Risk Management can be a tricky business, and this is coming from a fairly straightforward perspective with a simple view of risk management (which means even I can understand it!). To the lay person the purpose of risk management is to find the risks and then remove the risks to the organisation, otherwise why bother?
The clue of course is in the word management. Many information security professionals already know that you can do one of four things to your risks, once identified:
- Mitigate (aka Manage), that is implement a control or carry out an activity that reduces the risk.
- Avoid, or basically just stop doing the thing that is causing the risk.
- Transfer, or just give the risk to someone else, like an insurer or a third party vendor.
- Accept, or just face facts that this risk is the price you pay for doing business in this area.
So let’s assume you have completed your risk assessment and applied at least one of these actions to each risk. Does this mean you are done? Does this mean you have successfully removed all of your risks from your organisation? Unfortunately, not by a long chalk.
Risks are always going to be present in your organisation; there are the ones you know about albeit reduced, the ones you think are too small to worry about, and finally the risks you have no idea about.
With the risks you know about even though you have reduced them, even though they may have gone from scoring an 8 to a 4 (in ISO 27005 parlance) they still exist! They can still happen, and worse still, the day after you have measured it, your assumptions are technically out of date. And just to really make your day, they may have even evolved and become unrecognisable and therefore invalid in your risk register.
The smaller risks you deem to be at an acceptable level will also suffer in the same way. Again, in ISO 27005 parlance the likelihood of something happening may change dramatically, or perhaps the ease of exploitation. Even worse, the asset value that you are measuring your risks against may have changed, which will have a number of far reaching impacts on your risk register. By that I mean that a project that was once of little importance to the organisation, or even a physical asset, may suddenly take on a more important role and therefore a greater ‘asset’ level. All of this is going to have an impact on your risks and how they impact your organisation.
Finally, the risks you weren’t even aware of. To be honest, and by their very nature, there is not a lot you can do about these except consider the following advice, which applies to all risks:
You should be clear on one thing, namely that risk management is not a one time activity. All of the text books and standards will say that your risk register needs to be reviewed every year or after every major change. Whilst I don’t disagree with this per se (and in fact a minimum of a yearly formal review is an absolute necessity), I think in reality this needs to be much more frequent. Really, reviewing your risks needs to be an organic part of your day to a greater or lesser degree, and dependent upon the type of environment you operate in.
This does not necessarily mean you need to pore over your risk registers every day, but rather make a concerted and formal effort to be aware of the changing ‘threat landscape’; you can do this through popular news sites (e.g. BBC, CNN etc), specialist news sites (e.g. SANS, Sophos Naked Security etc), blogs of people you know and trust, and of course Twitter, for instance. There are likely to be many examples, but each one of these sources is going to give you a constant stream of information that needs to be processed and reviewed in some way against your risk register. You may only make minor changes every month or so, or you may find more frequent changes dependent upon your environment, but either way you will be ensuring that your risk environment is fresh and up to date.
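To make the two points above concrete (that a treated risk still carries a residual score, and that a register goes stale or its accepted entries change meaning when an asset is revalued), here is a small risk register model. It is an added example, not code from the original post; the 1 to 4 scales, the multiplicative likelihood × asset value score, the acceptance threshold of 4 and the sample risks are all constructed assumptions rather than anything ISO 27005 prescribes.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta
from enum import Enum


class Treatment(Enum):
    """The four treatment options from the post."""
    MITIGATE = "mitigate"
    AVOID = "avoid"
    TRANSFER = "transfer"
    ACCEPT = "accept"


# Hypothetical tolerance: a residual score at or below this is "too small to worry about".
ACCEPTANCE_THRESHOLD = 4


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: int          # 1 (trivial) .. 4 (critical), constructed scale
    likelihood: int           # 1 (rare) .. 4 (likely), before any control
    treatment: Treatment
    residual_likelihood: int  # likelihood after the chosen treatment is applied
    assessed_on: date         # when this entry was last scored


def inherent_score(risk: Risk) -> int:
    """Score before treatment (constructed formula: likelihood x asset value)."""
    return risk.likelihood * risk.asset_value


def residual_score(risk: Risk) -> int:
    """Score after treatment. Note it is never zero: the risk still exists."""
    return risk.residual_likelihood * risk.asset_value


def is_tolerable(risk: Risk) -> bool:
    return residual_score(risk) <= ACCEPTANCE_THRESHOLD


def stale_entries(register: list, today: date, max_age_days: int = 365) -> list:
    """Names of entries not re-assessed within max_age_days (the yearly minimum)."""
    cutoff = today - timedelta(days=max_age_days)
    return [r.name for r in register if r.assessed_on < cutoff]


def revalue_asset(risk: Risk, new_asset_value: int, today: date) -> Risk:
    """Re-score an entry because the underlying asset became more (or less) important."""
    return replace(risk, asset_value=new_asset_value, assessed_on=today)


def review(register: list, today: date, max_age_days: int = 365) -> dict:
    """One pass over the register: what needs attention and why."""
    findings = {}
    stale = set(stale_entries(register, today, max_age_days))
    for r in register:
        reasons = []
        if r.name in stale:
            reasons.append("stale assessment")
        if not is_tolerable(r):
            reasons.append("residual %d above threshold %d" % (residual_score(r), ACCEPTANCE_THRESHOLD))
        if reasons:
            findings[r.name] = reasons
    return findings


# Constructed sample register: one mitigated risk (8 -> 4) and one accepted minor one.
LAPTOP_THEFT = Risk("Unencrypted laptop theft", asset_value=2, likelihood=4,
                    treatment=Treatment.MITIGATE, residual_likelihood=2,
                    assessed_on=date(2012, 1, 10))
TEST_SERVER = Risk("Internet-facing test server", asset_value=1, likelihood=3,
                   treatment=Treatment.ACCEPT, residual_likelihood=3,
                   assessed_on=date(2012, 6, 1))
REGISTER = [LAPTOP_THEFT, TEST_SERVER]


if __name__ == "__main__":
    today = date(2013, 2, 1)
    print("laptop:", inherent_score(LAPTOP_THEFT), "->", residual_score(LAPTOP_THEFT))
    print("review:", review(REGISTER, today))
    # The test server quietly becomes important; the accepted risk no longer is.
    promoted = revalue_asset(TEST_SERVER, new_asset_value=3, today=today)
    print("after revaluation:", review([LAPTOP_THEFT, promoted], today))
```

Running it shows the laptop risk dropping from 8 to 4 yet remaining on the register, the laptop entry flagged as stale once a year has passed, and the accepted test-server risk jumping to 9 the moment its asset value is revised, which is exactly the case the post warns about.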
Now that your risk register is up to date and managed well you can be assured that the information you have is accurate, timely and subsequently meaningful. What you do with that information however is even more important, and something that will be looked at in a later post. As always, your comments and questions are welcome.
(Artwork by Peter Spier from his book, RAIN.)
I can’t tell you the number of times I have sat on the other side of the table during a risk assessment or audit and not only been talked at by the auditor but also not even listened to. Unless what I or my colleagues are saying is a part of the accepted script the auditor expects to hear, it can often fall on deaf ears.
It doesn’t matter if what I am saying is germane to the topic in hand, explains in more technical detail, or even if it addresses a number of questions old or yet unasked, the auditor blindly continues, or even just appears to switch off. How can this lead to a successful audit or assessment? To some, an audit or assessment is a sequence of activities to be completed in a set order and a set pace, and that will never result in quality findings. Approaching an audit or risk assessment from a less mechanical perspective will often derive results in unexpected ways.
Simply listening will give you at least two things:
- More information. It may not always be immediately relevant, but at some point in the day it will help you form a larger and more complete picture.
- Unprepared auditees will sometimes talk themselves into trouble! Nerves can make people do very silly things, and letting people engage their mouths before their brains can lead to some startling insights.
When you combine the above points you can often find what I call the “over specific response” occurring. What this means is that people will also sometimes be very specific in their responses, for instance when asked if a particular procedure has been tested, the response “Yes, this procedure has been tested” gives rise to so many other questions such as “when, where, and by whom?”, and yet at a casual listening it is a very positive response. Listening to the exact response and unpicking the precise verbiage is vital.
Additionally, there is one other aspect of listening that should be observed; that is, carrying on listening even when the other person has stopped talking. Just as nature abhors a vacuum, human beings as social animals abhor a silence. Staying silent for longer than is comfortable (at least to them) very often produces more talking and more information than they originally intended. When I first presented this thought just over a year ago in a risk forum a member of the Metropolitan Police in the audience later asked me if I had ever had interrogation training, as this was exactly one of the approaches they used! I would certainly never suggest that an audit or assessment is an interrogation, but there is very much an art to getting the maximum amount of information out of someone trying to give you the absolute minimum.
One rule of thumb to take away in this instance is a quote I first read in The Leaders Workbook by Kai Roer (@kairoer):
Try to keep in mind that you have twice as many ears as you have mouth, implying you should spend more time listening than talking.
That’s a pretty good ratio for any risk assessment or audit I think.
I have had to change the theme on this blog again unfortunately because the last theme was not supporting mobile devices very well. Given how much I use my iPad in the normal course of the day to check up on other peoples blogs I realised this was going to be an issue. I sincerely hope this is going to be the last change for at least six months (when I will be unveiling a more coordinated approach to my blog, presentations and the like).
I hope you find the change easier on your iPad.
The good news for me this last week was that I eventually took the CISSP exam and passed. I was obviously pleased and relieved, and I am currently going through the endorsement process. Despite the drubbing the CISSP has taken as a certification over the last year or so, I have to admit that on the whole I was impressed with the depth and breadth of the subjects covered.
Of course the caveat to this is that I think this on the basis that the CISSP is an information security certification, not an IT security certification. There is plenty of content about fire extinguishers, foot candle illuminations of parking areas or even the legal constraints of transferring information outside of the EEA, all of which are important to my mind when taking into account the broader concepts of information security (especially when considering the Confidentiality, Integrity & Availability triangle). Much of the criticism I observed was around the relevance of topics like my previous three examples to IT security, to which I reply “It’s not”. There are sections that focus on these areas, but they quite rightfully don’t dominate the subject matter.
That said, there were areas that I thought were woefully under represented in the reference material that I used, for instance I disagreed with the definition of ISO 27001 versus ISO27002, their definition of an adequate security measure for WEP (hiding the SSID… really?) and other small points. I was however revising against the 2nd edition CBK which has now been updated to the third edition, so perhaps there have been updates in some of these areas.
The other area I struggled with was the relevance of some of the information required for the exam. The level of detail required in areas like security architecture for models that actually aren’t in use any more, or encryption techniques, or even the finalists in the competition to decide what encryption method to use in what ultimately became AES… over twenty years ago! None of this is going to be useful to me in my day to day job at all.
But again, overall it really made me think about my “craft” and I have found it beneficial. There was an element of me taking this exam as a box ticking exercise given my current role, but this was mainly because I came to infosec quite late in my career and there were questions being asked as to why I didn’t have this qualification. It made sense to get it done now and out of the way as it were, and add to my CISM and CGEIT (and MBCS CITP… at this rate my business cards are going to have to be very wide.)
The big question for me now though is what’s next? CRISC or the CIPP/E? Risk or Privacy?