Secure Coding mailing list archives

BSIMM update (informIT)
From: James.McGovern at thehartford.com (McGovern, James F. (eBusiness))
Date: Wed, 3 Feb 2010 10:06:21 -0500

While Wall Street's definition of risk collapsed, the insurance model of
risk stood the test of time :-)

Should we explore your question of "how are risk levels defined in
business terms" more deeply or can we simply say that if you don't have
your own industry-specific regulatory way of quantifying, a good
starting point may be to leverage the OWASP Risk Rating system?

I also would like to challenge and say NO to prescriptive. Security
people are not Vice Presidents of the NO department. Instead we need to
figure out how to align with other value systems (Think Agile
Manifesto). We can be secure without being prescriptive. One example is
to do business exercises such as Protection Poker.

Finally, we shouldn't say yes to regulatory mandates, as most of them
miss the real risk at hand. The challenge here is that they always
mandate process but never competency. If a regulation said that I should
have someone with a fancy title overseeing a program, the business world
would immediately fill the slot with some non-technical resource who is
really good at PowerPoint but nothing else. In other words, a figurehead.
Likewise, while regulations cause people to do things that they should
be doing independently, they have a negative side effect on our economy by
causing folks to spend money in non-strategic ways.

-----Original Message-----
From: sc-l-bounces at securecoding.org
[mailto:sc-l-bounces at securecoding.org] On Behalf Of Benjamin Tomhave
Sent: Tuesday, February 02, 2010 10:19 PM
To: Arian J. Evans
Cc: Secure Code Mailing List
Subject: Re: [SC-L] BSIMM update (informIT)

<soapbox>While I can't disagree with this based on modern reality, I'm
increasingly hesitant to allow the conversation to bring in risk, since
it's almost complete garbage these days. Nobody really understands it,
nobody really does it very well (especially if we redact out financial
services and insurance - and even then, look what happened to Wall
Street risk models!), and more importantly, it's implemented so shoddily
that there's no real, reasonable way to actually demonstrate risk
remediation/reduction because talking about it means bringing in a whole
other range of discussions ("what is most important to the business?"
and "how are risk levels defined in business terms?" and "what role do
data and systems play in the business strategy?" and "how does data flow
into and out of the environment?" and so on). Anyway... the long-n-short
is this: let's stop fooling ourselves by pretending that risk has
anything to do with these conversations.</soapbox>

I think:
 - yes to prescriptive!
 - yes to legal/regulatory mandates!
 - caution: we need some sort of evolving maturity framework to which
the previous two points can be pegged!

cheers,

-ben