September 15, 2016
IT organizations are moving toward a risk-management approach to information security. But what does that mean, and how can infosec professionals actually implement such an approach? What does it mean to take a “risk-based” approach to security budgeting? Nemertes outlines our Business Risk Portfolio (BRP) approach to security and provides a succinct blueprint for implementing it.
The Issue: Information Security is Dead. Long Live Risk Management!
It’s no secret that cybersecurity has become a board-level concern. Now that CEOs are getting fired because of security breaches, security is front and center in the minds of most corporate board members. And none too soon—attacks are now more widespread, with greater impact, than ever before.
Most important, both technology and business leaders are experiencing a sea change in their perspectives on information security. In past years, both security professionals and business leaders viewed it as primarily a technical discipline, a bit like plumbing: With the right skills and tools, leaks and breaches were entirely preventable.
But as recent high-profile breaches have demonstrated, even world-class tools and talent can’t protect any organization 100%. And in that scenario, the emphasis should be on risk reduction, rather than chasing the impossible goal of 100% protection.
In other words, the discipline of information security is more like protection from hurricanes than it is like plumbing. The architecture and foundation should be “built to code,” but that won’t stop the hurricane from hitting. Instead, a combination of solid architecture, appropriate processes, and the use of the right technology will enable the enterprise to rebound from the inevitable without unsupportable losses.
A recent set of recommendations by industry bodies, including the National Institute of Standards and Technology (NIST), reinforces this shift in perspective by recommending a risk-management approach to cybersecurity: http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
And there’s early indication that information security professionals are taking this seriously: Most participants (65%) in Nemertes’ 2014-2015 benchmark on information security report their organizations have a risk-management organization that’s external to the security team, and 100% of participants say funding for risk management is increasing.
What does it mean to take a “risk management” approach to information security?
The first place to start is with the definition: Risk management is a systematic process for identifying, evaluating, and addressing potential events that could affect the achievement of business objectives, positively or negatively. It’s important to be equally clear about the terms contained in that definition, specifically:
- Systematic process
- Identifying, evaluating, and addressing
- Affect the achievement of business objectives, positively or negatively.
It’s worth making the effort to drill down one level further into these definitions. In order:
Systematic Process
The key point here is that an effective risk management-based process requires a methodical, systematic approach. Assessing risk, particularly in the area of information security, isn’t a “once-and-done” proposition. It’s an ongoing process that consistently sorts through events as they emerge.
Identifying, Evaluating, and Addressing
It may seem obvious, but it’s not enough to identify risks. IT and business leaders also must assess risks according to severity, and remediate them as appropriate. Exactly who should do the assessing and remediation is often a tricky question. In general, for information security, identification belongs to infosec professionals, assessment is a joint initiative between infosec and business stakeholders, and remediation depends entirely on the strategy (for example, moving sensitive data to a geography where it’s more protected might be a decision outside the scope of information security).
One example of a systematic process for identifying, evaluating, and addressing risks is the NIST Cybersecurity Framework, released in February 2014, which organizes cybersecurity activities into five core functions: Identify, Protect, Detect, Respond, and Recover. (Please see Figure 1). The NIST Cybersecurity Framework thus represents one approach to this component of the process.
Additionally, the NIST Cybersecurity Framework characterizes an organization’s maturity in cybersecurity risk management in terms of implementation tiers, from Tier 1 (Partial), where risk management processes for these core functions are ad hoc and reactive, to Tier 4 (Adaptive), where the processes are continuously adjusted in light of lessons learned and changing threats. (These characterizations are detailed in the full NIST Cybersecurity Framework document).
Affect the Achievement of Business Objectives, Positively or Negatively
An event qualifies as a “risk” if it affects the achievement of a business objective. For example, a disaster that takes down a data center may make it impossible to serve customers. Or a change in regulation may make a particular product line unprofitable.
That’s fairly self-evident. What’s not necessarily so obvious is that the impact can be either positive or negative. That seems counterintuitive: How can a “risk” affect a business objective positively?
To understand how, it helps to view all of business as a series of calculated risks. A startup risks the capital supplied by its investors. Developing a new product line, or advancing into a new geography, runs the risk of failure. And so on. The challenge for infosec professionals is to understand and clearly identify “risks” that are worth taking from a business standpoint.
For example, 71% of organizations benchmarked in Nemertes’ 2014-2015 Enterprise Security Benchmark indicated that security concerns slowed or stalled the deployment of new technology. Half of these organizations indicated the delay was longer than six weeks, and for a third of them, it was “indefinite.” The technologies most likely subject to delay were, unsurprisingly, cloud, mobility, and unified communications and collaboration.
Here’s the problem with that: If one company decides that, for instance, a mobile app poses too great a security risk, its competitor may opt to roll out the app and thereby gain a market advantage. The “positive impact” of taking that risk, in other words, becomes a market advantage.
The key point is that infosec risks can have positive impacts, and part of any effective risk management strategy is taking these risks intelligently.
The Business Risk Portfolio Approach
Effective risk management therefore boils down to identifying and understanding the risks and making an informed decision about how to respond to them. The best way to do that, in turn, is to balance the risks posed by information security against other risks the organization faces. In essence, this means maintaining a “balanced portfolio” of risks in which the benefits of assuming risk are balanced against the costs of remediating them. Nemertes terms this a “Business Risk Portfolio” (BRP) approach to risk management. (Please see Figure 2).
There are two key points that make a BRP approach different from the traditional cybersecurity approach. First, it no longer allows for the possibility of eliminating all cybersecurity risk. As noted, in previous years information security professionals took a “leaky plumbing” approach, viewing information security as a technical discipline that, if conducted correctly, could eliminate risk entirely. We now know that this is impossible. Although great technology, people, and processes can reduce risks to acceptable levels, the expectation that risk can be entirely eradicated is itself flawed.
More importantly, a BRP approach views cybersecurity risk in the broader context of overall business risk. That is, the risk of not doing something for security reasons may be greater, in terms of business impact, than of simply doing it and assuming the risk. For instance, it is possible to reduce cybersecurity risk to zero—by eliminating the use of all digital technology. (It’s impossible to hack an abacus.) But such a “solution” is obviously unacceptable from a business perspective.
It’s not about eliminating all risk, in other words. It’s about taking risks that can be known, quantified, and addressed appropriately from a business standpoint.
As seen in Figure 2, a list of business risks might include risks that are economic, reputational, political, environmental, personnel-related, having to do with process/operations, etc. Note there’s no specific category for “cybersecurity” risks, because cybersecurity potentially affects all the other categories. For example, the economic impact of a hack might be a reduced ability to acquire capital, and so on.
The key point here is that business people tend to assess risks not by their technical characteristics (“a botnet army launched an assault against our Web servers…”) but by the business impact they create (“…thus rendering us incapable of conducting business in Europe.”) This means that computing the severity of a risk means comparing business outcomes: Is it worse to reduce operating capital by 10% to fund the expensive cybersecurity initiative, or to be unable to conduct business in Europe for 24 hours?
Taking this perspective has a profound impact on everything from organization and operations to budgeting and funding.
Building a Business Risk Portfolio
To put these concepts into place, infosec and risk management professionals should take a common approach that starts with identifying and documenting business objectives, identifying and locating risks that could prevent the attainment of those objectives, classifying and mapping the risks, and developing and agreeing upon a risk-mitigation strategy. The process should also include an iterative review of the portfolio, with revisions on an ongoing basis, as needed. (Please see Figure 3).
Document Business Objectives
The term “business objectives” refers to the high-level business strategy and supporting tactics of the business overall. Often, these can be couched in the form of a statement “Do X by doing Y.”
For example: “Consistently deliver innovative, category-defining products by investing intelligently in R&D and minimizing our lab-to-market time.”
Infosec and risk management professionals aren’t typically the individuals setting business objectives, of course; that’s the job of the senior executives (CEO, president, and board). But it’s important that infosec, risk management, and other professionals clearly understand the business objectives, and more importantly, understand the implications of those objectives.
So, for instance, in the above example, if delivering innovative, category-defining products is an explicit strategy, some cybersecurity risks that might adversely affect these objectives could be:
- Theft or exposure to competitors of intellectual property
- Denial of service attack on R&D facilities
- Anything that might interfere with moving products from the lab to production (including hacking or damage to manufacturing facilities).
A big challenge for many organizations is that the stated business objectives aren’t the real ones. Particularly in organizations with damaged cultures, stated business objectives are often either overly broad (“become the best company in our space by being better than all the other ones”) or politically correct, playing to what board members want to hear versus actual goals.
For infosec and risk management professionals, it’s critical to zero in on the true objectives. This is where the process of documenting the business objectives comes in—infosec and risk management teams must craft expressions of the true business objectives that pass muster with the executive stakeholders. Often this process is iterative, and in the worst-case scenario it may require engaging consultants to handle the politics. It is, however, necessary—and infosec and risk management professionals skimp on this component at their peril.
Identify Risks
Identifying risks is one of the least-formulaic components of the process. It’s essentially an extension of the example noted above: brainstorming around scenarios that could generate issues. It’s advisable for infosec and risk management teams not to conduct this in isolation, but rather in close collaboration with subject-matter experts in other areas, if they exist. These might be specialists in political risk assessment, reputational risk assessment, etc.
The biggest challenge in identifying risks is to know when the process is complete, or at least complete enough to proceed to the next step in the process. The more minds that are actively engaged on the process, the more likely this is to happen in a timely fashion. And revisiting the explicit and implicit assumptions behind the identification of these risks on a regular basis should be a key part of the process overall.
Classify and Map Risks
Entire degrees are granted in the statistics of risk-classification, and many organizations have a robust framework against which to classify risks. For infosec professionals lucky enough to work in those organizations, the best approach is to adopt the existing risk-classification framework.
For those who don’t, a simple but useful way to classify risks is to map them based on probability and severity. (Please see Figure 4). Probability is of course the likelihood of occurrence, and severity is the degree to which the risk would affect business operations, should it occur. The appropriate response (immediate remediation, later remediation, or toleration) to each risk (R1 through R6 in Figure 4) can be based on the combination of probability and severity.
In classifying risks, it’s important to recognize three points.
First, it’s critical to bound the risk by positioning it in time and space. The probability of an asteroid hitting the Earth is 100%, if you assume a long enough time horizon. But the probability of an asteroid landing in Sylacauga, Alabama in, say, November 1954 is vanishingly low (though one did, in fact, land there on that date, very much surprising the woman on whom it landed). So make your time and event horizons as crisp as possible: a 5% chance per quarter is not the same thing as a 5% chance per year.
Second, the probability and severity need not be mathematically precise. Although it’s obviously preferable to have hard data, an educated guess is better than nothing. Bayesian reasoning formalizes exactly this: start from an informed prior, then update it as evidence (incidents, near misses, audit findings) arrives.
Finally, it’s worth noting that it’s possible to compute certain risks from others, and the outcome may be surprising. Take the case of a specific event that might occur via one of multiple different pathways. For example, a data center might be incapacitated by a DDoS attack, a power outage, malware, etc. Each pathway is independent, but the outcome is identical: the data center goes down. For the sake of simplicity, assume there are five pathways, each with a 20% probability of occurring. The probability that none of them occurs is 0.8 to the fifth power, about 33%, so the probability that the data center goes down is about 67%, not 20%. (Please see Figure 5).
Statistics mavens will recognize this is a highly simplistic example (and makes assumptions that may not apply in real life, such as the complete independence of each pathway). However, it’s a useful way to sanity-check your assumptions when classifying risk.
The outcome of this effort should be a prioritization of risks, as noted. Risks that are both severe and high-probability should be addressed first, and those that are relatively benign and/or low probability, later or not at all.
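The arithmetic behind Figure 5 and the probability/severity mapping of Figure 4 are small enough to put in code. The following is an added example, not part of the Nemertes document: it computes the likelihood of an outcome reachable through several independent pathways, rescales a per-period probability to a longer horizon (the "bound the risk in time" point), and maps each risk onto a response bucket. The threshold values, the severity scale, and the sample portfolio are assumptions constructed for the example.

```python
"""Added example: classifying risks by probability and severity, with the
multi-pathway arithmetic from the text. Illustrative code, not Nemertes'."""
from dataclasses import dataclass, field
from math import prod


def any_pathway_probability(pathway_probs):
    """Probability that an outcome occurs through at least one of several
    pathways, assuming the pathways are independent.

    P(at least one) = 1 - product(1 - p_i). Five pathways at 20% each give
    1 - 0.8**5, about 0.67, the figure quoted in the text.
    """
    probs = list(pathway_probs)
    for p in probs:
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"probability out of range: {p}")
    return 1.0 - prod(1.0 - p for p in probs)


def probability_over_horizon(p_per_period, periods):
    """Probability of at least one occurrence across `periods` equal periods,
    given a per-period probability (again assuming independence between
    periods). A 5% chance per quarter is a ~19% chance per year."""
    return any_pathway_probability([p_per_period] * periods)


@dataclass
class Risk:
    name: str
    severity: int                 # assumed scale: 1 (negligible) .. 5 (existential)
    horizon: str                  # the time window every pathway probability refers to
    pathways: dict = field(default_factory=dict)   # pathway -> probability in that window

    @property
    def probability(self):
        """Combined probability of the outcome across all pathways."""
        return any_pathway_probability(self.pathways.values())


def response_for(risk, prob_threshold=0.5, severity_threshold=3):
    """Place a risk on the probability/severity grid and return the response
    bucket the text describes. Thresholds are assumptions for the example."""
    likely = risk.probability >= prob_threshold
    severe = risk.severity >= severity_threshold
    if likely and severe:
        return "remediate now"
    if likely or severe:
        return "remediate later"
    return "tolerate"


def prioritize(risks):
    """Order risks by probability times severity, highest first."""
    return sorted(risks, key=lambda r: r.probability * r.severity, reverse=True)


# Constructed sample portfolio for the example; not real data.
SAMPLE_RISKS = [
    Risk("primary data center down", severity=5, horizon="next 12 months",
         pathways={"DDoS": 0.2, "power outage": 0.2, "malware": 0.2,
                   "hardware failure": 0.2, "fibre cut": 0.2}),
    Risk("R&D IP exposed to a competitor", severity=4, horizon="next 12 months",
         pathways={"phishing": 0.15, "insider": 0.05}),
    Risk("defaced marketing site", severity=1, horizon="next 12 months",
         pathways={"CMS exploit": 0.3}),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_RISKS):
        print(f"{r.name:32} p={r.probability:.2f} "
              f"severity={r.severity} -> {response_for(r)}")
```

The independence assumption is doing a lot of work here, exactly as the text warns: a power outage and a hardware failure in the same facility are not independent, so treat the combined figure as a sanity check on the order of magnitude, not as a measurement.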
Develop and Document Risk-Mitigation Strategies
It should be obvious that once infosec and risk management professionals have identified a risk, it must be addressed. However, “addressing” a risk can take multiple forms—a point that infosec professionals often forget. Technical remediation is one solution, such as upgrading flawed infrastructure, or moving to a more secure environment. But there are others, including:
- Obtaining insurance
- Revising business or technology processes
- Increasing end-user training
- Doing nothing (for low-impact events).
Some of these are steps that infosec and risk management professionals can take; in other cases, the remediation actions lie in the hands of others (for example, the finance team typically handles procuring insurance). The important thing to understand here is that the range of risk-reduction strategies is broad, and technical professionals, in particular, need to think outside the technology box when it comes to risk mitigation.
Review Risk Portfolio and Revise as Needed
A business risk portfolio isn’t static. Infosec professionals should plan to review the portfolio and revisit assumptions on a regular basis, both as a working group and with key business stakeholders. How often depends on the industry, the company culture, and the size, but ideally, the infosec team reviews and assesses the portfolio once per quarter. It’s also important to include business stakeholder signoff, particularly on the risk-classification and remediation strategies. If a risky event should occur, it’s critical that stakeholders have agreed ahead of time on the appropriate response.
Best Practices and Success Strategies
Moving toward a risk-management approach represents a significant shift in how infosec teams operate. Specifically, infosec becomes less siloed and more integrated into the rest of the organization (where “the organization” includes risk management and business units, as well as IT). Additionally, funding for infosec must change, as business and technology professionals alike view cybersecurity as less of a technical discipline and more of a business one.
Organizational and Operational Changes
Organizationally, one of the most critical shifts is that infosec professionals need to work more closely with teams outside of security, and indeed outside of IT. During the process of crafting the BRP, for instance, infosec professionals must be working closely with their counterparts in risk management, including subject-matter experts in political, reputational, economic, and other disciplines.
Other teams are, in turn, creating roles that relate directly to cybersecurity. These include:
- Cybersecurity counsel. This individual on the legal team is responsible for the legal aspects of cybersecurity, including compliance, liability, and the like. Typically this individual is a lawyer with solid technical chops, but little direct infosec expertise. (Note that in large organizations, the chief cybersecurity counsel may actually head up a team, but in most cases this is a single individual).
- Cybersecurity risk management. As noted, risk management teams are increasingly developing in-house subject-matter expertise of their own, typically by designating a risk manager specializing in cybersecurity.
- HR and/or communications infosec specialist. HR is taking a greater role in assessing infosec tactics, particularly when it comes to balancing the company’s requirements with employee rights to privacy. New technologies such as User Behavior Analytics (UBA) can provide detailed insight into employee behavior and associated insider threats, and HR teams must be versed in both how to protect employees and how to engage managers when behavior may indicate a problem. Similarly, communications teams need to have a crisp policy for communicating infosec issues both internally and to the outside world.
- Third-party risk assessors. Procurement teams typically assess vendors and other third parties for “risk,” but this is often a one-time-only assessment focused on issues such as financial viability. As companies rely more and more heavily on outsourcers, cloud providers, and managed services to deliver capabilities, the risk assessment processes need to evolve, becoming dynamic (rather than static) and automated.
Infosec professionals should familiarize themselves with these roles, as they emerge, and put in place an effective process for engaging with these individuals. What, specifically, that process is depends in large part on the company’s organization, size, and geographic scope: For a small, geographically centralized company, informal coffee-and-donut sessions in the company lounge might be ideal. For larger, more dispersed organizations, a more formal engagement structure (with weekly or monthly videoconferences) may be necessary. The important point here is that infosec engage with these groups early and often as part of the shift to a risk-management strategy.
Budgeting and Funding
Infosec funding is the biggest—and for some individuals, most challenging—shift associated with the move towards a BRP approach to risk management. Until recently, technology leaders tried to calibrate the “right” level of infosec funding based on a percentage of IT budget. Fevered debates raged about what percentage was the “right” one: 1%? 5%? 10%?
A BRP approach replaces that debate with a different question: what is each identified risk worth mitigating? Return to the R&D example above. One of the identified risks is a DDoS attack on the R&D facility. Suppose the company is close to a major breakthrough on a wildly innovative new product, estimated to generate $40 million in new revenue in the fourth quarter alone, if it gets out by the start of that quarter in time for the holiday shopping season.
If it doesn’t make the quarter, revenue estimates drop dramatically because the buzz of the holiday shopping season is over, and competitors will have a competing product by next season. So optimal throughput at the R&D facility is crucial. A DDoS mitigation service might hypothetically cost $1 million for the remainder of the quarter, and a backup network for the facility another $2.3 million. Spending $3.3 million to protect anticipated revenue of $40 million makes economic sense. (Strictly, the comparison is between the cost of mitigation and the expected loss it avoids, that is, the probability of a disabling attack within the quarter multiplied by the revenue at stake, not the full $40 million; with this much revenue riding on one quarter, even a modest probability justifies the spend.)
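The comparison above can be made explicit, and extended to choose among the mitigation options listed earlier (technical controls, process change, insurance, or doing nothing). The following is an added example, not part of the Nemertes document. The $40 million impact and the $1 million and $2.3 million costs come from the text; the baseline probability of a quarter-losing attack and the residual probability each option leaves behind are assumptions constructed for the example, and the decision depends heavily on them.

```python
"""Added example: comparing risk-mitigation options by expected loss avoided.
Illustrative code, not Nemertes'; the probabilities are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Mitigation:
    name: str
    cost: float                   # cost over the horizon being protected
    residual_probability: float   # probability of the loss event with this option in place


def expected_loss(probability, impact):
    """Expected loss over the horizon: probability of the event times its impact."""
    return probability * impact


def net_benefit(option, baseline_probability, impact):
    """Expected loss the option avoids, less what the option costs.

    Negative means the option costs more than the risk it removes; in that
    case tolerating the risk (or insuring it) is the better business decision.
    """
    avoided = (expected_loss(baseline_probability, impact)
               - expected_loss(option.residual_probability, impact))
    return avoided - option.cost


def choose_mitigation(options, baseline_probability, impact):
    """Pick the option with the highest net benefit. 'Do nothing' is always a
    candidate, which is the text's point that tolerating a risk is a valid
    strategy rather than a failure."""
    do_nothing = Mitigation("do nothing", cost=0.0,
                            residual_probability=baseline_probability)
    candidates = [do_nothing, *options]
    return max(candidates,
               key=lambda o: net_benefit(o, baseline_probability, impact))


# Figures from the R&D example in the text, in millions of dollars.
IMPACT = 40.0
# Assumed for the example: probability that a DDoS attack disables the R&D
# facility long enough to miss the quarter, with no additional protection.
BASELINE_P = 0.15
# Residual probabilities are likewise assumptions, not vendor claims.
OPTIONS = [
    Mitigation("DDoS mitigation service", cost=1.0, residual_probability=0.03),
    Mitigation("backup network", cost=2.3, residual_probability=0.08),
    Mitigation("service plus backup network", cost=3.3, residual_probability=0.01),
]

if __name__ == "__main__":
    for o in [Mitigation("do nothing", 0.0, BASELINE_P), *OPTIONS]:
        print(f"{o.name:30} net benefit = {net_benefit(o, BASELINE_P, IMPACT):+.2f}M")
    print("best:", choose_mitigation(OPTIONS, BASELINE_P, IMPACT).name)
```

Under these assumptions the service alone wins: buying the backup network as well removes only two more percentage points of probability, worth $0.8 million in expected loss, for $2.3 million. Drop the baseline probability to 2% and the best answer becomes doing nothing. That sensitivity is the reason the text insists on business stakeholders signing off on the probability and severity estimates rather than leaving them to the infosec team.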
Accounting teams have deep expertise in computing how much insurance a company requires for protection against various occurrences. What they struggle with when it comes to information security is understanding the nature of those occurrences, and their overall business impact.
As part of adopting a BRP approach to security, then, infosec professionals should take special care to detail risks and scenarios in terms their accounting teams can understand. Although the accountants are best qualified to affix the final dollar value to the risk-mitigation strategy, infosec teams should be prepared to provide clarity around the business impact, so accountants understand what they’re working with.
For some perspective, IT organizations spent an average of $412 per employee per year on security in 2014, with a range from a low of $105 to a high of $1,030. (Please see Figure 6.) Note that these figures do not necessarily reflect an optimal spend; in fact, they almost assuredly do not, given the high-profile breaches in 2014 among the highest-spending verticals (financial services and media companies). We believe that companies will need to brace to spend considerably more in 2015 and in years to come to achieve effective risk management.
Conclusion and Recommendations
IT organizations are increasingly moving to a risk-management perspective on information security. Doing so requires a fundamental restructuring of how organizations approach security, and touches not just the infosec group but also adjacent groups, including risk management, legal, HR, procurement, and accounting.
To set up a BRP approach to security, infosec professionals must be prepared to engage with all these stakeholders in a structured process. This includes taking a systematic approach to risk identification, classification, and remediation, and revisiting work on a regular basis. Moreover, infosec professionals should work with stakeholders to set budgets based on risk, rather than as a percentage of IT spend.
 In this document, the terms “information security” and “cybersecurity” are used interchangeably.
This approach aligns with that specified by presidential Executive Order 13636, which calls for a Cybersecurity Framework that helps owners and operators of critical infrastructure identify, assess, and manage cyber risk.