SAGINAW – They still don't get it. Sure, SOX has led to profound changes. Most boards have mandated risk management as an integral part of their corporate governance process. Yet, when we work with the IT security staffs in both the public and private sector, in both large and small enterprises, we continue to hear the same old stalling complaint: "They don't get it."

Four years ago, while lecturing in Houston on the need for a more comprehensive approach to information assurance, a survey of the audience found that most of the guests felt their companies could not move forward because they lacked the budgets needed. Further, since those budgets were the result of management's own analysis of the situation, the implication was that those controlling the purse strings were not making sound business decisions.

Well, in the spirit of Houston, we inaugurated a program we called NO C LEFT BEHIND. If the "C"-level executives were not learning, we thought we should hold their educational system accountable. We're talking about understanding cyber security here, so this is where you come in. You, the security professionals in the enterprise, ARE the teachers. YOU have accountability to see that management does learn and does understand.

Our ongoing work with both vendors and practicing professionals in information assurance continues to suggest that management does increase spending on information assurance and cyber security after a major exploit occurs. When bad things make the headlines, people react. This suggests that, given the right information about the seriousness of a threat, management takes action. It also implies that it is the actual occurrence of the event that triggers awareness. Where was everybody before the event?

In 2001, Scientific American wrote about the devastating effects of a hurricane hitting New Orleans, and the 9/11 Commission Report did a reasonable job cataloging all we knew about the terrorist threat complete with considerations for use of airplanes. Certainly there were enough journalists and analysts suggesting things smelled in corporate reporting before the Enron debacle. Yet we stood on the sidelines, failed to allocate appropriate funding, and calamities struck.

One might ask why our decisions were so misguided. As an economist, I'd prefer to take a more positive analysis and assume that managers and decision makers made the optimal choices based on the information they possessed. Please note that the optimization is based on the choices available. What choices were available to government agencies, to regulators, to investors or to corporate boards? What are the choices today with respect to global warming or a potential flu pandemic? These are all real threats and are all integral aspects of any organization's risk management. In most enterprises they are all part of the new culture of risk management.

If in this new culture, executive management is seriously under-investing in cyber-security, the choice sets they confront must not be the same as what we, as security professionals, are considering.

Risk assessment is simply the comparison of the costs of safeguards with the loss that would occur without such defensive measures. The loss is an expected loss: a possibility we judge as a probability or likelihood. What are the chances this bad thing will happen, and if it does, how much damage will occur? I can tell you the probability of an earthquake hitting San Francisco, and it's actually quite high, but risk management requires comparing this risk with the options you have. What can you do about it? Unless you have better connections than I do, it's not likely that you can change the probability, so on that side our hands are tied. We can, however, reduce our exposure. We can move our data centers out of the region. We can better engineer our structures to withstand an earthquake when it does occur. The point is, the decisions are based on our choices.

While most security professionals approach senior management with the need to increase their awareness of the likelihood function, my argument is that executives need a better understanding of the mitigation options. What we can do about botnets is different from simply being told they're getting bigger and bigger and bigger. Why they are a threat and what their potential impact is helps us estimate the expected loss, but risk management requires that we compare this loss with the cost of mitigation.
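The comparison the last two paragraphs describe, worked through as an added Python example (it is not code from the original column). Every figure in it, the annual probabilities, the $10M impact, the safeguard costs and the reduction factors, is assumed for illustration, and the option names are hypothetical:

```python
"""Risk decision as a comparison of choice sets, not just of likelihoods.

Added example, not code from the original column. All figures below
(probabilities, impact, safeguard costs, reduction factors) are assumed
for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Option:
    """One mitigation choice available to management."""
    name: str
    annual_cost: float         # safeguard cost, including operational disruption
    probability_factor: float  # scales the chance the event occurs (1.0 = unchanged)
    impact_factor: float       # scales the loss if it does occur (1.0 = unchanged)


DO_NOTHING = Option("do nothing", 0.0, 1.0, 1.0)


def expected_loss(probability: float, impact: float) -> float:
    """Expected (annualised) loss: likelihood times damage."""
    return probability * impact


def total_cost(option: Option, probability: float, impact: float) -> float:
    """What an option really costs: its price plus the loss it fails to prevent."""
    residual = expected_loss(probability * option.probability_factor,
                             impact * option.impact_factor)
    return option.annual_cost + residual


def breakeven_probability(option: Option, impact: float) -> float:
    """Event probability above which the option beats doing nothing.

    Solving cost + p*f_p*f_i*I <= p*I for p gives p >= cost / (I * (1 - f_p*f_i)).
    Returns inf when the option reduces neither likelihood nor impact.
    """
    reduction = 1.0 - option.probability_factor * option.impact_factor
    if reduction <= 0.0:
        return float("inf")
    return option.annual_cost / (impact * reduction)


def decide(options: list[Option], probability: float, impact: float) -> tuple[str, dict[str, float]]:
    """Return the cheapest option and the full cost table management should be shown."""
    table = {o.name: total_cost(o, probability, impact) for o in [DO_NOTHING, *options]}
    best = min(table, key=table.get)
    return best, table


# Constructed scenario (assumed figures): a data centre that loses $10M if an
# earthquake strikes. Nobody can change the probability, so every option works
# on exposure (the impact factor), as the column argues.
IMPACT = 10_000_000.0
OPTIONS = [
    Option("seismic retrofit", annual_cost=150_000.0, probability_factor=1.0, impact_factor=0.5),
    Option("relocate data centre", annual_cost=300_000.0, probability_factor=1.0, impact_factor=0.1),
]

if __name__ == "__main__":
    for p in (0.02, 0.05):
        best, table = decide(OPTIONS, p, IMPACT)
        print(f"annual probability {p:.0%}: best = {best}")
        for name, cost in table.items():
            print(f"  {name:<22} ${cost:>12,.0f}")
    for o in OPTIONS:
        print(f"{o.name}: pays for itself above p = {breakeven_probability(o, IMPACT):.3f}")
```

With the 2% estimate, "do nothing" is the cheapest choice ($200k expected loss against $250k and $320k all-in for the two safeguards); with a 5% estimate, relocation wins. The executive who declines the proposal at 2% is not failing to "get it": the disagreement is about the inputs, which is why the cost table and the breakeven probability belong in the proposal, not just the threat briefing.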

Too often, vendors and their IT clients try to sell management on the gravity of the situation without making a clear linkage to the solution sets. The choices are to spend money and to disrupt operations with a defensive solution. These are real costs, and they must have real, direct benefits. If executives are not signing off on such proposals, there are three possible situations.

*First, they don't believe the expected loss or impact. This might be due to a difference in their estimate of the event occurring, or they might think the impact of such an event would not be as serious as the IT team believes.

*Second, they might have a different estimate of the costs. Usually, IT security professionals grossly underestimate the cost of their defenses to operational efficiency, and the faulty judgment is then the security team's, not senior management's.

*Finally, and all too often, the issue is that the decision is not being heard by those with clear accountability for risk management. Too often the decision remains constrained by a predetermined operating budget.

Each of these three possible "failures to communicate" (think Paul Newman here) requires specific actions that address the failure in our educational system and in our curriculum for teaching upstream, that is, for teaching our executives.

A Curriculum for Management on Information Assurance and Cyber Security

We are developing a security awareness training program, but unlike those currently on the market, our goal is not to teach general awareness of the users, but rather to teach executive awareness and understanding.

The first course, "The Hood" as we call it, addresses the environment where your enterprise operates. We try to draw a physical analogy to make the point. Would you place your offices in a neighborhood where 85% of the traffic is malicious, where pornography and extortion gangs are rampant, where anybody with a little cash is an easy target for scams, pick-pockets or muggings? In this neighborhood, if you leave something in the window overnight, you can be certain it will be gone by dawn. Well, welcome to the net, the hood where you've now placed your corporate offices. Forget about the green manicured lawns, the ponds and the geese around the enterprise HQ. That's the physical world.

The second course, "Incoming", is our course on proper Incident Response and Event Reporting. Central to this discussion is an understanding of how little of the meaningful data we're collecting is properly assembled and reported to those with executive risk management responsibilities. If somebody came to your front door and checked it to see if it was locked, and then recorded this finding or actually entered to explore further, we would call the police. We would classify it as a security incident. If the same happens on the net, it becomes just another entry in an event log. If somebody sent a bomb in a letter to you, it would be reported. But the hundreds of thousands of viruses, phishing attacks and simple spam we filter are only seen as events. We argue that these are security issues that go beyond events. Some standards require economic damage before something counts as an incident, but that's not the point. Every senior manager should have a monthly summary of the serious viruses you've successfully blocked, the share of malicious mail you've stopped and a list of the critical security breaches which occurred. It's these kinds of summary reports that are vital to help others un