by Angela Genusa

Risk Management: 12 Keys for Locking Up Tight

Mar 01, 2001

In a perfect world, a bit of common sense and a dash of due diligence would protect us from hackers, saboteurs and the common cold. Well, the world isn’t perfect, and we know we can never be completely secure. There is a measure of safety to be gained by following a formula of threat education, security breach prevention and risk mitigation.

“There’s no single answer,” says Bruce Schneier, CTO of security consultancy Counterpane Internet Security in San Jose, Calif., and the author of Secrets & Lies: Digital Security in a Networked World (John Wiley & Sons, 2000). “I can’t say, ‘Do these seven steps and you’ll be magically secure.’” Although every organization’s security infrastructure must be unique to be effective, Schneier and other experts point to the following essential ingredients. Pay close attention to these basic security issues.

1 Establish Accountability

Companies have traditionally relegated security to IS, viewing it merely as an administrative function and expense. However, security can no longer be a closeted IT function, says Michael Assante, cofounder and chief intelligence officer of LogiKeep, a security consultancy based in Dublin, Ohio. “It’s got to be a boardroom issue and not a backroom issue. It needs to become part of a business decision-making process, looking at system survival and business continuation issues. Accountability should fall on the shoulders of the business decision makers.”

As the liaisons between operations and management personnel, CIOs are uniquely positioned to champion IT security issues in their organizations, according to John S. Tritak, director of the Critical Infrastructure Assurance Office with the U.S. government. CIOs and other senior IT executives need to cultivate and maintain close relationships with senior operations, telecommunications, physical security, human resources and other executives in their organizations to develop and implement a comprehensive IT security plan.

CIOs must have the authority and the autonomy to immediately address security issues or react to breaches quickly, says the executive vice president of IT at a Fortune 500 financial services corporation. “You can’t create a ton of bureaucracy that makes it impossible for you to act or quickly react,” he says. “It’s called accountability.”

Some companies are hiring vice presidents of security and chief information security officers (see “Someone to Watch Over You,” Page 82) to put policy, processes and methodology in place. Some are hiring chief privacy officers (see “Oh No, Not Another O!” CIO, Jan. 15, 2001) to oversee privacy issues. However, these positions must be more than window dressing, security experts say.

2 Promote Awareness

A lack of awareness of the potential threats from the CEO down is a major barrier to implementing security. “It’s difficult to move a security initiative forward because most people internally see it as a bureaucratic administrative kind of thing,” says the CIO of a Fortune 1000 manufacturing company. “It doesn’t matter how many times you wave policies in front of them; it has a half-life of about five minutes in their minds.”

CIOs need to raise internal awareness of security among senior management and all employees through ongoing security awareness programs and wide distribution of policies and procedures. “It’s incumbent upon the CIO to keep this in people’s faces,” says the executive vice president of IT at a Fortune 500 financial services corporation.

3 Protect Your Assets

What are your company’s crown jewels and where do these critical assets reside? They may be private customer records, sales information, employee files or transaction records, proprietary pricing, formulas or recipes, and knowledge. “I’ve been told by CIOs that very often, there is not enough appreciation for the crown jewels of the company,” Tritak says. “As a result there is a tendency in some institutions to seek some sort of uniform level of security across the entire organization, which may not be adequate for the real security of high-end critical assets. You may be oversecuring some assets and undersecuring others.”

What are the IT assets that enable you to deliver products and services for your company? As companies increasingly depend on technology to deliver and store their crown jewels, the potential for theft or damage increases. Assigning a value to these mission-critical IT assets helps senior managers understand the value of IT to their success.

4 Maintain Vigilance

Security is a never-ending process. “People tend to think of security as something you do once in a while and then you can forget about it,” Tritak says. “‘Well, we did it for Y2K; we’re done.’ It would be like asking, ‘When can I stop doing marketing?’ Well, when do you want to go out of business?”

CIOs should conduct regular, ongoing audits of their company’s security infrastructures using an independent source, Tritak says. CIOs audited their networks in preparation for Y2K, assessed their risk and took action; they treated Y2K as a business issue. Now CIOs need to go beyond the lessons learned from Y2K and consider the consequences of business disruption from security breaches. “In the information age, you’re dealing in a very dynamic environment; the risks and vulnerabilities are changing constantly,” Tritak says.

Gaining the CEO’s and board members’ buy-in is also part of an ongoing security plan. “It’s buying in to a new way of assuring and securing your business,” Tritak says. “It’s part of a mind-set that is beginning to evolve to thrive and manage risk in an information age.” The goal is to create a trusted, reliable business environment. Failure to do so can have serious repercussions and destroy relationships with customers and investors.

5 Spend Carefully

Security decisions are often made in haste after news of a recent virus or attack. Some corporations react to the latest security threat by throwing a lot of money at protecting their systems from that specific threat. Forrester Research predicts select American companies will spend $19 billion on solving security problems by 2004. One of the myths the industry propagates is that more security is better, Schneier says. “More isn’t obviously better,” he says. “If I were a bank, I could strip-search every customer that walks into the bank. That improves security, but my business will fall apart.”

Rather than throwing dollars at the problem, CIOs should carefully incorporate security considerations in the acquisition, development and installation of new IT systems as a standard practice, according to security experts. Most security software packages and hardware configurations on the market are one-size-fits-all solutions designed to work in any organization. These products leave open many avenues of attack and threat, and, in the end, cost more.

CIOs who are stuck with legacy systems and putting security Band-Aids on patched-together networks face a game of catch-up, Schneier says. “You’re doing the worst job, and it’s more expensive.”

6 Survey the Threatscape

To adequately secure their companies, CIOs need to understand and monitor all the dangers, both internal and external, to their companies. Security threats to their businesses may include social, economic and geopolitical factors. Identifying those threats or “the enemy” is becoming more and more difficult as borders and boundaries dissolve around nations, organizational structures and individuals.

Geopolitical incidents pose new security risks with dire threats to U.S. corporations, Assante says. “The Internet gives people the ability to take action and do it in the anonymity of the Internet,” he says. “Instead of saying, ‘You’ve got to have firewalls,’ CIOs need to focus on the threatscape.” To determine your company’s risk profile, enlist the help of the COO, CFO, corporate legal counsel, auditors, bond raters and insurance companies.

7 Mitigate Risk

CIOs must know what risk their businesses are willing to bear. Take the risk of shoplifting, for example. In the brick-and-mortar world, companies have long understood this “acceptable” risk as the cost of doing business and mitigated it with security measures. Grocery stores post sensors at exits and use surveillance cameras and store guards. Jewelry stores keep gems under lock and key, and employees carefully watch as customers handle merchandise. Apparel stores put garment tags on clothing and sensors on the doors.

Security in the networked world is no different, Schneier says. “It’s all about understanding what the risks are and accepting those risks, mitigating them technologically, procedurally or contractually.”

Schneier illustrates acceptable risk with a U-shaped curve. “On the far right are very expensive security and no or low losses to attack,” he says. “On the left at the other top of the U are very expensive losses and no security. In the middle is some sweet spot: just enough security and just enough losses. Where that sweet spot is will be different for every company, depending on their risk profile.”

8 Embrace Risk

CIOs should approach security as risk management, rather than threat avoidance. Some risk is good, say security experts. “The higher the risk, the higher the profits,” says Mudge, vice president of research and development at @Stake in Cambridge, Mass.

Good risk management depends on a company’s business model, its risks and the value of the transactions at risk, Schneier says. “If you think of the credit card industry, the threats are enormous,” he says. “They still haven’t solved the problem. But if I go to the credit card companies [to sell them security], they tell me, ‘We’re making a fortune. Shut up.’ That’s the right way to think.”

To win the dollars you need for security, conduct a threat analysis based on your company’s business model, Mudge says. Then build a business case for senior management, presenting security as a revenue generator, not an expense. An incentive approach, as opposed to a liability approach, gives you a much better chance of getting an adequate security budget.

“If I say, ‘I need a million dollars to minimize the chances we will potentially lose a million dollars,’ it will be tough to acquire that budget,” Mudge says. “It’s a lot easier to get that money if I say, ‘I need $1 million to enable us to drive more revenue. With our existing architecture, we can do only 1,000 transactions per day, but with this new architecture we could do 5,000.’” Pitched as an opportunity and strategic advantage rather than a potential loss, security becomes a fortuitous byproduct, he says.

9 Mirror the Business

If you look at your company’s operating system and network, and you can’t tell what it’s designed for, your company is accepting undue risk, Mudge says. “The standard security profile is not the same at any given time and at any given company,” he says. “Your business model should define your security stance, and your security must mirror your business.”

Security is a state of mind engineered and designed into the infrastructure, rather than vice versa. A well-designed architecture eschews superfluous services and unnecessary risk, Mudge says. “Fort Knox was designed with big walls for good reason: They knew what they were going to be storing there. They knew what their business was.”

It’s also much more efficient if you design security into your infrastructure from the beginning, Schneier says. “If you just finished building a bank and then you figured out you need a vault, an alarm system and cages for the tellers, suddenly you’re redoing everything.”

10 Go Beyond Technology

IT executives have typically mitigated security risks with one-size-fits-all hardware and software, believing these tools would make their companies secure. There is no such thing as being “100 percent secure,” say security experts. “You never go into a store and say, ‘Sell me a lock that prevents all burglaries’ or ‘Sell me a firewall that will prevent all hackers,’” Schneier says. “Buying a lock for your door is part of a very complex system of prevention, detection, alarm and response, police force, deterrence, all of those things combined. If you’ve never been burglarized, it’s because of that [combination], not because of some magic piece of technology. The Net is the same way.”

As in the real world, if someone really wants to break in, they’ll find a way to do it. Firewalls, digital watermarks and biometrics are no match for a determined hacker.

Derek Harp, chief executive officer of LogiKeep, agrees. “Technology solutions are not the solution,” he says. “People are exploiting vulnerabilities and creating tools to escape detection. Time and time again, technology has fallen short.”

Relying solely on technology to solve security woes is a recipe for disaster, say security experts. “CIOs have been sold a bill of goods by security companies [that say,] ‘Here’s our magic security dust: Buy a firewall, buy a PKI [public-key infrastructure], buy a security detection system, buy this,’” Schneier says. “They’ve been screwed a lot of times.”

11 Detect and Respond

Detection and response are much more effective than prevention. “You have to be watching 24/7/365,” Schneier says. “You can’t put a sign on the server that says, ‘Please restrict all hacking from Monday through Friday between 8 and 5.’ If you don’t have someone watching it 24/7/365, you’re going to get whacked.”

Schneier recommends that CIOs outsource security detection and response. “It’s the main reason no one has their own fire department,” he says. “You never know when a fire is going to break out. If you did your own [detection and response], it would be a few months of boredom and then a few minutes of panic. It makes no sense for you as a business to have your own fire department.”

12 Educate Others

Most often, people are the weakest link in the security chain. Security is inherently a people problem because people are the network. CIOs need to educate employees about security risks and threats, from e-mail viruses to protecting proprietary information, Tritak says.

Employees who would never consider leaving their house key under the doormat don’t think twice about posting their network passwords under their mouse pads. For hackers skilled in “social engineering,” coaxing network passwords from most employees is disarmingly simple. Most employees are also unaware of simple security risks, such as sending proprietary information by e-mail.

The CIO of the Fortune 1000 manufacturing company tells of an executive who wanted to work on a document containing proprietary information over the weekend and e-mailed the document to himself at home. “This document went out over the Internet,” the CIO says. “Who knows what route it traveled over the world, what servers it hit or who saw it. This person never thought once about that and didn’t realize that it wouldn’t be totally secure. People don’t think about it. They’re thinking about doing their job, working at home, and the easiest way to get it there is to e-mail it to yourself at home. It’s like ‘Wake up!’”