The Security in Risk and the Insecurity in Security: What’s a CISO To Do?
by Chris Sullivan
Almost every company today is laboring under the material misconception that the role of “Information Security” is actually to secure the enterprise when, in fact, security (to free from danger or risk of loss) is an undesirable business goal.
This is why there is so much friction between business managers, who take risks to maximize shareholder value, and CISOs (that’s Chief Information Security Officers) with their security directors, security analysts and security administrators trying to eliminate risk altogether.
As it happens, the smart CISOs (and almost every CISO I know is smart) have figured out that they can’t actually secure anything in today’s mobile, always-on and increasingly cloud-based environment. They can’t secure the flow of information without completely stopping it – which is obviously untenable. They have been set up to fail.
So what’s a CISO to do? The first thing that’s needed is a different approach – the goal is not to lock down the business, but to let it run as freely as possible without failing. The goal is not to eliminate incidents, but rather reduce them to an acceptable level and balance that precisely with the opportunity cost of doing so.
The traditional notion of security doesn’t fit into this model. The open enterprise can’t develop if information doesn’t flow freely between companies and stakeholders, so security can’t be defined as keeping data under lock and key. Even if you could lock everything, that would not protect against the people who are already inside, where most data theft and misuse originates.
Information risk management is not the practice of reviewing access levels every six to 18 months to meet some regulatory requirement. It is the real-time practice of identifying threats to critical information assets, prioritizing them according to severity, and then remediating them appropriately. This model acknowledges that data must flow freely for business to happen at an ever-faster pace and at a reasonable cost. There is still security work to be done in an information risk management model, but that work is orchestrated through risk-enabled management processes, so that it’s focused and effective rather than reactive.
Building data relationships
All of the information that’s required already exists. IT already has account information and entitlements, HR information, sensitive-data classifications (from Data Loss Prevention, or DLP, tools) and activity records (from Security Information and Event Management, or SIEM, systems). What’s required to fill the remaining gap is the ability to collect, organize and synthesize this information into a form that is useful as a decision support system focused on managing risk.
First, you must collect the information – this turns out to be a fair bit of data, but it’s simple to handle.
Second, you must apply a disciplined and repeatable approach to thinking about this information and the way it interrelates. This is something that organizations already know how to do – for example, you know that an account is risky if it has a high level of access to assets with sensitive information. A person is more risky if he or she has a lot of high risk accounts and an application is more risky if it contains critical information and many people have a high level of access. Companies already know how to do this, they just need to capture that domain expertise and apply it to a large set of data every minute of every day. This requires automation.
The foundation for this is a central store for access information. Access risk data comes from hundreds of applications, thousands of people and tens of thousands of accounts and associated entitlements, all of which are changing all of the time. That is a lot of information to collect in one place, and traditional relational databases and report writers are not up to that job when risk managers need answers in seconds rather than months.
This big data will require not just a warehouse but a real cube that’s optimized for answering questions that no one had predicted would be asked.
Finally, you will need a rich way to interact with all of that new information so that you can make intelligent decisions quickly.
Taken together, these pieces let your staff interact with data that has been synthesized into information and knowledge using your own domain expertise – that’s identity intelligence.
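The scoring rules sketched above (an account is risky when it has high access to sensitive assets, a person is riskier the more high-risk accounts they hold, an application is riskier when it holds critical data and many people have high access) can be turned into a small decision-support routine. The following is an added example written for this article, not Courion's product or code; the data, weights and thresholds are constructed placeholders.

```python
"""Toy identity-risk scoring over constructed access data (added example)."""

# Constructed sample data, not taken from any real system.
# application -> sensitivity of the data it holds (1 = public .. 5 = critical)
APPS = {"payroll": 5, "crm": 3, "wiki": 1}
# account -> (owner, application, access level: 1 = read .. 3 = admin)
ACCOUNTS = {
    "alice_payroll_adm": ("alice", "payroll", 3),
    "alice_crm": ("alice", "crm", 2),
    "bob_payroll": ("bob", "payroll", 1),
    "bob_wiki_adm": ("bob", "wiki", 3),
    "carol_crm_adm": ("carol", "crm", 3),
    "dave_payroll_adm": ("dave", "payroll", 3),
}
HIGH_ACCESS = 3  # admin-level entitlement (assumed threshold)
HIGH_RISK = 9    # account score at or above this counts as "high risk" (assumed)


def account_risk(access_level, sensitivity):
    """An account is risky when it has a high level of access to sensitive assets."""
    return access_level * sensitivity


def person_risk(person):
    """A person is riskier the more high-risk accounts he or she holds."""
    scores = [account_risk(lvl, APPS[app])
              for owner, app, lvl in ACCOUNTS.values() if owner == person]
    high = [s for s in scores if s >= HIGH_RISK]
    return {"accounts": len(scores), "high_risk_accounts": len(high), "score": sum(high)}


def application_risk(app):
    """An application is riskier when it holds critical data and many people have high access."""
    admins = {owner for owner, a, lvl in ACCOUNTS.values()
              if a == app and lvl >= HIGH_ACCESS}
    return {"sensitivity": APPS[app], "high_access_people": len(admins),
            "score": APPS[app] * len(admins)}


def prioritize_people():
    """Remediation queue: people ordered by risk score, highest first (name breaks ties)."""
    people = {owner for owner, _, _ in ACCOUNTS.values()}
    return sorted(((p, person_risk(p)["score"]) for p in people), key=lambda t: (-t[1], t[0]))


def prioritize_apps():
    """Applications ordered by risk score, highest first."""
    return sorted(((a, application_risk(a)["score"]) for a in APPS), key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    print("people:", prioritize_people())
    print("apps:  ", prioritize_apps())
```

Running it against the constructed data ranks the two payroll administrators and the payroll application at the top of their queues, which is the kind of prioritized view the article argues a risk manager needs in seconds rather than months.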
The process is somewhat akin to mining for gold. It’s not easy but can be made efficient with automation and extracting that one ounce of shiny metal from a ton of ore can be very rewarding.
It’s hard, but not really hard…and it’s vital to your survival
Banks recognized decades ago that they are no longer custodians of coins in a vault; they are custodians of information, and the risks associated with that mean everything to their business. Retail brands no longer manufacture, distribute or sell their products; they just manage information about their customers, products, supply chains, and brands. Even contract manufacturers know that if they compromise their customers’ intellectual property, they may experience an extinction event.
This is not easy, but it is doable and absolutely necessary. The good news is that the approach described here has been proven time and time again. Take a bunch of information that is already lying around by dint of just doing business, organize it, use domain expertise to synthesize it and create new information – and make access to the large cache of knowledge readily available through a rich visual interface. This is business intelligence, and it’s been done before in the financial industry, in the baseball industry with Sabermetrics (read Moneyball), in the healthcare industry with Healthcare Informatics, and in the energy industry with Energy Informatics. And it is happening right now in the not-so-aptly-named Information Security Industry.
Chris Sullivan is vice president of product planning at Courion Corporation (Westborough, MA).