Is Your Security Program Effective? 7 Must-Ask Questions

[Audrey McNeil <audrey () riskbasedsecurity com>]

http://www.informationweek.com/risk-management/is-your-security-program-effective-7-must-ask-questions-/d/d-id/1113349

Business leaders can, and should, insist on metrics to prove protection
efforts are worth the money.

As we put the final touches on 2014 budgets, many security leaders are
asking for more money now to keep “bad things” from happening later. CEOs
and CISOs have done this dance for years. But today I see many business
leaders asking, “What do we have to show for all of these information
security investments? How do I know we’re spending the right amount? How do
I know our security program actually works?”

This last question is especially tricky. You’ve either had a security
breach or you haven’t. If you have had a major incident, were you
unprepared or just unlucky to be targeted by a high-powered attacker? If
you’ve not had a major breach, is that because of a good security strategy?
Or did you just get lucky? Can you even know for sure?

The correct answer to these questions is: “Risk reduction as borne out by
our risk management program.” I’ll explain what that looks like in a
moment. But first, here are seven questions business leaders should ask
their CISOs, and the answers that should worry them.

1. “How do I know our risk management program works?”
(Red-flag answers: “I don’t know,” or “We use X and X is a best-practice.”)

2. Do we have a defined risk management methodology?
(Red-flag answer: “No.”)

3. Where did our methodology come from? Which interdisciplinary techniques
do we use?
(Red-flag answers: “We invented our own,” or “I don’t know.”)

4. How do we measure probability, frequency, and business impact? Do we use
ranges of numbers?
(If the answer is “no,” you might be in possession of a red flag.)

5. Does our risk management methodology require detailed, calibrated
estimates? Is the CSO/CISO calibrated?
(If the answer to either question is “no,” well, you know what color flag
you have.)

6. Can the CSO/CISO explain the “base rate fallacy”?
(The answer should be “yes.”)

7. Do we measure probability, frequency, and impact with a scale, like
“high,” “medium,” and “low”? Do we use risk matrices or heat maps to
summarize risks?
(If the answer to both questions is “yes,” that’s a red flag. Gotcha!)

If you’ve asked these questions, chances are you’ve also gotten a lot of
wrong answers. You’re not alone. Most companies use what I call a
“qualitative” approach that, by definition, focuses on qualities,
attributes, or characteristics of things. Examples include marking off
checklists of compliance requirements, benchmarking the company with peers,
and so forth. While easy to do, qualitative approaches by themselves don’t
answer the important questions. Just because my peers are doing X, why does
that make X the right approach for us?

(...)

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security offers security intelligence, risk management services and customized security solutions. The 
YourCISO portal gives decision makers access to tools for evaluating their security posture and prioritizing risk 
mitigation strategies. Cyber Risk Analytics offers actionable threat information and breach analysis.