Risks, Risks Go Away, Come Back Another Day

Risk management can be a tricky business, and this is coming from a fairly straightforward perspective with a simple view of risk management (which means even I can understand it!). To the lay person the purpose of risk management is to find the risks and then remove them from the organisation; otherwise, why bother?

The clue of course is in the word management. Many information security professionals already know that, once a risk has been identified, you can do one of four things with it:

  1. Mitigate (aka Manage; ISO 27005 calls this risk modification or reduction): implement a control or carry out an activity that reduces the likelihood or the impact of the risk.
  2. Avoid: stop doing the thing that gives rise to the risk.
  3. Transfer (or share): pass the risk to someone else, such as an insurer or a third-party vendor. Note that you can transfer the financial consequence, but not the accountability for the outcome.
  4. Accept: recognise that this risk is the price you pay for doing business in this area, and record that decision.

So let’s assume you have completed your risk assessment and applied at least one of these treatments to each risk. Does this mean you are done? Does this mean you have successfully removed all of the risks from your organisation? Unfortunately, not by a long chalk.

Risks are always going to be present in your organisation: there are the ones you know about (albeit reduced), the ones you think are too small to worry about, and finally the ones you have no idea about.

Take the risks you know about. Even though you have reduced them, even if they have gone from scoring 8 to 4 (in ISO 27005 parlance, where the Annex E example matrix adds asset value, threat likelihood and ease of exploitation to give a measure of risk from 0 to 8), they still exist. They can still happen, and worse, the day after you measured them your assumptions are technically out of date. And just to really make your day, a risk may have evolved into something your register entry no longer describes, leaving that entry invalid.

The smaller risks you deem to be at an acceptable level suffer in the same way. Again, in ISO 27005 parlance, the likelihood of something happening may change dramatically, or perhaps the ease of exploitation. Even worse, the asset value you are measuring your risks against may have changed, which has far-reaching effects on your register because every risk measured against that asset is re-scored at once. A project that was once of little importance to the organisation, or even a physical asset, may suddenly take on a more important role and therefore a greater asset value, and a risk you accepted at 4 can quietly climb out of the acceptable range without anyone touching the entry. All of this changes your risks and how they affect your organisation.
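As an added illustration (not code from the original post), the following Python models a small risk register on the additive scoring matrix from ISO/IEC 27005 Annex E, where the measure of risk (0 to 8) is the sum of asset value (0 to 4), threat likelihood (0 to 2) and ease of exploitation (0 to 2). The scales, the acceptance threshold of 4, the yearly review interval and every asset, risk and date in it are assumptions constructed for the example. It shows the two effects described above: revaluing one asset re-scores every risk that references it, flipping some from acceptable to needing treatment, and a simple date check surfaces entries that have gone stale.

```python
"""Toy risk register using the additive scoring matrix of ISO/IEC 27005 Annex E.

Added illustration, not code from the original post. Assumed scales:
asset value 0-4, threat likelihood 0-2, ease of exploitation 0-2, so each
risk scores 0-8 (the "8 to a 4" range the post refers to). All register
entries, asset values and dates below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta

ACCEPTANCE_THRESHOLD = 4               # assumed: a score above 4 needs treatment
REVIEW_INTERVAL = timedelta(days=365)  # the textbook minimum between formal reviews


@dataclass
class Risk:
    risk_id: str
    asset: str          # key into the asset-value table; several risks share one asset
    threat: str
    likelihood: int     # 0 = low, 1 = medium, 2 = high
    ease: int           # ease of exploitation: 0 = low, 1 = medium, 2 = high
    treatment: str      # mitigate, avoid, transfer or accept
    last_reviewed: date

    def __post_init__(self):
        if not (0 <= self.likelihood <= 2 and 0 <= self.ease <= 2):
            raise ValueError(f"{self.risk_id}: likelihood and ease must be 0..2")


def score(risk, asset_values):
    """Measure of risk = asset value + likelihood + ease of exploitation (0..8)."""
    value = asset_values[risk.asset]
    if not 0 <= value <= 4:
        raise ValueError(f"asset value for {risk.asset} must be 0..4")
    return value + risk.likelihood + risk.ease


def acceptable(risk, asset_values):
    """True when the risk sits at or below the (assumed) acceptance threshold."""
    return score(risk, asset_values) <= ACCEPTANCE_THRESHOLD


def revalue_asset(register, asset_values, asset, new_value):
    """Re-score every risk after one asset changes value.

    Returns the updated value table (the original is left untouched) and the
    ids of risks whose acceptability flipped, i.e. the far-reaching effect of
    a single asset revaluation on the whole register.
    """
    updated = {**asset_values, asset: new_value}
    flipped = [r.risk_id for r in register
               if acceptable(r, asset_values) != acceptable(r, updated)]
    return updated, flipped


def stale_entries(register, today):
    """Ids of risks not formally reviewed within REVIEW_INTERVAL of `today`."""
    return [r.risk_id for r in register
            if today - r.last_reviewed > REVIEW_INTERVAL]


# Constructed sample register: two assets, three risks.
ASSET_VALUES = {"hr-portal": 1, "payroll-db": 4}
REGISTER = [
    Risk("R1", "hr-portal", "SQL injection via public form", 1, 2, "accept", date(2011, 12, 1)),
    Risk("R2", "payroll-db", "privileged insider export", 0, 1, "mitigate", date(2012, 6, 1)),
    Risk("R3", "hr-portal", "DoS from malformed upload", 0, 0, "accept", date(2011, 6, 1)),
]
TODAY = date(2012, 12, 1)  # constructed review date


if __name__ == "__main__":
    for r in REGISTER:
        verdict = "acceptable" if acceptable(r, ASSET_VALUES) else "TREAT"
        print(r.risk_id, score(r, ASSET_VALUES), verdict)
    # The HR portal project becomes business-critical: asset value 1 -> 3.
    new_values, flipped = revalue_asset(REGISTER, ASSET_VALUES, "hr-portal", 3)
    print("no longer acceptable after revaluation:", flipped)    # ['R1']
    print("overdue for formal review:", stale_entries(REGISTER, TODAY))  # ['R1', 'R3']
```

Running it shows R1 scoring 4 and sitting comfortably inside the accepted range until the HR portal is revalued from 1 to 3, at which point it scores 6 and needs treatment even though nobody edited the R1 entry itself; the same run flags R1 and R3 as more than a year past their last review.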

Finally, the risks you weren’t even aware of. By their very nature there is not a lot you can do about these directly, except to follow the advice below, which applies to all three kinds of risk:

You should be clear on one thing: risk management is not a one-time activity. All of the textbooks and standards say that your risk register needs to be reviewed every year or after every major change. While I don’t disagree with this per se (and a formal yearly review is the absolute minimum), in reality the review needs to be much more frequent. Reviewing your risks needs to be an organic part of your day, to a greater or lesser degree depending on the type of environment you operate in.

This does not necessarily mean you need to pore over your risk register every day, but rather that you make a concerted and formal effort to stay aware of the changing ‘threat landscape’. You can do this through popular news sites (e.g. BBC, CNN), specialist news sites (e.g. SANS, Sophos Naked Security), blogs of people you know and trust, and of course Twitter. There are likely to be many other sources, but each of them gives you a constant stream of information that needs to be processed and reviewed in some way against your risk register. You may only make minor changes every month or so, or more frequent ones depending on your environment, but either way you will be keeping your view of your risk environment fresh and up to date.

Now that your risk register is up to date and well managed you can be reasonably confident that the information you have is accurate, timely and consequently meaningful. What you do with that information is even more important, and is something that will be looked at in a later post. As always, your comments and questions are welcome.

(Artwork by Peter Spier from his book, RAIN.)


10 Rules of Risk Management… In 10 Movie Quotes

I had an absolute blast last night presenting at the Acumin RANT forum (https://www.rantforum.com) on the topic of “10 Rules of Risk Management… In 10 Movie Quotes”. The premise was simple – people don’t remember rules or dull facts, but they do remember things that emotionally touch them in some way. Each quote and movie opened up a conversation on an aspect of risk management (although the term “rule” was a little inaccurate of course). Given it was the RANT forum, and I was competing for the attention of the audience against the allure of a free bar, there was plenty of opinion and discussion flowing around the room throughout. Hopefully a few of the points I was trying to make will have stuck as a result of quotes such as “You’re gonna need a bigger boat” or “I see dead people”.

I felt the audience engaged and participated throughout, with lots of very verbal agreement and disagreement, and it was exciting to be right at the centre of the maelstrom. If you have never been to a RANT before, just imagine one person being surrounded by a large number of people only a few feet away, with your back to the projector screen, no lectern to hide behind and no stage to stand on. It’s do or die, and a #Fail is never far from your thoughts!

Not everyone agreed with the points I was making of course, but that just generated further conversation. I had some excellent follow-up conversations with a number of people, including a great idea for my next presentation which I stated up front I might shamelessly steal – I think I got his agreement that doing so was OK! I had some very positive feedback afterwards as well, for which I am very appreciative; if you are reading this and want to provide more feedback, of either kind, then please do. Without wishing to sound too “new age”, feedback is a gift you can give someone that will allow them to grow and improve. Without it we continue to make mistakes and miss the opportunity to learn.

Gemma (from Acumin) and I tried something new this time as well, filming the presentation with two cameras. It will take me a few days to splice the footage together, but as soon as it is done I will have it posted here. I know some of those who attended were interested in both reviewing and sharing the footage, as well as the slides; these are below, along with a slideshow of the deck. I use Keynote for my presentations, so the PowerPoint conversion is never a true representation. If in doubt, use the PDF. Someone mentioned last night that they may want to link to the content here too. I have no objections to this; just credit me and don’t muck about with the content!

My thanks to Acumin for hosting the evening, and thank you to all of you who took part, especially the very lucky prize winners! (If you wanted a pen but didn’t get one let me know and I will do my best to send one to you).


Files for download:

PDF – 10 Rules of Risk Management

PPT – 10 Rules of Risk Management

Keynote – 10 Rules of Risk Management (native)

Movie from the evening – Coming Soon


“An Anatomy…” at the BCS

A short post to give the Wiltshire branch of the BCS a pointer to the slides from the presentation I gave last week on Tuesday 24th July in Swindon. It was an excellent evening, although I suspect the turnout was somewhat diminished by the weather!

The audience also included members of the IET, which brought a very interesting slant to the questions at the end. I have also exchanged a few views with folks over LinkedIn, and if you are still awaiting a response from me please bear with me!

The one thing that did however fail was the video recording of the talk; unfortunately it gave out halfway. I was going to edit the footage anyway and then perhaps link to an alternative recording of the same talk, but I have taken the decision not to, as it is a messy compromise to try and stitch two different talks together to get the entire content in one place. As a result I have decided to simply link to a previous recording, specifically the BSidesLondon one I gave in April.

So, thank you Geoff Hunt for having me along to speak to the Wiltshire branch of the BCS (where I am also a largely absent member of the committee!) and especially thank you to the folks in the audience for your interest and your questions. If any of you do happen to have any more questions, please don’t hesitate to ask them here, via email or Twitter. Any feedback is also of course very much welcomed.

The video can be found here, and the slides can be found here (note that the presentation is originally in Keynote format, so the PPT export may look slightly different).


An Anatomy of a Risk Assessment at BSidesLondon (Updated)

(Updated) The lovely people at @twistandshoutUK and @j4vv4d have very kindly sent me the recording of my presentation. I have inserted it below, just above the slideshow so you can follow along and pause the slideshow in time with the presentation!

Here are the slides from my presentation at today’s BSidesLondon. I will add the video of the presentation in a few days once I get a copy from the organisers and process it.

As always, comments are welcome; let me know if you loved it, hated it or were even perplexed by it. Every comment is a valuable piece of learning for me!


You can also find a downloadable version of the presentation directly here.


When Security Collides With Life

I will explore this in more detail in a later post or presentation, but I have just had a very engaging conversation regarding what we all lose when we think too much about security. My colleague was expounding the joy of sharing free wifi amongst his neighbours when of course I (in my role as the security chappy) immediately informed him of the number of cases of people being arrested because someone was downloading illegal content over their unsecured wifi connection (see http://bit.ly/yiy8QW as an example, albeit in the USA, although Google gives plenty of other examples), and confidently informed him that securing his wifi was the only sensible course of action.

His response was robust and convincing, and initially threw me off guard: “I would prefer to share my wifi amongst my community than to close it off against the tiny chance of it being abused”. He then summed it up in terms that really made sense to me: “I prefer to actively engage with these kinds of risks than to isolate myself from them and lose the multitude of benefits it brings me”. Initially I couldn’t accept this. Why on earth is someone willing to open themselves to these kinds of risks, where even the hint of wrongdoing can ruin a person’s life? Then I realized I deal with this in exactly the same way in my day job: risk acceptance.

Everybody’s attitude to risk is different. Indeed every company and every senior management team has a different attitude to risk, and the line drawn between an acceptable and an unacceptable risk is a moveable feast, even within the same organisation. My colleague’s attitude is that of a risk-happy organisation; mine is that of a risk-averse one.

And to think, I had never considered myself risk averse until today!