Where executives see no clear or immediate need to address IT vulnerabilities, risk management techniques are an effective way for security managers to make the case upward to the executive level, says risk management specialist Gary Gaskell.
A former defence contractor and security professional in the finance sector, Gaskell presented twin tutorials on basic and advanced information security risk assessments at AusCERT2013.
Gaskell says that high-profile hacks such as Sony's 2011 PlayStation Network incident have brought the issues of corporate liability and brand damage to the attention of executives. Those realities are often poorly explained in internal risk assessments, because security professionals struggle to translate technical risk into the language of the business.
Gaskell gives the severity ratings in penetration test reports as one example of how a technical statement of risk can be misconstrued by executives.
A pen tester might rate a vulnerability as 'high' or 'extremely high', "but of course the managing director reads it and goes, 'I'm still alive today even though they said it was an extreme risk yesterday'," Gaskell says.
“A security manager has to make their CEO think, 'This is common sense' and 'The sky hasn’t fallen, but it would be a good idea to manage these risks'.”
Gaskell believes that understanding the executive mindset on risk is the key to communicating the cost of inaction, however unlikely a given scenario may be. He sees "people in all walks of life" who have a black-and-white view of risk: “If it's not a likely risk, it's in the unlikely category". Sometimes they're prepared to "gamble" on that basis.
Writing for your audience
Part of Gaskell's first tutorial focused on writing risk assessments "for the right audience”.
“So if security people send up a network security risk assessment to the CFO, the CFO’s eyes will just glaze over. Hence the decision maker for the business case for your security program doesn’t buy in as you’re talking your native language rather than the native language of the decision maker."
Gaskell advocates a multi-layered approach to creating risk assessments. "I typically recommend people have three layers of risk assessment: detailed technology on projects and systems; wrapping it up into a whole-of-IT level stuff; and then an executive-level business risk assessment," he says.
"So for example you've got a risk register managing network security-related risks, then you have one [assessment] at a CIO or IT manager level, and then one for the GM of operations essentially. You communicate at different levels."
He recommends that security pros think of the executive-level assessment as an "elevator pitch".
Gaskell also recommends using the ISO 31000 risk management standard to guide assessments and to ensure "that you have a reasonable spread of your controls to protect the whole environment".
Depending on the industry, Gaskell says formal threat assessments can also be a useful input to an internal risk assessment.
Gaskell ultimately sees risk management as a way to "put some discipline behind security management so it's not just a dark art".
“Risk management techniques are a good way to balance up the pros and cons of hundreds of controls to achieve a reasonable outcome.
"To obtain a clear and consistent view of a sound control environment, the best practice approach to the design of the security program uses risk management techniques. Risk management can ensure that no weak links in the (security) chain are overlooked.”