"Forget the old fortress mentality," advises Barry Beal, head of global IT security at Capgemini. "A new approach to risk management is needed." Information security officers no longer have the luxury of being able to worry solely about perimeter protection.
Some of the greatest risks to an organisation involve incidents that happen internally, deep down at the application and data levels. A raft of internal controls, checks and balances is needed to manage these vulnerabilities, from the boardroom right down to the operational level. New hardware, new software and new risk management procedures all have their part to play.
Beal argues that businesses are starting to understand corporate risk in the context of their strategy and corporate governance. "Most people now get it, that it is no longer feasible to think of security and risk mitigation as a tactical issue. The regulatory framework has driven that message home hard. But we are at a tipping point in terms of technology and operations. IT is in a catch-up phase. There is still an over-reliance on point security solutions and that all has to change."
Decisions about an organisation's approach to risk need to be taken at executive level because they are inextricably bound up with the way in which a company chooses to present itself to the world in terms of its risk posture. In the context of information systems, there is a need to strike a balance between security costs and risk mitigation benefits, and between the advantages of free information flows and the potential damage of uncontrolled access.
There is also the ever-present tension between security and internal productivity. The more security that is applied, the more difficult it is likely to be for people to get their work done. "Risk management is all about applying appropriate not absolute security," says John Meakin, group head of information security at Standard Chartered Bank, acknowledging that enterprise security measures need to be finely balanced against risk and cost.
Bespoke security
It is this full appreciation of risk that is behind Standard Chartered Bank's commitment to develop a dynamic approach to information security and corporate governance. "The aim is to implement security to a level that is appropriate to the level of risk," says Meakin. "Defining a mandatory set of controls is OK. But in a business of any size, the way that IT is disposed to risk will vary from department to department. A one-size-fits-all approach will lead either to overspending on inappropriate security controls, or vulnerabilities where there should not be any. Just enough security is the aim."
Every security control has an associated cost, and there must be a business reason for it to be implemented. "The security measure we choose to implement will be dictated by the risk model. And the level of acceptable risk will determine where and how we make security investments," says Meakin. To establish the level of acceptable risk, Meakin looks to capture the two core measures of threats and vulnerabilities, weighted against the all-important metric of value. This he bases on a business impact analysis for all key systems and applications.
Risk can be mitigated or even neutralised by insurance, provision of fallback systems, and back-up procedures. The provision of fallback systems might well be the most expensive of these measures, but any risk mitigation activity will need to be cost-effective. The trick is to identify risk exposure areas and then to address risk by prioritising actions, acknowledging that some areas of security deserve less scrutiny than others.
Meta Group suggests that this is particularly justifiable in the context of compliance, as it reflects a means to make practical the broad mandates of emerging regulations, many of which lack the fine detail that IT practitioners need to steer their compliance moves. For example, US legislation such as the Sarbanes-Oxley act, which is making many Global 2000 businesses very nervous, has already come under fire for its vagueness.
There are real and genuine concerns among CIOs that the full ramifications of emerging legislation are unfolding too slowly, or that the goalposts are being moved. The outcome of a recent survey from the Economist Intelligence Unit revealed that among financial services executives the regulators stand accused of introducing poorly-defined compliance rules. A good many CIOs complain that it is difficult to find out exactly what compliance fully entails. John Carrow, CIO at Unisys, agrees: "It is for that very reason that we have adopted COBIT as a risk framework to work against. It provides us with some guideposts."
The Control Objectives for IT (COBIT) toolset offers a systematic approach towards IT risk management that can be used to assess, manage and communicate IT risk. It is said to help with decision making about project priorities and is seen as a very effective tool to generate management awareness, present IT control diagnostics, and ensure that various lines of business are absolutely clear on corporate accountability and residual risk.
Security vendors, meanwhile, are making life a little easier by adding features to their products to address specific regulatory acts such as Sarbanes-Oxley. Consul, for example, has added a Sarbanes-Oxley compliance module to its InSight Security Manager, which provides templates, dashboards and reports that are tailored to the Act. The Consul InSight product monitors activity on operating systems, firewalls, intrusion detection systems, applications and databases to create an operational security policy for each, based on built-in and customised regulatory templates.
Doug Busch, Intel CIO, maintains that the current focus on compliance and increased audit requirements makes for a good opportunity for continuous improvement of all enterprise security and risk mitigation processes. He also reasons that there is a need to build an internal structure that lends itself to cost-effective risk assessment. "Classic ROI measures simply don't apply," says Busch.
"Security spending is discretionary," he continues. "There is a need to balance what I like to call the risk-cost trade-off. I first like to concentrate efforts on good operations practices, asset control and systems management, and the like. For instance, we have systemised our patch management operations in the last few years, and we now have a very structured patch regime. I then think there is a need to look closely at each and every enterprise vulnerability, on a case-by-case basis. How likely is it that each one will be exploited? What impact will it have on the business if a specific vulnerability is exploited? Then, I can start to prioritise the steps we need to make to mitigate risk."
Risk prioritisation
There are plenty of commercial tools available that aid risk mitigation prioritisation. Skybox Security's Exposure Risk Management system helps by identifying the risks that matter. It uses modelling to assess the business impacts of security threats before recommending priority fixes and remedies. Skybox contends that only 1% to 2% of the vulnerabilities generated from conventional scanners are critical business risks, and that the only way to detect critical vulnerabilities is through attack simulation. Its system constructs a network map of physical and logical entities and takes risk input statements, various dependency and firewall rules to build an attack model that can be run every day.
Skybox's VP for EMEA, Avi Corfas, claims the software addresses one of the main difficulties of risk management. "There is a real need to apply security resources where they are most needed. Security scanners generate too much data. Risk reports produced by vulnerability assessment tools are not actionable because they provide so much data that it can be difficult to know where to start," he says.
The system is intended to build on existing deployments of vulnerability assessment tools from companies such as Qualys or Internet Security Systems, and could use inputs of risk management tools such as Citicus One, which automatically collates risk data from all types of corporate information systems, business applications, ecommerce platforms and communications networks before quantifying the extent of risk. Primed with these necessary feeds, the Skybox system will produce daily work orders or trouble tickets, using a built-in dictionary to recommend a remedy for those vulnerabilities diagnosed as priorities.
Similarly, ArcSight's security event management software has been fitted with features that provide a clearer picture of security status. The ArcSight software, which draws security event data from other devices, correlates and analyses it, and then reports to security administrators on the risk status of ports and packets. But it will also create CEO-friendly reports about, for example, how their Sarbanes-Oxley compliance might be exposed by hackers. Being able to connect changes in status of low-level security events to a shift in the overall risk profile of an organisation is considered an imperative.
Enterprise risk map
Risk management is being perceived at companies like Standard Chartered as the construction of a complete risk map of all enterprise applications, across all platforms, which can be continually updated. The thinking is that such a view would provide a much-needed focus for applications and operations staff and security administrators. "In a way it becomes an extension to risk-driven monitoring processes. Take patch management, for example," says Meakin, "it is an almost unmanageable task across an enterprise of any size and there is a real need to reduce the task to that which is absolutely must-do, to protect those assets that have the most value or those that would impact most on the business."
To assess the risk profiles of existing systems the bank is piloting the use of the Citicus product to monitor fluxes in the status of security controls. Meanwhile, a company like Trinity Security Services will tailor risk management best practices for Global 2000 businesses using accepted risk management principles as a starting point. This includes gathering information on various network components, servers and data assets, measuring their business value, assessing vulnerabilities and producing measures of risks. After building a systems inventory, a vulnerability and threat assessment helps to determine the probability of someone attacking any of those weaknesses. The output of this would be a list of vulnerabilities starting with those host and network-level exploits that would have most impact on the business.
At a recent think-tank of FTSE 250 risk managers, the company developed a high-level risk assessment method that would be suited to profiling the 'early lifecycle risk' of new IT systems or projects. The outcome was a risk template that could be used by project managers and supported by an organisation's information security team. According to one participant from the UK supermarket chain Tesco: "The template is very, very useful."
The retailer uses FIRM (the Fundamental Information Risk Management method developed by a 250-strong independent consortium of corporations that make up the Information Security Forum) for 'late lifecycle risk' support, but sees a complete lack of any usable risk assessment process for initiating a project. "It is easy to apply risk best practice for existing business processes and projects, but it is not so easy to get any appreciation of risk into a project from scratch with security built-in to the appropriate standard," says Tesco.
Development of the template minimises the skills required to complete an early lifecycle risk assessment, which to date has been a time-consuming, resource-intensive and expensive process that requires a high degree of expertise. It is also a very simple and effective way to increase the use of risk assessment within new IT projects. Main threats and vulnerabilities are mapped according to the likely perceived financial loss, damage to reputation or failure to comply with legal and regulatory requirements. A matrix of risk levels is built up so that the controls, or countermeasures, that protect against each identified threat can be agreed.
Lack of a proven process is still seen as a problem in risk management. A couple of years ago Capgemini surveyed 270 European and US corporations to develop a security indexing service that aimed to establish a process that would frame risk management and IT security policies in a commercial setting. The resultant Adaptive Security Index (ASI) service has since been positioned as an essential first step to ensure the correct balance between risk, security, expenditure and return on investment.
ASI promotes the use of risk management techniques to gauge the level of risk associated with aspects such as the loss of image through web defacement, loss of income through downtime or denial of service attack, or the loss of credibility through the theft or misuse of confidential customer data. It also targets an appreciation of security governance and use of an appropriate and relevant level of security management.
Continual assessment
"ASI gave us a set of benchmarking data and a security model to use in consulting engagements, but it also gave us a view of the changing nature of risk," says Capgemini's Beal. "We see four key factors that risk management programs must now respond to. There is the whole area of mobile access to core information assets, the rising sophistication and severity of online threats, the new far more rigorous regulatory requirements and the prevailing acceptance and adoption of e-trading and online collaboration. They will all impact on risk."
CBR Opinion
Approaches to risk need to be planned and managed much in the same way that Six Sigma and Total Quality Management revolutionised quality assurance. Proven methods and new software support should help enterprises to align their security systems with business objectives using a road map of recommended best practice risk techniques.