Risk Management: Do It Now, Do It Right

... AND TECH DECISIONS, TOO
Technology certainly plays a central role in IT security, but unfortunately as a community we've gotten a bit lost in the process.

"There is an awful lot of lazy thinking in IT security. We even have a whole doctrine to prove it: 'Throw more tech at it,'" says Craig Balding, a technical security team lead at a global Fortune 500 company. "We need to get a lot more imaginative and apply critical thinking to problem solving rather than a product or product group mentality to everything."

Looking back, it's hard to believe our heads weren't in the sand on many levels when it came to technology selection. As a brief recap, during the early days of mainframes we placed a great amount of faith in user names and passwords as adequate access control mechanisms. Strangely enough, we made the same assumptions when IPX and IP-based networks and client-server computing took hold.

We all learned a few hard lessons--including that user names and passwords wouldn't deliver us from all evil. This led to adoption of firewalls as the new access control savior. Once again we put our faith in a technology, and once again we were let down. We then spent some time in denial about operating system vulnerabilities. Enterprise IT teams and vendors alike ignored the obvious until worms, spyware, and stock OS exploitation made the issue unavoidable. Huge investments in vulnerability scanning and patch management ensued.

The journey continues. We invested hundreds of millions of dollars in intrusion-detection systems without a solid understanding of their relative effectiveness and total cost of ownership. The IDS craze led to reinvestments in intrusion-prevention systems that even today are only partially enabled, and PKI is still a bad word in many IT circles. There's no shortage of disappointments on other product fronts. Host-based IPS rollouts were painful. Everyone seems frustrated with the lack of antivirus innovation. Security event information managers are evolving but expensive, and IPS products and "endpoint security solutions" rarely live up to the hype.

Our favorite comment from infosec pros we talked to for this article? "Our vulnerability management system worked great for six months, then it flushed itself down the crapper."

Should we pack it in and declare that all security technology stinks? No, and as a community we have learned from our failures: User names and passwords are still used, but only the foolish rely on them as a sole control mechanism. Patching/updating processes are now built into all operating systems, and even ignoring the network access control hype, stock networking devices are growing more security-capable. And security in the commercial software quality-assurance process has improved, if only within a select few vendors.

Moving forward, we must continue to learn from our mistakes and adopt innovative strategies. For starters, keep an eye on the consolidation of product sets. As security functionality becomes a differentiation point for mainstream IT products, the question "Is this a product, or is it a feature?" should be consistently raised. Take full disk encryption, or FDE. With a dizzying number of data disclosures resulting from lost or stolen laptops, it's no wonder FDE efforts have been in full swing. While most organizations have invested in standalone FDE suites, options are starting to appear in mainstream IT products. Two examples: A number of Lenovo ThinkPad models now ship with an option that embeds FDE using the crypto-enabled Seagate Momentus hard drives, and an FDE option known as BitLocker is available in select versions of Windows Vista. Given this consolidation, smart organizations will press their suppliers for insight into what they have planned in terms of baking security functionality into infrastructure devices and end-user systems.

Evolution Of The CISO

As companies move toward strong risk management, the chief information security officer's authority and oversight role increase and hands-on tech responsibility shrinks

LOOK AHEAD
Technology and products will always play a role in security, but most efforts will benefit from a more balanced approach. Should the NAC craze take priority over the less-sexy task of making sure all backup media are encrypted? Will efforts to deploy network behavior anomaly detection be more fruitful in reducing the organization's risk profile than, say, ensuring that user provisioning and deprovisioning processes are rock solid? Might formulating a mobile device protection strategy be a better use of your time than chasing down the source of IDS- and IPS-generated events?

There's nothing inherently wrong with any of these technologies, but if you're not asking these questions you're likely to fall into the traps that have snared IT thus far. Looking ahead, all organizations must adopt more formal risk management processes. In fact, the role of a chief risk officer, or CRO, is already taking shape in more risk-aware organizations.

Other open questions: Which parts of information security might move under a CRO, and which parts will stay in IT? Are disaster recovery/business continuity and information security more closely related than we've previously treated them? We've started to see movement on these fronts, but the jury is still out on what will take hold, and when.

One thing is for sure: IT professionals will either evolve to become better risk managers, or someone else will step in and do it for us.

Greg Shipley is CTO of Neohapsis, an IT security and information risk management firm, and an InformationWeek contributor. Contact him at [email protected].

Albert Einstein photo: US Library of Congress, photo illustration by Viktor Koen

Continue to the sidebar:
CISOs Challenge The Conventional