Archive for September, 2010

Contemplating My Goals for Risk Management Education

Sunday, September 26th, 2010

As I am getting ready to teach the debut session of my new SANS MGT442 course this week, I have been thinking a lot about what my goal was for the course. It has been a long road to develop this course. I think that I first pitched the idea to SANS in June of 2009. Around that time I felt like risk management wasn’t getting nearly enough attention in the information security field, and so many professionals didn’t know the first thing about assessing risk. We had organizations running a Qualys scan and thinking that was a risk assessment, and security managers escalating every vulnerability to executive management like it was the end of the world. Now, over a year later, every security conference has tons of presentations with risk in the title at least, and risk has become almost as big of a buzzword as virtualization or cloud. I have even seen some great strides forward in the research and implementation of some really robust and advanced risk analysis models, but are we any better off than a year ago?

Every time I have to interview candidates for an open position, I am amazed how many have nothing more than the equivalent of a DeVry training in information security. They have a bunch of tools in their toolbox, and they know the so-called “best practices” for applying them. The problem is that they have no idea how to really analyze a situation and consider solutions outside the normal model. It’s like taking your car to the dealership these days: if the computer doesn’t say anything is wrong with the car, the mechanics have no idea how to troubleshoot the strange noise coming from under the hood. Security practitioners still follow a simple methodology: find vulnerability, patch vulnerability. They also have a long list of things that aren’t ever allowed, but ask them for a creative way to mitigate the risk without just saying no, and they are lost.

As I really think about my goals for this new two-day course on information security risk management, my number one goal has always been to educate the field about how to look at a problem, understand the real risks, and find a solution that meets the business needs while keeping the risk level in an acceptable range.

Since I have recently joined the Society of Information Risk Analysts, I have been exposed to some really fantastic work that will surely move our field towards the level of maturity and precision that we desperately need. But I look at the gaps in knowledge and skills in the field, and I know that the audience for my class just isn’t going to be ready to digest that depth on the first pass. First we need to help the profession to understand and develop basic risk models that can move their security programs out of the “village elder” type approach to risk predictions. If we can provide a strong foundation for dissecting a risk and building a security program around risk management, then it should be trivial to substitute in more precise analysis models later when you’re ready. In my experience, the organization has a hard enough time absorbing the basic concepts of residual risk and compensating controls; if you also throw in advanced concepts like the differences between likelihood and frequency, you will lose them completely. I have seen so many security programs try to take on too much too fast, only to see it rejected by the corporate culture. I have found more success setting out your long-term goal, which may include a sophisticated quantitative risk model, but keeping this vision to yourself. You need to slowly lead the organization towards that end, but in small bite-size chunks that they can digest. If you structure your risk program right, you will have all the foundational steps in place to keep raising the level of precision as the business finds the limitations in the simple models for themselves.

If by the end of this course, students come out understanding how to really break down a risk and how to recommend solutions that address the real exposure and not just the symptoms, I will consider the class a success. If they also understand how to implement an information security program based on these principles, then I know that our profession will be better for it. If done right, the security risk management program will be so integrated into the core business processes that the lines will start to blur between functions like security, business continuity, vendor management, and operations, to the point that security won’t feel like an island in the organization; it will just be embedded in every business decision.