As we in IT security scramble to put more and better controls in place to combat a changing array of cyber threats, we as an industry are facing an interesting dilemma: How do we assess the usefulness and value of all the controls we have deployed over the years and continue to have in place?
After all, as I talk to people across the cyber security industry, I almost never encounter anyone who can tell me a story about having turned off a security control once they turned it on. Yet, with the changing threat landscape, we clearly need to be adding new security technologies and processes to our already substantial arsenal.
It’s a bit like the continual proliferation of electronic devices that find their way into our lives these days. If you’re like me, you just keep adding new gadgets to plug into your home’s electric circuits until the system is facing overload. Or, to conjure a more expansive image, the layer upon layer of cyber security controls that we keep adding looms like the growing trail of space junk that continues to orbit the Earth. What goes up never seems to come down. Pun intended!
It is a concern that cyber security industry professionals have become increasingly aware of over the past several years. Are we going to just keep increasing and increasing our controls perpetually or do we have a way to analyze the usefulness and value of our controls and make changes accordingly?
While that sounds like a simple problem, it is NOT, because we are not dealing with straight return on investment (ROI) here. In the business world, we determine value and make a lot of investments based on ROI: if I spend X, then I can expect a return of Y over a certain amount of time.
Assessing Controls Is Complicated
But with cyber security and risk mitigation, we’re dealing with something that may or may not happen. I can try to predict an occurrence with some degree of certainty, but often I cannot get to a quantifiable number for the damage that would occur, either from a cost perspective or from a brand or reputation perspective, if it did happen. So arriving at an ROI for security controls is very difficult.
Complicating the assessment challenge is the fact that you are not evaluating a single security control in a vacuum. Controls are layered on top of one another to achieve defense in depth. So some of my controls are there to protect, some to deter, and some to detect. Still others let me speed up my response time if I see something that concerns me. And they could all be focused on the same threat and the same risk. As our controls and processes mount, the complexity continues to compound.
From talking to people, it seems that we have all of the data needed to support a solution; perhaps we’re just not using it very well, or we are trying to solve too complex a problem. For example, most of us have a good idea what the threats are. Many of us understand where the vulnerabilities are in our systems and networks. It seems like we should be able to make simple calculations to produce some sort of control evaluation. But there are too many changing variables within the multiple layers of control.
Defining Risk Basics
We at EMC’s Global Security Organization believe the challenge of evaluating and better managing security controls can be solved by breaking the problem down into simpler statements. We started by bringing all that data—findings, exceptions and vulnerabilities—together in a single governance, risk and compliance (GRC) platform; we are using RSA’s Archer GRC solution.
We then decided to create a fairly static set of variables to map everything back to. We chose to base our framework on ten basic risks, combining the different types of data—intellectual property, customer data, private data, and regulated data—with the industry-accepted goals of confidentiality, integrity, and availability. Using these risks as anchoring points, we can tie our findings, vulnerabilities, exceptions and controls back to one or more of them, giving us a consistent reference point for evaluating controls. When we combine this framework with a corporate-level enterprise risk framework, we can map our IT risks back to specific operational risks for the company and to regulatory risk.
One struggle in this process is how to articulate IT security risks in business terms. If I meet with a business executive and tell them that I’m concerned about a cross-site scripting vulnerability on a particular server in my DMZ, they’re probably not going to understand what that could possibly mean. But if I can tie that vulnerability back to a particular server and say that a risk to the confidentiality of the data could result in compromising the privacy of an employee and subject us to fines or regulatory scrutiny, I’ve now put it in language business users can relate to. While our security organization has done this to an extent, we have tended to do it on a case-by-case basis, rather than having a system that will auto-generate this and put figures and metrics behind it.
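The risk-anchor mapping described above, as an added illustration that is not EMC’s code or part of the Archer platform: findings and controls are tagged with data-type/goal anchors, coverage per anchor is reported by control function (protect, deter, detect, respond), and a finding is restated in business terms. It assumes the full 4x3 grid of anchors (the post settles on ten), and all sample data is constructed.

```python
from dataclasses import dataclass
from itertools import product

# Risk anchors: data type x security goal. Assumption: the full 4x3 grid (12 anchors)
# is used here; the post consolidates these into ten basic risks.
DATA_TYPES = ("intellectual property", "customer data", "private data", "regulated data")
GOALS = ("confidentiality", "integrity", "availability")
RISK_ANCHORS = frozenset(f"{d}:{g}" for d, g in product(DATA_TYPES, GOALS))
CONTROL_FUNCTIONS = ("protect", "deter", "detect", "respond")

@dataclass(frozen=True)
class Finding:            # a vulnerability, audit finding or exception
    ident: str
    asset: str
    summary: str
    anchors: frozenset    # risk anchors it is tied back to

@dataclass(frozen=True)
class Control:
    ident: str
    function: str         # one of CONTROL_FUNCTIONS
    anchors: frozenset

def validate(items):
    """Reject any item tagged with a risk outside the fixed anchor set."""
    for item in items:
        unknown = item.anchors - RISK_ANCHORS
        if unknown:
            raise ValueError(f"{item.ident}: unknown risk anchors {sorted(unknown)}")

def coverage(findings, controls):
    """Per risk anchor: open findings, control functions present, and missing functions."""
    validate(findings)
    validate(controls)
    report = {}
    for anchor in sorted(RISK_ANCHORS):
        open_items = [f.ident for f in findings if anchor in f.anchors]
        present = {c.function for c in controls if anchor in c.anchors}
        if open_items or present:   # only anchors that have anything mapped to them
            report[anchor] = {"findings": open_items,
                              "functions": sorted(present),
                              "missing": [fn for fn in CONTROL_FUNCTIONS if fn not in present]}
    return report

def business_statement(finding, anchor):
    """Restate a technical finding against its risk anchor in business terms."""
    data_type, goal = anchor.split(":")
    return f"{finding.summary} on {finding.asset} ({finding.ident}) threatens the {goal} of {data_type}."

# Constructed sample data (hypothetical asset name and control names)
FINDINGS = [Finding("VULN-1", "dmz-web-01", "cross-site scripting", frozenset({"private data:confidentiality"}))]
CONTROLS = [Control("WAF", "protect", frozenset({"private data:confidentiality", "customer data:confidentiality"})),
            Control("log review", "detect", frozenset({"private data:confidentiality"}))]
```

Running `coverage(FINDINGS, CONTROLS)` shows which anchors carry open findings without a deter or respond control, which is the kind of gap the layered-controls discussion above is about.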
So we don’t have it all figured out yet. There’s no single set of risks that works across every company and every industry. We think the ones we are using are pretty generic, but the point is that everybody needs to be able to do this at a minimum.
Our ultimate goal is to optimize our investment in information security controls to make sure we are spending our money on the right things that provide value to the company. And by doing that, we can increase our security effectiveness and perhaps reduce the “space junk” in our security control system.
Through collaboration as a community we can develop a better understanding of why we do what we do in the realm of security and how to do it better. So in closing—what is your organization doing to optimize information security controls?