risk-based standards such as ISO27k
  • The futility of any form of information security risk analysis if management can undermine any argument versus the need for us to be "risk-focused", for various reasons expressed with varying degrees of hand-waving
This afternoon, I'm contemplating a different argument, the contrast between what general business and financial managers think of "risk" versus what it means to CISSPs.  For management, risk is something to be embraced and exploited, where appropriate, because risk brings opportunity.  For CISSPs, risk is something to be avoided, controlled/mitigated or transferred because it is BAD.  We're worlds apart.

So, how about we turn our argument on its head: instead of asking "How can we best minimize information security risk X?", ask "How much information security risk X can the organization stand before it becomes intolerable?" or, for kicks, "How lucky do you feel?".  I find this kind of approach quite liberating, in a funny sort of way, a bit like extreme sports.  Extreme CISSPs deliberately take chances and enjoy the thrill that entails.  I'm not talking about being totally reckless - we're still CISSPs at heart, so we understand the value of contingency measures - but knowingly pushing the boundaries where appropriate, in the full knowledge that some of our risk-taking will fail (just as it will even if we are ultra-conservative!).  The key to success, as in extreme sports, is to know when to stop the game, but the difference with this approach compared to the usual risk-averse-verging-on-paranoid traditional play is that we are not automatically saying "No!" to everything, so if and when we do actually say "No!", it inevitably has more impact. 

Taking this a step further, it is fascinating to discuss such an approach with management, particularly as they have more at stake being the information asset owners, accountable for their protection and exploitation.  It may be counterintuitive, but I suspect a CISO who asks "How much information security can we do without?" stands just as good a chance of getting the funding she needs for critical projects as her more traditional peers - but with a very definite additional advantage, namely the genuine management support that we stick-in-the-muds so often lack.
