Published: 04 Jan 2008
Information Security celebrates its 10th anniversary with a new theory on risk management for the next decade.
It was a blast putting this issue together because it gave all of us a chance to reconnect, or connect for the first time in some instances, with the pillars of this industry. We're fortunate to have access to these people that many in our readership don't enjoy, and it's our job to foster those relationships and share their insight, advice and leadership with you.
So in homage to that spirit, I bring you a new direction and some food for thought as we begin the next 10 years of our existence.
At our Information Security Decisions conference in November, one of our Security 7 award winners, Tim McKnight, suggested we might change the name of the show to Information Risk Decisions because managing and prioritizing spending and security programs based on risk is essentially the only way that makes sense.
Well, luminary Donn Parker, one of the first to research cybercrime, begs to differ. I interviewed Donn for this issue (download the complete interview at searchsecurity.com/10thanniversary) and he's not buying the current groundswell of interest in risk management. He said so in an ISSA Journal article last year, and reiterated it to me a few weeks ago.
"Reducing risk is a very weak objective for information security, because it is not measurable," Parker says. "How can you have risk management--which is an oxymoron--work, if you cannot measure the risk in any valid way? I think it's important to recognize that nobody has ever publicly done a study showing the validity of risk assessment and risk management."
Parker says he's getting support on his theory because CISOs are starting to discover that risk management is a failed methodology. Rather than selling risk to upper management for project approval and spending, he suggests CISOs have other critical objectives for security than merely risk reduction, namely: compliance, diligence and enablement.
Compliance is a straightforward exercise, Parker says. Fines and the threat of imprisonment make compliance a no-brainer objective for security and management.
Diligence, or benchmarking your organization against that of a successful security operation, is a powerful tool to wield with management in order to motivate them to take action. These benchmark tests, Parker says, can be done in confidence with a peer CISO in order to establish a baseline of security success against which your organization is compared. "If you want to make sure you are doing at least as well as your competitors are doing in security, here is a list of things you must improve," Parker says.
Finally, enablement happens when security is the competitive differentiator between two services.
Parker believes CISOs would open a wider pipeline to the top by basing their programs on these three objectives.
"I think that it is difficult to use risk reduction in selling security to top management, because top management is used to dealing with business risks every day," Parker says. "They look at risk assessments provided by CISOs and say 'OK, we've got risks, but we've got risk every day. We'll just let that risk lie there. We have more serious business risks to deal with.'"
Is that happening in your organization? Do you think it is time to reconsider risk? Donn Parker says so, and that's a pretty big endorsement. I wonder whether, when it comes time for Information Security's 20th anniversary issue, we'll look back at his thinking as an inflection point for the coming decade.