Connecting the Dots
The New York Times ran an interesting story on January 5 about a House Republican inviting input from business on which regulations were impeding economic recovery. I am sure the House will get at least a few comments on this topic. Since I had just finished reading Professor Tim Wu's new book, The Master Switch, I had the distinct feeling I had seen this process before.
All security professionals operate in a highly regulated environment and more information security regulations can be expected in 2011. The Internet is a commons and needs regulation, but it is not clear if this should be government regulation, private industry self-regulation or a combination of both. Government regulation recently has seemed inept and unable to prevent either disastrous financial meltdowns or near disastrous oil spills.
Professor Wu's interesting book documents the interplay of industry and government control in the telecom and media business over the past 100 years. One theme of this book is the attempt by industry to control the regulatory process for the benefit of specific industry players. It is not a pretty picture nor an optimistic picture. The author does offer the idea that all of us need to be involved in the regulatory process at some level. Ultimately regulations or lack of regulations are just a reflection of the political trends of the times. Security professionals need to be heard in this process just as much as industry lobbyists. Professional group activities are one way to participate.
You might think there is no way you can have any influence. However, a friend recently forwarded me a success story about government regulation. This is the story, by another professor, Herbert Needleman, of the successful regulation and control of lead in the environment. While this took 30 years, the level of lead in the air decreased by 30X from the days of lead containing gasoline. Most interesting is the description of lead industry research purporting to show that rats with lead containing diets were healthier than rats with no lead!! The other interesting point in the lead story is the almost heroic work of a few people, who ultimately were proved right. One individual can make a big difference even in Washington.
It is easy to forget the information security risks associated with physical security. Sophisticated hacks are more interesting than plain theft of computers or paper records. In truth, electronic thefts often are responsible for the largest numbers of breached records. However, plain old physical theft or loss shows up all the time on breach statistic web sites. For example, searching the privacyrights.org breach database for 2010 shows that 47% of the 590 reported breaches were attributed to loss or theft of electronic or paper records.
Geographic Information Systems software (GIS) is making it easier to evaluate these risks. Sites like www.crimemapping.com provide a great visual representation of local crime statistics. Depending on the type of crimes reported, you may want to provide more physical security controls around your data (and personnel for that matter).
As an example, I looked at the crime statistics over a two month period from a major US city within a one mile radius downtown. The high incidence of theft and robbery might make this not a good location for a call center. A picture definitely communicates the risks better than any formal risk assessment!
A recent article on leadership in the Financial Times caught my attention: http://tinyurl.com/ftleadership. This article, "Soapbox: the myth of leadership", debunked today's emphasis on "leadership" versus plain vanilla "management" skills. Clearly many of today's financial leaders have led their organizations into ruin. While this has not happened in the information security world, organizations looking for senior security officers advertise for leaders, not managers. One recent article on security leadership listed the following attributes for "Tomorrow's Security Leader": vision, competency, curiosity, enthusiasm, etc.; generally soft skills.
I decided to return to Peter Drucker to see what I could learn. Fortunately, there is a Revised Edition of his classic Management (2008). Here are the five activities he associates with management and how I think they apply to the security officer role:
- Sets Objectives. This is the strategic planning function, where security goals aligned with business needs are defined.
- Organizes. Security is carried out by the entire organization, not one department, so this is a significant part of the role.
- Motivates and Communicates. This is where the soft skills are used to create results.
- Measures. Business is about performance, and security needs to be run as a business process with corresponding success metrics.
- Develops People. Build the security team's technical knowledge and management skills, preferably following the changes in the business.
As Drucker's book emphasizes, leadership accomplishes nothing without effective management skills. This applies equally to information security as well as any other business process.
The recent financial meltdown has led me to give some thought to information security risk management processes. After all, these originated in the financial community in the distant past. So where does this leave today's security practitioner? Are risk management processes for IT security valid? Are we putting our businesses at higher risk for failures?
A recent article by Rene Stulz in the Harvard Business Review for March, 2009 identifies failures of financial risk management ("6 Ways Companies Mismanage Risk"). Here are his six items and how these ideas can be used to revisit risk management processes for IT security.
1. Relying on Historical Data. In the financial world, risk managers relied primarily on recent statistical data. Longer time perspectives might have given pause to risks being taken. In the IT world, the good news is that we don't have much data at all to use for statistical analysis. However, we are now at the 13th CSI Computer Crime and Security Survey; reported losses are down. Should we now relax and assume that technology has beaten the bad guys? I suggest that firms need to brainstorm on all possible security risks. Recent events would suggest that IT Risk Management needs to capture and document these low probability events, not just the "Top Ten" for which funding may be available. If funds are not available to mitigate low probability risks, at a minimum contingency plans need to be put into place.
2. Focusing on Narrow Measures. Business runs on metrics. However, metrics may not always capture the true risks. Although metrics are necessary for determining security effectiveness, it is too easy to rely on those. Are the metrics truly reflecting the external or internal risk environment? Since both of these may rapidly change with business conditions, we need the ability to implement measurement systems rapidly, with quarterly review of the applicability of the metrics.
3. Overlooking Knowable Risks. Risks can get ignored because they may be obscured in silos of the business. Although the IT Security function may report to the CIO, it is critical to make sure that all parts of the business are included in any information security risk assessment. Security risk assessments should be part of, or coordinated with, enterprise risk assessment functions.
4. Overlooking Concealed Risks. Business units may not report all information security gaps. It is the responsibility of the IT security function to set up relationships with all levels within each business unit, to make sure that risks are accurately reported.
5. Failing to Communicate. This issue concerns communication up, to the CEO, COO or security management committee. Even if accurate risk information is collected, it must be presented clearly to top management, in a way that makes sense to them. Otherwise, no action will be taken.
6. Not Managing in Real Time. Events can change faster than we can keep up. Mergers can take place; new business endeavours may start up. Risk assessments need to be revisited quarterly, and revised if necessary. A strategy of continuous improvement should be put into place, rather than a "big bang" risk assessment.
In summary, my critical takeaways from this are:
- Importance of effective communications between IT security and all levels of the business
- Importance of continuous monitoring of risk
- Importance of thinking out of the box and addressing low probability events.
Hopefully we can all learn something from today's financial crisis in order to prevent a future information security event.