If there is one thing to be said for the frequency with which government and private organisations suffer embarrassing data breaches, it is that the public might by now be suffering from outrage fatigue.
In July 2009, yet another nail was hammered into the coffin of public confidence as banking giant HSBC was fined £3.2 million by the Financial Services Authority for failing to secure its systems and to prevent the loss of sensitive customer information.
The bank’s Actuaries business unit was fined for losing an unencrypted floppy disk containing the details of almost 2,000 pension scheme members in the post in April 2007, while in February 2008 HSBC Life UK lost an unencrypted CD containing the details of 180,000 policy holders.
In addition, the financial watchdog alleged that sensitive information was left on shelves in unlocked filing cabinets, and that staff “were not sufficiently trained to recognise risks”.
Following the FSA’s ruling, HSBC’s group managing director, Clive Bannister, apologised, saying it was clear that the bank had ‘fallen short’ and that since the incidents the organisation had implemented tighter controls and better training.
“We believe our customers can have confidence that we are doing everything we can to protect their privacy,” he said.
Businesses are today operating in an environment in which a simple lost envelope can hit the front pages of the national press, cripple professional reputations and directly impact share prices. No wonder they are finding traditional approaches to managing IT security wanting; no wonder they are looking for alternatives.
And no wonder many of them are turning to a risk management approach to better balance security investment with strategic imperative.
Risk management is nothing new, of course. Indeed, it is arguably inseparable from successful business practice, from a multinational banking giant that derives profit from risking customers’ deposits to a family-owned corner store that purchases stock in the hope that customers will buy it.
In industries as diverse as insurance, defence and aeronautics, risk management is innate. Now, with an increasingly large and complex stable of threats to information security, coupled with the need to prioritise falling budgets in the recession, advanced risk management practices are being adopted by CIOs discontent with a compliance-led boxticking approach to IT security.
The rise of risk
Headline-grabbing data security lapses of the past few years have caused information risk to resonate at board level. Typically, such incidents do appear on the organisation’s overall risk agenda, usually filed under ‘operational risk’ by the corporate risk manager.
However, this approach often fails to make a distinction between, for example, an overheating storage tower in the data centre causing data loss and a lost smart phone causing reputational damage.
IT clearly needs to be involved, and it usually is. A poll of security experts at a recent conference held by professional body ISC2 found that only 15% considered information security to be an ‘IT problem’, while 72% described it as ‘risk management’.
“Information security is going through a metamorphosis,” argues John Colley, former head of risk services at Barclays and former head of information security at RBS, who is now the managing director of ISC2.
During Colley’s time at RBS, the bank began rethinking its approach to information security after realising that the binary nature of its security policies – “Either you conform with it (tick), or you don’t (cross)” – was not fit for purpose.
“We started rewriting our system on a risk basis rather than a checklist basis, because real life isn’t like that,” he says. “We realised we had to modify our policies depending on the risk appetite of whatever part of the business we were dealing with,” he explains. “We were not really throwing away the rulebook so much as saying to people, ‘write your own rules’.
“But at the same time we had to introduce a process to document the risk decisions people made,” Colley adds. “If you say to the business, ‘We think this data needs encrypting,’ and they say, ‘We looked at it and we think the cost of encrypting is more than the risk involved,’ we would reply, ‘That’s fine, in this case that’s your decision.’”
The sudden surfeit of accountability promoted by the new approach did not make Colley popular.
“The people who most disliked it were the people who worked for me,” he says. “The reason was that they had to have much better judgment as opposed to just doing binary auditing. The consultants working for me needed a really good understanding of both the business and the information security risks, because they couldn’t hide behind policy. They actually had to put a case together, saying, ‘I looked at the risk, this is the information you’re protecting, these are the threats to it, and in our opinion these are the controls you should be putting around it.’ That’s a much more skilled and knowledgeable job than just saying, ‘Policy says you have to do this.’”
Introducing shades of grey into a very black and white compliance system, particularly at a major bank expected to have absolute confidence in its security, was always going to be politically difficult, even if the end result was a more efficient security spend. By its very definition, a risk approach allows a business to consider the implications of being semi- or even non-compliant, a concept terrifying to many people faced with an audit.
“What we’ve seen is an increase in the number of laws that businesses have to comply with, and in some cases it’s not going to be possible to comply with everything,” explains Peter Robertshaw, VP of global marketing for risk management software vendor Strategic Thought. “Compliance is a cost to business that does not add value,” he says.
“It’s important but ticking the box to make sure you comply doesn’t help you win more business, win opportunities or give you an enterprisewide view of things. You could comply with everything and still go out of business; in fact, if you do comply with everything you probably will go out of business because you spent all your time on that.”
In fact, risk management is ‘an outgrowth’ of compliance, suggests Chris Fedde, chief operating officer of SafeNet, a company whose encryption technology protects 80% of banking transactions globally.
“Compliance was about trying to build a fence around what is acceptable risk, but it’s not always a black and white answer,” he says. “As soon as there’s a trade off, it’s risk management.”
That, according to Robertshaw, demands that you prioritise “and look at the implications of not being compliant to find the real show-stoppers”. The result is hopefully a leaner, more efficient security operation; highly desirable, given that 150 IT executives surveyed by RSA in July reported ‘budgetary constraints’ as the greatest security challenge of the next 12 months.
“The danger in the current climate is that everyone goes risk mad and collects everything – a list of 10,000 risks is not a good thing, it’s a bad thing,” says Robertshaw. “It’s too much to wrap your head around – rather, you need a way to make sure the top 10 are the right 10.”
The rise of risk management in information security is characteristic of the current obligation on IT professionals to focus on business benefit more keenly than ever, and it is reshaping the role of the chief security officer.
“It’s putting the empowerment where it should be: with the business,” argues Colley.
“Our profession has always taken a very moralistic stand: ‘We know what’s best for the organisation, we’ll set the rules and make sure everyone complies, and we’ll score you against our standards.’
[With a risk approach], the role of the IT security professional is one of mentor and advocate.”
As chief information security officer of insurance market Lloyd’s of London, a business that fills its coffers by directly exploiting risk, Marcus Alldrick is arguably at the forefront of this shift. Describing himself as “more of a risk person”, he says that a risk management approach “gives you a far better conceptual view of where your risks are and helps the business to understand how much [security] plays a part in its operations”.
As a result, IT security is integrated into the overall risk management model at Lloyd’s and the IT department itself is treated as a custodian. “Ultimately, ownership of the data lies with the business,” Alldrick explains. “IT stores it, processes it and delivers it, but the information definitely belongs to the business and the business makes the decisions on risk management. We’re there to facilitate them and make sure that risk management is [conducted] in a cost-effective manner according to regulatory requirements.”
For instance, Lloyd’s considers addressing vulnerabilities a priority, as they are “with us here and now”. Meanwhile, the organisation is keeping a ‘watching brief’ on emerging mobile threats as they “are not impacting us at the moment but there is potential for it”.
“If you’ve got too little control you are more exposed than you want to be, while if you have too much control you’re paying through the nose because security doesn’t come cheap,” says Alldrick. “It’s all about achieving that balance, and providing assurance to senior management that that balance is in place.”
As the experience at Lloyd’s demonstrates, a risk management approach can help to develop a common language between business and IT around security. Where technology comes in is in allowing risk assessments to be shared and communicated without crumbling under the weight of their own complexity.
The most common approach to handling risk data is the Excel spreadsheet, often used across a department to collect risk scores, which are in turn distilled into a PowerPoint presentation for senior management.
The frailties of this method were highlighted during the recent project between the US and UK governments to develop the Joint Strike Fighter (JSF), says Robertshaw.
“The problem they found is that engineers love spreadsheets, and they kept trying to measure more things and add more and more columns,” he explains. “Ultimately, thousands of spreadsheets run by hundreds of people had to be condensed into one or two PowerPoint slides for the board, and there were people who spent several days a month analysing spreadsheets and putting them into PowerPoints.”
The JSF solved this problem by using Strategic Thought’s Active Risk Manager (ARM) product to distil the data and report it more efficiently while automatically escalating more significant risks.
In the case of the JSF, many of these involved the project’s hugely complicated supply chain: “There’s a lot of security and US rules about what different parties can see, and the risk has to be managed,” Robertshaw notes.
Risk management software such as ARM captures risks scores and then cycles them around the organisation for appraisal. “This is important because risks move out of departments and get scored and rescored as they move up through the organisation,” Robertshaw explains. “What might seem like a really important risk at a low level might be reduced because the corporate focus is different, or something rated relatively low, like an IT security issue or a staffing issue, at an enterprise level might be flagged as an emerging risk.”
Similarly, risk management software produced by Citicus uses a ‘harm reference table’ to define the risk of a certain system going down in relation to a predefined set of risks, explains the company’s managing director, Simon Oxley.
This avoids the problem whereby “everyone thinks their system is critical”, Oxley says, describing one global organisation that was told by a regional division that it had 1,000 critical systems.
On deployment of the reference table test they found the division had just 50 genuinely critical systems. Once they have been identified, says Oxley, risks can be analysed and mitigated with far more efficiency.
“Some might risk a loss of revenue, others might risk loss of reputation, for example,” he says. “One of our clients told us that they could use the harm reference table to measure the impact of anything, from Hurricane Katrina to the theft of a laptop.”
That’s the ultimate goal – the alignment of IT risks such as security alongside more mature risk methodologies like financial, project and environmental risk. This is a situation handy both for knocking down insurance premiums (Oxley reports customers getting 6% to 8% reductions in premiums after proving their understanding of risk to their insurer), and for giving the business greater insight into IT’s contribution and potential.
“Information security professionals are waking up to fact that they can’t be techies all the time,” says Colley. “They have to talk to the business in business terms, and it’s much easier for business people to understand when you’re talking their language. Rather than telling them that they need a firewall, antivirus or their data encrypted, tell them the impact if something goes wrong.”