Over the last 15 years I have worked in security and been fortunate to be able to learn from and collaborate with many security professionals. One thing we all agree on is the broad and ever-changing threat landscape we constantly contend with, and the security-related risks such threats bring with them. However, one aspect that divides the community is how security risk should be viewed through a business lens.
When I started out in security, I remember meticulously identifying security controls, testing their effectiveness and recommending additional controls where gaps appeared to exist. I remember battling with teams to prioritise making modifications to improve controls that would reduce the likelihood of a security risk eventuating. I would constantly be frustrated that security was, or appeared to be, treated as a lower priority. I mean security is the most important thing…isn’t it?
Today, with a better understanding of risk and its place within an organisation, I have come to appreciate that for some businesses, the loss of availability of their systems and applications, or access to data by an unauthorised entity, may not have the devastating impact I once thought. The realisation I have reached is that no type of risk is inherently more important than any other. Instead, it is the level of the risk, and its relative impact on the business, that is key.
Having come to this realisation, it became clear to me that as security professionals our foremost obligation is to unemotionally present risk in business terms, and to consider controls and control strengths in that context.
What I have learned
- Security risk is just another business risk with business consequences
- The size/impact of a risk is evaluated in the context of overall business strategy and objectives (think risk tolerance and risk appetite)
- I know security and the business leaders know the business
To do this successfully, it is critical that security professionals make a concerted effort to understand the business context, the overall nature and strategy of the business, and how security ties into that. Only armed with this knowledge does it become possible to see that the remediation of a critical vulnerability may not be the top priority. For example, the vulnerability may not represent a high risk in that environment, or the cost to remediate it may outweigh the expected cost of its impact. Although this may be difficult to accept, ultimately this is what we must understand as security professionals when fulfilling our obligation to inform the business appropriately.
A good example of the role of context is a vulnerability such as POODLE (or one with an even higher severity rating), which lets an attacker positioned as a man in the middle (MITM) decrypt traffic protected by SSL 3.0. At Cubic Transportation Systems we manage systems holding volumes of sensitive data (personal information, credit card data), as well as systems serving publicly available data (bus routes and schedules). The context-based risk, and thus the priority of remediation, differs according to the impact of an attacker reading the respective data through such an attack: disclosure of card data is severe, while disclosure of a published timetable is, at least as far as confidentiality is concerned, negligible.
In the end it is about driving successful outcomes for the business, and as security professionals our obligation is to be enablers of this success. Naturally we must help the business understand when to exercise caution and, equally, when there is less need to. Ultimately risk management is a partnership: the business understands the consequences of a risk, and the security professional understands the likelihood, determined by the threat, the controls in place and their strength. Achieving this balance will result in better outcomes for the business and a lot less frustration!