I recently had the pleasure of attending a CISO summit in Los Angeles and was surprised and pleased by the sense of community among the 30 or so CISOs in attendance. However, one of the six presentations given that day was particularly compelling. The speaker challenged the audience to come up with an answer to the question in the title (of this blog) and as I sat in the audience, a number of items crossed my mind – employee perpetrated fraud, natural disasters, and a whole host of other possibilities. His answer was (drum roll please) the “misperception of risk.” Now I had to think about that for a minute or two but by the end I was a believer.
Visualize a risk-belief spectrum with “exaggerated” far to the right and “underestimated” far to the left with space for various degrees in between. Given the fear uncertainty and doubt espoused by vendors and the top-down board of director reactions to newspaper headlines, this began to make sense to me – especially when felt as pressure on the CISO from the CIO or CEO to make IT a business enabler. In most cases the exaggerated risks get all the money and resources and the underestimated get zip.
Now I’m not going to say that I know where these things lay on your personal risk spectrum (you can classify them yourself), but below are just a few examples of the items that may need classification in the exaggerated to underestimated spectrum.
Quiet Malicious Code – Attackers do not want to kill the golden goose. The attacker wants to harvest information from an application or server for as long as possible. If it doesn’t ‘make noise’ the CISO has a lot of work to convince people that there’s a problem to throw resources at.
The Denial of Service attack (against the other guy) — we usually breathe a sigh of relief when this happens to someone else – but should we? How do we convince someone that this is a problem for us when it happened to someone else? There’s a saying I saw once in a bar that is particularly appropriate here, “We cheat the other guy and pass the savings on to you.” Meaning sooner or later, you’re that other guy.
Employees – Hey, the business would be great if we didn’t have all these people getting viruses, infecting each other, and stealing from us. Throwing resources at this problem means admitting that we actually have a problem. Getting someone to admit there’s a problem is the hardest in that 12-step IT risk recovery program.
Social Networks – The presenter told a story of how some proprietary information got out of the business via a business forum set up by it’s employees. The knee-jerk reaction from the CEO was to shut it down. But really, won’t these folks simply find someplace less (or more) visible to voice their opinions? Don’t we really want to at least be able to see/know what’s going on or what they are talking about?
The next question was, “What’s the mitigation strategy for the misperception of risk? The CISO speaker’s strategy is Objectivity, Influence, and Agility. He proceeded to outline a simple four-step process he goes through where objectivity is maintained throughout and any architecture changes to technology, people, or processes are agile by design.
- Prediction – Identify the objectives of attacks and methods
- Persistence – What ever action is taken we must have the means (money / people) to sustain the action over time. If we’re not going to get the resources maybe we don’t want to start.
- Patience – If were not going to fix it the first time, be watchful for an opportunity to arise again.
- Preparedness – We want to be able to have a built-in rapid response to an issue. I’ll add here the ‘broken window theory’, if we don’t respond quickly to the first broken window people think its OK to break another and another. If we fix the first one fast, we send a different psychological message.
With the average life span of the CSO or CISO in an organization to be around two years, I found this to be practical advise for a position constantly under pressure.