I’m assuming the author wants us to read the title as “Things to Look Out For in Performing Risk Analysis” and not “Risk Management is Folly - Stop, Stop, Stop!” The former is fine, the latter isn’t supported by the evidence presented by the subjects of the article.
The subjects of the article are a good study from Wade Baker & Co. at Verizon, and a report from RSA’s Security for Business Innovation Council. Let’s take a look at each of these and examine why what they’re saying might contribute to poor risk management, shall we?

1.)  THE VERIZON REPORT

The Verizon report is an analysis of some 530 forensic investigations their company performed.  It is well worth your time as it’s chock full of interesting information.  As it relates to the Dark Reading piece, a coarse summary would be that “likelihood” is “different” for different people and so you can’t use the same “likelihood” across different industries.

Distilled through the lens of FAIR:

“different threat communities may be applicable based on Probability of Action factors which include: Value, Level of Effort and Risk (of Getting Caught).”

Or, even further distilled and in the words of my six year old son,

“Duh-uh”.

With regards to what I assume is the purpose of the article (What Doesn’t Work in Risk Analysis) this concept  seems just to rehash the old GIGO argument regarding risk analysis.  Great.  Can’t argue with that, nor it’s corollary QIQO (quality in, quality out).

But let me ask you -  is this really a problem common in your analysis?  Did reading this article make you go “Crap, we’ve been using data normalized across multiple industries in our analysis! They’re all wrong!”  Or have you already been accounting for the unique value proposition your company has to the specific threat community you’re worried about?  See, maybe I’m just not your average analyst, but even in my NIST/OCTAVE days, this has *never* been an issue for me.

Let me be specific, this is not a problem with Verizon’s very cool report.  It’s just that I don’t see what the big deal is.  This article is starting to feel like someone is running through the motions, trying to play the ” a crazy title gets people to read a boring article” game.

Speaking of cool reports - You know what would be cool?  I think it would be interesting to see is the quality of these companies’ “risk management process” established using good criteria,  and then correlated to the frequency and magnitude of real-world losses across the aggregate sample.  In other words, can we establish evidence that strong risk management practices not just reduce “risk” but also reduce actual incidents.

2.)  THE RSA COUNCIL “EXPLORES WHY LEGACY METHODS OF EVALUATING INFORMATION SECURITY RISK DON’T WORK IN TODAY’S CONNECTED WORLD, IN WHICH ANY NEW BUSINESS INNOVATION INHERENTLY CARRIES SOME LEVEL OF RISK TO INFORMATION.”

This report from the RSA council puts forth a seemingly obvious proposition, that risk must be balanced by reward.  Why is this news?  Now as I read the article it’s not clear if:

• The RSA Council is claiming that the CISO’s office should be the ones determining reward.  Absurd.

or

• Businesses aren’t doing a good job at determining risk and reward.

Let’s go with the latter.  So I’m pretty sure (good) businesses do a good job at estimating reward.  Businesses I’ve been a part of?  We LOVE(D) estimating reward.  We don’t tend to start projects all willy-nilly. No we tend to be careful to identify the size of the market and what it will cost to address the market.  So what could the problem be that this RSA council is trying to address?  Maybe it has to do with something like the following:

Yesterday, I got a demo of an IT-GRC application that shall remain nameless.  It seemed to be very good at the “C” bits - lots of information on regulations and expectations and even what sorts of controls would answer the regulations (which is goofy, but we’ll have to talk about that later).  It also gave you the ability to build workflow quite nicely.  But it measured NOTHING.  There really was no observable “G” and “R” was really Medium X Low X Low = High sorts of stuff.  So let’s use this relatively expensive tool as evidence of what your average CISO is armed with going into a Risk/Reward sort of meeting.  I imagine a nice board room with wood-grain paneling and glass bowls filled with little chocolate covered mints designed to give everyone involved in the meeting (CEO, CFO, CIO, CSO, VP S&M, etc…) a little sugar rush when needed and fresh breath.  The conversation goes a little something like this (apologies to Rich):

Business Guy Who Wants to Make Money Because That’s What Businesses Do: Based on market studies, we believe that initial gross revenues from the new product and technology rollout will be eleventy gazillion dollars based on a 37% market penetration in Scandinavia, alone.

CSO: Well now, we have a likelihood of “High” and a “C” impact of Medium, and an “I” impact of Low, and an “A” impact of “High” and because we are a (bank/hospital/retailer/basically any business that breathes anymore) we weight “C” by a factor of 2 - we multiplied those all together and got a “High”.

So can you guys delay the product rollout by 9 months and give me a bunch more money that’s not in the budget so that I can get this thing down to a “Medium”, please?

Again, I just don’t see the problem with Information Risk Management being that our businesses have no idea what the rewards of business might be.  Now maybe we need get a seat in that boardroom just to be able to talk about our “Mediums”, sure.  And maybe we’re infantile in our ability to describe our problem space.  But I cannot fathom that “Risk Management Doesn’t Work” because businesses haven’t been considering “reward”.

WHY RISK MANAGEMENT MAY  NOT BE WORKIN’ FOR YOU

Two meta-categories of causation:

• No skills

and/or

• No resources

Any ancillary “cause” can be mapped to one of these categories.  You could have significant resources but crappy models, and have conversations like our imaginary CSO, above.  You could have really good models and people trained and motivated to use them, but scarce time & money, so no conversation happens.

Now my question for you is - which does it make sense to acquire *first* to solve the “Why Risk Management Doesn’t Work” problems, skills or resources?

Before we get to security implications, we should start with a basic discussion of what virtualization does to the overall information infrastructure...]]> Thu, 11 Sep 2008 20:00:00 +0000 basic discussion virtual infrastructure solutions discussion guest blog post rsas collaboration virtualization process change regular basis security implications Security and Virtualization http://securityratty.com/article/9889880c87bd6f2858883a0c1c40e50b http://securityratty.com/article/9889880c87bd6f2858883a0c1c40e50b Click to Download/Listen (06:46)

Paul Davilman from RSA’s Compliance and Solutions team sits down with Amanda Van Veen to talk about the North American Electric Reliability Corporation (NERC) Cyber Security Standards and how these standards will impact IT security in the utility industries. Please note that due to the U.S. Labor Day holiday, we'll be back in two weeks (on September 8) with a new show.


]]> Sun, 24 Aug 2008 20:00:00 +0000 security cyber security standards standards labor day holiday solutions team sits utility industries amanda van rsas compliance paul davilman Speaking of Security Podcast #119 http://securityratty.com/article/4700871cd343af52160f1b05a1fb9f12 http://securityratty.com/article/4700871cd343af52160f1b05a1fb9f12 Click to Download/Listen (10:36)

A couple of weeks ago, Paul Joyal interviewed RSA’s Phil Marshall about Knowledge-based Authentication, or KBA. This week, we present a conversation on the same topic that Phil had with Tom Wills, Senior Analyst for Risk, Security & Fraud with Javelin Strategy and Research.


]]> Sun, 27 Jul 2008 20:00:00 +0000 phil rsas phil marshall senior analyst javelin strategy weeks ago tom wills paul joyal security research Speaking of Security Podcast #115 http://securityratty.com/article/7a312964a6676480c53cfb8c2143226f http://securityratty.com/article/7a312964a6676480c53cfb8c2143226f

Everybody who keeps an eye on the Information Leak Prevention (a.k.a. Data Loss Prevention a.k.a. Outbound Content Compliance a.k.a. Extrusion Prevention a.k.a. …you get the picture) space saw this acquisition coming for what seemed liked an eternity. Since last year, Forrester has been forecasting consolidation frenzy and McAfee (Onigma and SafeBoot), Websense (PortAuthority), RSA/EMC (Tablus), Trend Micro (Provilla), Raytheon (Oakley Networks), and others have delivered. Additionally, IBM/ISS recently announced strong partnership moves <http://www-03.ibm.com/press/us/en/pressrelease/22534.wss> and Cisco is weighing its options. Well, now this deal is out in the open – and this is good news. It is good news for at least 3 reasons:

(1) ILP awareness. It further propels insider threat problems (and the ILP market) into the consciousness of Security and Risk Management professionals. Customers simply cant afford to neglect the challenge of preventing data loss any longer – the IP stakes are getting higher, USB sticks, etc. make loss or theft easier, and regulators are turning up the heat.

(2) Competition and clarity. It will increase competition and will help to clarify the question of “What is ILP and what should it do?” This means that vendors offering “some ILP functionality” will either fall by the wayside or invest/acquire for full blown ILP functionality. The same applies to vendors not being able to capture ILP mind share and – more importantly – generate customer traction.

(3) Integration. When a potent security front runner marries an ILP leader with solid customer traction – customers must and can expect strong, integrated solutions that address their problems.

However, this is also where I see the main challenge for Symantec/Vontu – and for that matter for anybody acquiring or thinking about a more pronounced strategy for data-centric risk based security – SPEED. ILP is hot because customers need to address their insider challenges (or else gamble with their data security) – and they impatiently expect solutions that are accurate, easy to use, and integrated. So integrating ILP – and doing it fast – is what Symantec needs to do to capture the short term opportunities this acquisition holds. Long term, however, they need to at least match EMC/RSA’s security and information management strategy that goes beyond the threat side of the house. Plenty to do for Symantec – but I am confident they can lift this one.

PS: For more information on how Symantec/Vontu and other ILP vendors compare please tune into our ILP Wave Update which will become available in mid-Q1 2008.

Thomas Raschke

Created by the major payment card brands, the Payment Card Industry Data Security Standard (PCI DSS) is global in scope, and designed to ensure the security of consumer credit card data throughout the information lifecycle. Recently, an RSA survey asked businesses for opinions on issues related to PCI DSS including rates of compliance, perceptions of the standard, and motivations and challenges in meeting the PCI DSS requirements and we discuss the findings with RSA’s Dave Howell, PCI Solutions Marketing Manager, in this week’s podcast.