Implementing security in Information Technology is not about locking down and protecting a system. After all, the best way to secure a computer is to power it down, unplug it, remove all storage devices, and lock them in a vault. The second you power that computer on, even in an air gapped faraday cage, you begin to assume some level of risk. The trick to security is knowing your risk and mitigating any unwanted risk.
Risk is what we are trying to understand and mitigate against in a cyber security program. If we are not calculating risk within the organization and using the same formula or even definitions within an organization, we will be approaching security from completely different understandings.
With risk analysis, we need to identify the threat and understand what vulnerability that threat would be compromising. Then we need to understand the impact that would have to the overall business function and the likelihood of it occurring. Once we have those variables understood, we can have a healthy conversation of what levels of security in which we should be investing.
Cost Effective Risk Mitigation
Risk. Loss. Impact. Likelihood of threat. These are all important, and at times, overlooked in a security program. We need to make sure we are applying the right level and budget into a security program to help the business while not hurting the business.
Imagine if you inherited a bag of gold doubloons valued at $500,000. This would be an extremely valuable and a prized possession. Naturally, you would want a secure place to protect your bag of gold. In your search for a vault to store the gold in, you come across a extremely advanced, high tech vault with a small army standing by to react to any alarm. This, this is the solution, and it is only $5 million.
We cannot be spending more in security than the value of the asset and this is what we need to do in Information Security. Your local, family-owned pizzeria does not need to invest in a next-gen firewall and a robust security information event monitoring solution.
This is where we start looking into cost effective solutions to mitigate the risk. Some of these solutions require some creativity, out-sourcing, and perhaps elbow grease to implement.
As we start maturing our organization and analyze risk from the threats that are circling around us, we are going to come to a situation in which it does not make sense to mitigate. In these cases, it is important to know that there is an option to assume or accept the risk.
When reviewing a security framework or a best practice, perhaps we will come across a security control that does not make sense to implement. Perhaps you are a medium-sized organization with 200 employees, you likely do not need to hire 6 individuals to build out a 24/7/365 security operations center.
Risk acceptance is another important component to a security program. There are elements that should be included when assuming risk. First, make sure the right person is assuming the risk. The junior systems engineer should not be making the assumption to continue to have the organization run on Windows XP desktops. Ensure the acceptance is documented and reviewed on a routine basis or after an event that affects the risk that was assumed. Also, when possible, implement any possible mitigating controls to limit the risk to the organization.
As your organization centers its security program around risk acceptance/risk mitigation, the program will go from holding the organization back to helping it thrive.