This article can also be found in the Premium Editorial Download "Information Security magazine: Screen test: App-layer controls beef up perimeter firewalls."
Download it now to read this article plus other related content.
Critics and pundits frequently charge infosecurity with having the same level of scientific rigor as witch doctoring -- in other words, lacking governance.
Both witch doctoring and infosecurity have elaborate tradition and ritual intended to exorcise hostile forces, and both find it difficult to provide credible evidence that they're beneficial. Practitioners often make a good show of it, but you'll likely find a little man pulling levers and shouting into a microphone if you look behind the curtain.
A number of occupations considered more "mainstream" and "mature" approach risk in equally unproductive ways. Lawyers and accountants, for example, are preoccupied with preventing and recovering from undesirable events. While they've certainly had some success, they don't demonstrate a consistently methodical approach to risk management. Ask a contract lawyer to analyze a business agreement, or an accountant to look at a set of books, and you'll usually get an awkwardly long laundry list of things that could go wrong. What you won't get is a prioritization of these potential hazards in terms of likelihood, cost and overall business implication.
Practitioners in any specialty can easily categorize vulnerabilities and potential hazards, but few have been trained to understand and communicate the relative significance of specific bad outcomes in support of risk optimization. If infosecurity professionals practice voodoo, at least we're in respectable company.
Practitioners fall into two traps: those paralyzed by a lack of statistical information, and those who create absurdly precise numeric models. Mature risk management professionals base decisions on statistically valid historical data. But they also realize that many of the most important business decisions are unquantifiable. Making good choices requires an understanding of what has succeeded and failed in the past, and the courage to act.
The good news: Upper management views infosecurity as mandatory for corporate governance. Not only can a greater number of infosecurity positions be considered permanent, but the potential for career advancement is improving. Senior positions for risk management professionals are being created, making infosecurity a path to a C-level position.
The bad news: Increased governance is a lot like going on a date with a chaperone -- it tends to be less exciting. Executives aren't interested in subsidizing experiments with bleeding-edge security technology, so there will be a lot fewer implementations of pricey solutions. Instead, they want insightful risk reports written in appropriate business language. In turn, sophisticated process managers will supplant specialized technicians.
It's going to be hard to avoid this wave of change. Fortune 500s and government agencies have been the first to implement enterprise-wide risk management efforts, but even small firms can be affected by privacy legislation that forces them to better manage operational risk.
The realization that many organizations are now required to deal with infosecurity shouldn't go to our heads, because IT security risk is still insignificant compared to many other corporate risks. Hackers and infosecurity failures don't impact long-term stock prices and cause business failure; rogue traders and lousy products do.
This balanced awareness that we are neither superfluous nor supremely important is a necessary step in our evolution from a practice to a profession. Infosecurity has a unique role within the corporate governance program, but it's a role that can only be fulfilled by risk management professionals.
About the author:
Jay G. Heiser, CISSP, is a London-based security analyst with TruSecure Corp.
This was first published in March 2004