This post is inspired by a talk that I saw recently by Dr. Eric Cole from the SANS Institute. In that talk Eric discussed the method that companies use to divide up and invest their resources into security. It seems that quite frequently these investments are made blindly by executives who don’t have an understanding of risk management or of the importance of data-driven resource allocation. In this post I’m going to show you exactly why 90% of organisations are quite literally throwing away their resources.
What is the risk?
We’re constantly facing risk. Whether these risks are financial, operational, compliance-based or even strategic, there’s never been a tougher time to do business. Throwing the risk from cyber into this mix doesn’t make things any easier. Risk roughly translates to the probability of loss. When we recognise that our business faces a particular risk we usually take steps to attempt to mitigate that risk, and cyber is no exception.
Risk in cyber can be broadly broken down into two components, threats and vulnerabilities. We can define a threat as the potential to cause harm. So let’s ask ourselves two things:
1) Who are our adversaries?
2) What are our adversaries capable of doing?
Adversaries may be business competitors, political hacktivists, opportunists, financially motivated cyber criminals, nation states and even our own (perhaps disgruntled) employees.
Once we consider the depth of their capabilities, we then have to focus on our vulnerabilities and consider where our most significant ones reside. Identifying and classifying these vulnerabilities is critical to our security policy, since a threat without a legitimate vulnerability has a relatively benign impact. This means that not all vulnerabilities are made equal: a vulnerability with no substantial threat behind it will have a relatively low associated risk.
Our ultimate goal then should be not to measure risk but to measure impact. We calculate impact using the following formula: Impact = Threats × Vulnerabilities. As organisations, when we want to mitigate the impact a particular risk has upon our business, we implement controls to manage that risk and reduce our exposure. In cyber the approach is the same; however, the only element of the risk that we are able to control is the vulnerabilities. Since we have no control over the external threats, we logically set about fixing as many vulnerabilities as possible.
While I understand this approach, it’s fundamentally flawed, and I’ll explain why. The number of vulnerabilities within your organisational infrastructure is not finite. There are always new and unidentified vulnerabilities within your environment, and even if there weren’t, the moment that you install, upgrade, remove or make changes to your network, the landscape has entirely changed. New vulnerabilities are being introduced all of the time because your network is constantly changing.
Is this the highest priority risk?
If the number of vulnerabilities were finite, every one that you fixed would reduce the attack surface, but in the real world this is not the case. Instead of aimlessly fixing vulnerabilities that have no real threat behind them, it makes sense for us to focus on those that have the most potential to cause harm to our organisation. Our vulnerabilities need to be classified, with action taken based upon that classification in an information-driven approach. In other words, we need to tackle the highest priority risks first.
Is this the most cost effective way of reducing that risk?
When tackling these problems we need to calculate whether we are reducing risk in the most cost-effective way. It’s an unfortunate reality that most executives only begin writing out the cheques following a serious breach. Believe it or not, this can actually make the situation worse, and here’s why. Having a breach in the first place is a good indication that the company didn’t have enough people to manage, monitor and configure the equipment it already owned.
Throwing more money at the problem by purchasing new security products and services can spread those dwindling resources even thinner, further exacerbating the problem. The notion that these products provide a silver bullet solution to security problems is entirely a fallacy. These tools, like any other, are only useful when placed into the hands of a skilled professional who is able to use them in a way that derives the most benefit for their organisation.
So let’s ask ourselves:
1. What is the risk?
2. Is this the highest priority risk?
3. Is this the most cost effective way of reducing that risk?
4. Are we investing our resources into the correct areas?
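To make the argument concrete, here is an added example (my own illustration, not code from the original post or from Dr. Cole’s talk) that applies Impact = Threats × Vulnerabilities to a constructed list of weaknesses, ranks them by impact, and then scores candidate controls by how much impact each removes per unit of cost. All names, scores and costs are made up for illustration; the 1–5 scales and the cost figures are assumptions, not a standard.

```python
from dataclasses import dataclass

# Constructed, illustrative data on a 1-5 scale (assumed scale, not from the post).
@dataclass
class Vulnerability:
    name: str
    threat: int         # likelihood that a capable adversary targets this weakness (1-5)
    vulnerability: int  # severity / exposure of the weakness itself (1-5)

    def impact(self) -> int:
        # The post's formula: Impact = Threats x Vulnerabilities
        return self.threat * self.vulnerability

@dataclass
class Control:
    name: str
    target: str        # name of the vulnerability this control addresses
    reduction: float   # fraction of that vulnerability's impact removed (0-1)
    cost: float        # constructed cost in arbitrary currency units

def rank_by_impact(vulns):
    """Question 2: which risk is the highest priority? Highest impact first."""
    return sorted(vulns, key=lambda v: v.impact(), reverse=True)

def cost_effectiveness(controls, vulns):
    """Question 3: impact removed per unit cost, best value first."""
    by_name = {v.name: v for v in vulns}
    scored = []
    for c in controls:
        removed = by_name[c.target].impact() * c.reduction
        scored.append((c.name, removed / c.cost))
    return sorted(scored, key=lambda t: t[1], reverse=True)

# Constructed sample inventory: a real threat on an exposed system, a minor internal
# weakness, and a severe-looking weakness that no realistic adversary can reach.
VULNS = [
    Vulnerability("unpatched-internet-facing-web-app", threat=5, vulnerability=4),
    Vulnerability("weak-password-policy-internal-wiki", threat=2, vulnerability=3),
    Vulnerability("legacy-protocol-on-isolated-vlan", threat=1, vulnerability=5),
]
CONTROLS = [
    Control("patch-web-app", "unpatched-internet-facing-web-app", reduction=0.8, cost=2.0),
    Control("buy-new-appliance", "unpatched-internet-facing-web-app", reduction=0.5, cost=20.0),
    Control("decommission-legacy-protocol", "legacy-protocol-on-isolated-vlan", reduction=1.0, cost=1.0),
]

if __name__ == "__main__":
    for v in rank_by_impact(VULNS):
        print(f"{v.name}: impact {v.impact()}")
    for name, ratio in cost_effectiveness(CONTROLS, VULNS):
        print(f"{name}: {ratio:.2f} impact removed per unit cost")
```

With these constructed figures the cheap patch removes eight units of impact per unit cost, while the expensive appliance aimed at the same weakness removes half a unit, which is the post’s point about products versus skilled effort in numbers.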
Cyber security expert by day and blogger by night. He shares his knowledge and experience with the world, with the goal of educating businesses and helping them to build more secure environments for themselves.