To manage risk, you have to first define it. What stuns me is how often security professionals that have been in this field 5, 10 or even 15 years are so lost in the technical weeds they forget (or never truly learned) the fundamentals of what we do. So, just to recap for those of us who have forgotten (and those who are new to the field), here are the five key tenets of cyber security.
- Mission: I hate to break it to many security professionals out there, but your organization does not exist to be secure, it exists to get things done. Our job in cyber security is to support the mission of the organization, and that means manage risk to an acceptable level. That means your job is not to achieve perfect security, your job is to achieve "good enough" (I'm channeling my inner Marcus Ranum here). That also means getting hacked is okay. The goal is resilience, the ability to quickly identify and minimize the impact of an incident so your organization can continue its mission.
- Manage: Amateurs mitigate risk, professionals manage risk. If you are confused by the difference, you need to read some of Bruce Schneier's books. There are three ways to manage risk: you mitigate it, you accept it or you transfer it. If you focus only on mitigating risk, you are falling into one of the most common mistakes security professional make. Every security control has a cost, and sometimes that cost is far more then the risk we reduce (changing passwords every 90 days anyone?). Whenever you look at mitigating risk, you also have to calculate what the cost is to the organization. That is why organizations may decide to accept the risk or transfer it instead of trying to mitigate it. Still confused? Remember Tenet #1, your job is to support the organization's mission.
- Risk: If our job is to help organizations manage risk, you would think people could define it. Many can't. Some industries have managed risk for literally thousands of years, we are not the first to deal with it. At it's core, risk is the likelihood of an incident times the harm of that incident. For our world in cyber security, likelihood is made up of Threats and Vulnerabilities. The more threats you have, the more motivated they are, and/or the more skilled/resources they have, the more likely you will have an incident. The more vulnerabilities you have, the more likely you will have an incident. Confusing the two terms? Keep it simple, threats exploit vulnerabilities. By reducing any one of these three variables, you reduce risk.
- Decision: Remember our job is to support the organization's mission. That means when dealing with a cyber security challenge, you may not be the one to make a decision. Instead you may find yourself explaining the risk to leadership, the different options to manage that risk, and they make the decision. Remember, cyber security is not a technical issue, it is ultimately a business issue.
- The Big Three: Managing risk is based on three core areas: Technology, Process and People. I can't believe how many strategic security presentations, workshops, books and articles I have read that started with this and yet, far too many organizations focus on just technology. Want to know why your systems weren't patched? Failure in processes. Insecure code in a web application? Poor SDLC processes. Infected systems and lost devices? Lack of training of people. We have hit the point of diminishing returns with Technology but continue to fail in the Process and People side.
As you progress through your career you will often be challenged with unique situations and have to make tough decisions. When in doubt on what is the best course of action, always come back to what your ultimate goal is and start from there. To learn more about managing human risk, check out these upcoming MGT433 courses, webcasts and the Security Awareness Summit.