
Tenable Blog


The Security Model is Broken, Part 2: The Risk Assumption Process

In February of this year, I published an article in SC Magazine called The Security Model is Broken. Because every organization is susceptible to a breach, we must rethink our security models and implement better preventive measures. That first article outlined some of the technologies and controls that enterprises should use to strengthen their security postures. In today's article, I will explain how an organization's risk assessment model should be updated to assure that the appropriate people are assuming risk and making the right decisions.

Risk based security model background

Today, it is a generally accepted practice to justify and/or make decisions on security safeguards based on a risk assessment. But all too often, the risk-based security or risk assessment process commonly practiced by enterprises is flawed and misused to justify doing nothing or to delay the implementation of necessary security safeguards. Basically, the risk assessment process involves evaluating probable threats, their likelihood and impact, against the cost of the security controls that would mitigate those threats. Risk assessment is usually performed by the security unit, and the business unit or someone in management then makes the decision either to implement the security safeguard that mitigates the risk, or to assume the risk.

The underlying challenge is to ensure that whoever makes the decision to assume the risk has the proper purview and span of organizational control to assume all the inherent security risks—including reputational risks—associated with the decision.

How the risk security model is broken

Many CISOs or security units believe their job is done once they have presented the results of their risk assessment to management and management has assumed the risk, even if they disagree with management's decision. Many, if not most, enterprises have no formal risk assumption model to identify who can assume enterprise-level risk, and no escalation procedures for when a disagreement occurs.

Also, many decisions are made by the wrong people for the wrong reasons. Most business units do not have the subject matter expertise to make decisions about security risks, and they do not appreciate the dynamic and changing landscape of cyber threats and the IT environment. Additionally, business people have conflicting goals, such as expense, income or project deadline pressures. These different drivers can—and many times do—cloud their judgment.

Finally, security assessments or risk-based security practices are often used to justify doing nothing. Many enterprises use an ROI (return on investment) risk assessment methodology. There is no ROI in security safeguards unless you are replacing or consolidating technologies; the decision is a judgment call about risk mitigation or avoidance. Cybersecurity, like safety measures on airplanes, is a cost of doing business, period!

What needs to be done

Enterprises need a formal risk assumption model that clearly states who can assume security risks and which types of risks they can assume—similar to the approach that CFOs use to delegate obligatory financial authority for the enterprise. Just as important, the risk security model must delegate to the CISO arbitration powers over business risk assumption decisions. Such a documented approach enables the CISO to act as an honest broker, escalating security risk assumption decisions with unfettered access to senior management, including the CEO and, if need be, the board of directors.

In my next article, I'll address transparency, why we need it and why we don't have it now.
