Risky Business: Understand Your Assets and Align Security With the Business

For years I wondered why business groups would move forward with technology initiatives before fully understanding their risk exposure. Focused on the business outcome, teams always wanted to implement first and figure out the risks later. 

Problem is, risks are intrinsic to business outcomes. A solution is only as valuable as the information flowing through it. Compromise the information, bring down the solution, and the business outcome cannot be realized.   

Too often this dawns on the business after implementation, when risk treatment options are limited. Often the only choice is to put a wrapper around the solution, a compensating mitigation with a tendency to make users less happy and the technology less appealing — which also diminishes the desired outcome.

Align security and risk with the business

Once you dive into the trenches with business groups, it’s much easier to understand why this is such a challenge, since you’re representing initiatives that are potentially hugely valuable to the company. But there doesn’t have to be so much friction in the process. 

By working closely with business groups to do a thorough risk analysis, we’re not only doing the due diligence required by regulatory and industry associations — we can also teach business pros how to understand risk and the different avenues for dealing with it. 

Understand your assets

First it’s important to understand the value of the information and the technology in terms of its impact to the business. Business groups need to understand not only what their assets are, but also how the security team classifies those assets in terms of business impact. 

For sensitive information, the military uses four categories: Top Secret, Secret, Confidential, and Unclassified. They describe the consequences of unintended release of Top Secret information with one word: grave. 

A similar model applies in the corporate world. Most companies use a three-tiered classification of high, medium or low business impact. And in terms of high-impact business data, I would argue that the term grave still applies.

Whatever system you use, once you’ve classified your assets and determined the level of risk involved, you’re in a better position to decide which risk treatment options and timeframes make sense within the context of the business, its size and its industry.

For some systems, the necessary treatments are already defined by regulatory or industry requirements. To process credit cards, for example, companies must comply with PCI requirements or face higher processing costs or even the suspension of processing altogether. 

But for other systems it’s not so cut and dried, and risk mitigation strategies will lean heavily on the organization’s appetite for risk, as well as its ability to mitigate. There are generally four treatment options, and mature companies typically end up using all of them:

Avoidance

For business leaders, the least obvious option is probably just avoiding the risk altogether. But when the security team is proactive and doing risk analysis with the business up front, you’ll be surprised at how many decision-makers end up avoiding the risk by scrapping the initiative. They see that even though it provides a sizable financial benefit, it simply opens the business up to too much exposure. 

Sometimes it’s ok to not implement the technology. Being smart about when to avoid risk is actually great for everyone, because you end up eliminating controls that are difficult to maintain. 

Transfer

The same thing could be said about risk transfer. Risk transfer can involve non-technology solutions, such as buying an insurance policy to help compensate the business in the event of an exploit or other compromise to the system. It can also involve contracts that literally transfer the risk to another party. 

Technology-based risk transfer options include moving to a cloud provider with the resources to centralize security controls and attain certifications most companies can’t afford. There’s also the option to outsource controls like a WAF, instead of trying to build them on your own. For some companies, this type of risk transfer may become a primary mitigation strategy. 

Acceptance

And then there’s risk acceptance, which may actually be the most important tool that exists for security. This is when you go to an officer of the company, educate her on the risk in question, and ask her to accept it and document the acceptance. 

Here the documentation is critical. The CISO and the business owner are mutually agreeing on the acceptance of a risk and the company’s plan for dealing with it. This then becomes the codification in the organization of the risk being accepted and how that risk will be managed. 

And again, you’d be shocked at how many people decide to go from risk acceptance to risk avoidance. 

Mitigation

Of course, there will always be mitigation, and that’s really about controls. If you’re doing things right and the security team is brought in at the beginning, you minimize the need to bolt on compensating controls later. This results in a much stronger system.

But mitigation isn’t the only game in town, and business owners don’t always understand these additional options — because they’re not being taught. The solution is to work with them to understand the value of the assets and what the risk treatment options are, then build a risk treatment plan that truly reflects your priorities, risk tolerance and resources. 

Working closely with business groups throughout the process of due diligence and due care not only fulfills the CISO’s responsibilities, it also creates more security-savvy business groups who understand how to use their risk treatment toolkit more strategically. 

Preston Hogue is Sr. Director of Security Marketing at F5 Networks and serves as a worldwide security evangelist for the company. Previously, he was a Security Product Manager at F5, specializing in network security Governance, Risk, and Compliance (GRC). He joined F5 in 2010 as a Security Architect and was responsible for designing F5’s current Information Security Management System. Preston has a proven track record building out Information Security Management Systems with Security Service Oriented Architectures (SSOA), enabling enhanced integration, automation, and simplified management. Before joining F5, he was Director of Information Security at social media provider Demand Media, where he built out the information security team. Preston’s career began 18 years ago when he served as a security analyst performing operational security (OPSEC) audits for the U.S. Air Force. He currently holds CISSP, CISA, CISM, and CRISC security and professional certifications.