Saturday, June 27, 2009
Enterprise Architecture: Risk is a four letter word
I bet the CISSP and PMI crowd will churn on this blog post. Anyway, here are ten things to consider...
1. security risk is quite different than business risk that consists of forecasting of investing resources to produce a profit. It also has no relationship to IT risk that forecasts probabilities that new enterprisey product you purchased and would like to implement using Indian outsourcing will be financially successful (we know that technical success is mediocre at best when outsourcing).
2. Security risk management has never been demonstrated to be valid. No study has ever been published to demonstrate the validity of information security risk assessment, measurement, and control based on real experience.
3. With rapidly expanding regulations, risk is transforming from risk of rare incidents to risks of failure to meet the regulatory requirements and the impacts of penalties that might ensue.
4. Top management underfunds, undersupports and underrepresents information security is because information security is represented to management as being based on intangible risk reduction that is easily refuted or ignored. Risk reduction is a weak justification for security.
5. Information Security Practitioners should show that they are following industry-wide best practices for processes, controls and monitoring. Constant education and networking will be required to maintain this state. If the vast majority of modern attacks are all about web application security, how can so many IT security departments not even have a clue about OWASP nor even send at least one of their members for representation purposes?
6. Ask a CISSP how they would have calculated risk of a terrorist attack on September 10th or whether an airline should have purchased secure cockpit doors. They did exist, why didn't airlines own them? Was it because of risk?
7. Security isn't hard. It is actually easy. Is there more risk when you apply your CMMI level 13 antiprocess layered on top and it only takes someone with kindergarten competence ten minutes to break in. I once hacked into a bank with an Abacus while riding a skateboard backwards in a snowstorm. This isn't ridiculous. Your focus on process is. Process is not a substitute for competence.
8. Why is security something treated as a black art. It isn't special, it simply requires about ten minutes more time than the average IT executive spends in order to understand. It has to become part of your job. No processes, no checklists, etc. Kinda like using toilet paper after you create another sticky idea. There is lots of risk if you don't think about it this way.
9. Are you annoyed with security professionals who pontificate with humorless monotone legalistic rambling that no one understands? How can other understand risk if they don't even understand what you are saying? Who cares if security is aligned with the business, how about security folks learning to communicate like other humans? Throw out all those policies that no one reads nor understands.
10. July 4th 2009 is when I not only declare that I will be retiring from the blogosphere but will also declare that security will become irrelevant. The bad guys are winning and the good guys just don't have a long enough attention span to win. I am taking my ball and going home.
I am off to the races to be the first to hack into a major corporations mainframe with a butterknife and some twine. I wonder if I twitter it, will someone hire me as their next CTO as your enterprise is doomed unless you realize that risk is nothing more than a four-letter word for perception management. To mitigate risk you have to focus on reality and the best way to do so is to keep it real...
| | View blog reactions1. security risk is quite different than business risk that consists of forecasting of investing resources to produce a profit. It also has no relationship to IT risk that forecasts probabilities that new enterprisey product you purchased and would like to implement using Indian outsourcing will be financially successful (we know that technical success is mediocre at best when outsourcing).
2. Security risk management has never been demonstrated to be valid. No study has ever been published to demonstrate the validity of information security risk assessment, measurement, and control based on real experience.
3. With rapidly expanding regulations, risk is transforming from risk of rare incidents to risks of failure to meet the regulatory requirements and the impacts of penalties that might ensue.
4. Top management underfunds, undersupports and underrepresents information security is because information security is represented to management as being based on intangible risk reduction that is easily refuted or ignored. Risk reduction is a weak justification for security.
5. Information Security Practitioners should show that they are following industry-wide best practices for processes, controls and monitoring. Constant education and networking will be required to maintain this state. If the vast majority of modern attacks are all about web application security, how can so many IT security departments not even have a clue about OWASP nor even send at least one of their members for representation purposes?
6. Ask a CISSP how they would have calculated risk of a terrorist attack on September 10th or whether an airline should have purchased secure cockpit doors. They did exist, why didn't airlines own them? Was it because of risk?
7. Security isn't hard. It is actually easy. Is there more risk when you apply your CMMI level 13 antiprocess layered on top and it only takes someone with kindergarten competence ten minutes to break in. I once hacked into a bank with an Abacus while riding a skateboard backwards in a snowstorm. This isn't ridiculous. Your focus on process is. Process is not a substitute for competence.
8. Why is security something treated as a black art. It isn't special, it simply requires about ten minutes more time than the average IT executive spends in order to understand. It has to become part of your job. No processes, no checklists, etc. Kinda like using toilet paper after you create another sticky idea. There is lots of risk if you don't think about it this way.
9. Are you annoyed with security professionals who pontificate with humorless monotone legalistic rambling that no one understands? How can other understand risk if they don't even understand what you are saying? Who cares if security is aligned with the business, how about security folks learning to communicate like other humans? Throw out all those policies that no one reads nor understands.
10. July 4th 2009 is when I not only declare that I will be retiring from the blogosphere but will also declare that security will become irrelevant. The bad guys are winning and the good guys just don't have a long enough attention span to win. I am taking my ball and going home.
I am off to the races to be the first to hack into a major corporations mainframe with a butterknife and some twine. I wonder if I twitter it, will someone hire me as their next CTO as your enterprise is doomed unless you realize that risk is nothing more than a four-letter word for perception management. To mitigate risk you have to focus on reality and the best way to do so is to keep it real...