October 2nd, 2011
How should we practice information security risk management? Numerous methods, models and approaches abound, one of the foremost of which is the information security governance approach. This approach in essence says that to have a successful information security risk management effort, an information security manager must plan, strategize, organize, and establish and maintain relationships not only with executive-level management, but also with other closely-related functions such as audit and physical security as well as with key stakeholders.
One of the aspects about the information security governance approach that impresses me most is that it is so systematic. If an information security governance effort is planned and implemented correctly, there is a high likelihood that many details that might otherwise “fall through the cracks” will be covered. Most importantly, however, information security will be aligned with business and operational drivers.
As appealing as it is, the information security governance approach has its fair share of critics. Some claim that although this approach will produce some benefits, trying to implement information security governance in an organization that lacks enterprise governance is futile. Others point out that engaging in all the activities involved in designing and implementing information security governance is excessively costly and time-consuming. Some question the value of a top-down approach. One of the primary slogans of those who advocate a top-down approach is “tone at the top.” Accordingly, information security governance efforts are likely to be only as successful as the level of support from executive-level management, which is typically not predisposed to support information security governance efforts. Furthermore, critics point out that information security practices based on the information security governance approach move forward slowly, too slowly for today’s danger-filled world.
The last criticism of the information security governance approach is particularly salient today, when massive security breaches occur so quickly and regularly. Critics are quick to point out that adversaries are very quick and adept at designing new attacks and then carrying them out in a manner that altogether escapes the attention of, or at best surprises, the information security community. According to this line of reasoning, the information security governance approach is too top-heavy and too slow to allow practitioners to keep up with the fast and furious rate of change in an arena characterized by constantly emerging threats, vulnerabilities and risks.
I would not like to be on record as siding with the critics of the information security governance approach, yet at the same time I feel that they are making a very valid point. Agility and resilience are terms that are missing from the information security governance approach. This approach advocates starting with an information security strategy, then developing one or more action plan(s), then creating an information security policy and standards. A risk analysis based on asset valuation, vulnerability analysis, and threat analysis must be performed, followed by controls evaluation, selection, implementation and testing. This is all fine and dandy, but performing all the activities that are part of this approach requires a cyclic process, and the cycles in question are not short. For example, most organizations do not perform a risk analysis more often than once a year. Yet threats, vulnerabilities and risks keep changing. So what we need is more agility. We need to adopt a strategic approach such as the information security governance approach, yet allow for frequent “interrupts” that temporarily take the “big wheel in motion” offline to address suddenly emerging threats, vulnerabilities and risks. In effect, information security practices need to more closely emulate incident response efforts, which can quickly and efficiently detect, triage and mitigate security breaches. Being systematic must not squelch agility.
–Gene Schultz, Ph.D., CISSP, CISM, GSLC
– – – – – – – – – – – – – – – – –
Dr. Eugene Schultz is the CTO at Emagined Security, an information security consulting practice based in San Carlos, California. He is the author/co-author of five books, and has also written over 120 published papers. Gene has been the editor-in-chief of two journals and is currently on the editorial board of three journals. He is also a SANS instructor, member of the SANS NewsBites editorial board, co-author of the 2005 and 2006 CISM preparation materials, and is on the technical advisory board of three companies. Gene has previously managed an information security practice as well as a national incident response team. He has also been professor of computer science at several universities and is retired from the University of California. He has received the NASA Technical Excellence Award, the Department of Energy Excellence Award, the ISACA John Kuyers Best Speaker/Best Conference Contributor Award, the Vanguard Conference Top Gun Award (for best presenter) twice, the Vanguard Chairman’s Award, and the National Information Systems Security Conference Best Paper Award. A Distinguished Fellow of the Information Systems Security Association (ISSA), Gene has also been named to the ISSA Hall of Fame and has received ISSA’s Professional Achievement and Honor Roll Awards. He is currently a member of the accreditation board of the Institute of Information Security Professionals (IISP). Dr. Schultz has provided expert testimony before committees within the U.S. Senate and House of Representatives on various security-related issues, and has served as an expert witness in legal cases.