BreachExchange mailing list archives
Is Your Security Program Effective? 7 Must-Ask Questions
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 8 Jan 2014 11:22:27 -0700
http://www.informationweek.com/risk-management/is-your-security-program-effective-7-must-ask-questions-/d/d-id/1113349

Business leaders can, and should, insist on metrics to prove protection efforts are worth the money.

As we put the final touches on 2014 budgets, many security leaders are asking for more money now to keep “bad things” from happening later. CEOs and CISOs have done this dance for years. But today I see many business leaders asking, “What do we have to show for all of these information security investments? How do I know we’re spending the right amount? How do I know our security program actually works?”

This last question is especially tricky. You’ve either had a security breach or you haven’t. If you have had a major incident, were you unprepared or just unlucky to be targeted by a high-powered attacker? If you’ve not had a major breach, is that because of a good security strategy? Or did you just get lucky? Can you even know for sure?

The correct answer to these questions is: “Risk reduction as borne out by our risk management program.” I’ll explain what that looks like in a moment. But first, here are seven questions business leaders should ask their CISOs, and the answers that should worry them.

1. “How do I know our risk management program works?” (Red-flag answers: “I don’t know,” or “We use X and X is a best-practice.”)

2. Do we have a defined risk management methodology? (Red-flag answer: “No.”)

3. Where did our methodology come from? Which interdisciplinary techniques do we use? (Red-flag answers: “We invented our own,” or “I don’t know.”)

4. How do we measure probability, frequency, and business impact? Do we use ranges of numbers? (If the answer is “no,” you might be in possession of a red flag.)

5. Does our risk management methodology require detailed, calibrated estimates? Is the CSO/CISO calibrated? (If the answer to either question is “no,” well, you know what color flag you have.)

6. Can the CSO/CISO explain the “base rate fallacy”? (The answer should be “yes.”)

7. Do we measure probability, frequency, and impact with a scale, like “high,” “medium,” and “low”? Do we use risk matrices or heat maps to summarize risks? (If the answer to both questions is “yes,” that’s a red flag. Gotcha!)

If you’ve asked these questions, chances are you’ve also gotten a lot of wrong answers. You’re not alone. Most companies use what I call a “qualitative” approach that, by definition, focuses on qualities, attributes, or characteristics of things. Examples include marking off checklists of compliance requirements, benchmarking the company with peers, and so forth. While easy to do, qualitative approaches by themselves don’t answer the important questions. Just because my peers are doing X, why does that make X the right approach for us?

(...)
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com

Supporters:
Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security offers security intelligence, risk management services and customized security solutions. The YourCISO portal gives decision makers access to tools for evaluating their security posture and prioritizing risk mitigation strategies. Cyber Risk Analytics offers actionable threat information and breach analysis.
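The numbers behind questions 4, 6 and 7 of the forwarded article, as an added example that is not part of the original post or the InformationWeek piece: a Bayes calculation showing the base rate fallacy on a constructed alert stream, and two constructed risks whose frequency and impact ranges give very different expected losses yet land in the same heat-map cell. All rates, thresholds and money figures are constructed for illustration.

```python
"""Constructed figures only; nothing here comes from the article or the post."""


def posterior_given_alert(base_rate, detection_rate, false_positive_rate):
    """P(intrusion | alert) by Bayes' rule.

    base_rate            P(intrusion) per monitored event
    detection_rate       P(alert | intrusion)
    false_positive_rate  P(alert | no intrusion)
    Reading detection_rate as "the alert is 99% right" while ignoring
    base_rate is the base rate fallacy the article asks the CISO to explain.
    """
    true_alerts = base_rate * detection_rate
    false_alerts = (1.0 - base_rate) * false_positive_rate
    return true_alerts / (true_alerts + false_alerts)


def annual_loss_range(freq_range, impact_range):
    """Expected annual loss as a (low, high) range: events/year x loss/event."""
    f_lo, f_hi = freq_range
    i_lo, i_hi = impact_range
    return (f_lo * i_lo, f_hi * i_hi)


def bucket(value, cuts):
    """Collapse a number onto a low/medium/high label, as a heat map does."""
    low_cut, high_cut = cuts
    if value < low_cut:
        return "low"
    return "medium" if value < high_cut else "high"


FREQ_CUTS = (0.1, 1.0)            # constructed: events per year
IMPACT_CUTS = (10_000, 100_000)   # constructed: currency per event


def heat_map_cell(freq_range, impact_range):
    """Label a risk by the midpoint of each range, discarding the range itself."""
    f_mid = sum(freq_range) / 2
    i_mid = sum(impact_range) / 2
    return (bucket(f_mid, FREQ_CUTS), bucket(i_mid, IMPACT_CUTS))


# Constructed detector: 1 in 1000 monitored events is a real intrusion,
# 99% of those are caught, and 2% of benign events are flagged anyway.
ALERT_POSTERIOR = posterior_given_alert(0.001, 0.99, 0.02)  # about 0.047

# Constructed risks that share a "medium / medium" cell.
RISK_A = ((0.1, 0.2), (12_000, 20_000))   # ~1,200 to 4,000 per year
RISK_B = ((0.5, 0.9), (70_000, 99_000))   # ~35,000 to 89,100 per year
```

Under these constructed numbers fewer than 5% of alerts are real intrusions, and the two risks differ roughly twentyfold in expected annual loss while the heat map reports them identically.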