Design Risk Management Plans to Fail: Bank Security Expert

Operational Risk Assessments: Not Glamorous, But Indispensable

PUNTA CANA – KASPERSKY LAB SECURITY ANALYST SUMMIT – It may not be the most glamorous security role, but when it comes to operational risk assessment, someone has got to do it.

In a room filled with some of information security’s rock stars, and at a conference where speakers describe exotic attacks and demonstrate sophisticated proofs of concept, the theme of operational risk assessment and management feels out of place. But Steve Adegbite, senior vice-president in charge of enterprise information security program oversight and strategy at Wells Fargo, makes a case for the importance of risk assessment in organizations, especially online banking.

A key part of risk assessment depends on the organization knowing what types of information it holds, understanding how and why it is being used, identifying who would consider it valuable, and determining the threats to the integrity of the data. But that is just the beginning. Adegbite said companies need to understand that zero-day vulnerabilities are inevitable in software development as we don’t live in a world of perfect code. This means security defenses, no matter how robust and thorough, will eventually fail.

As a result, a risk model is a key component of any security practice, Adegbite said.

Banks are increasingly adopting a risk mentality more commonly associated with Wall Street traders, Adebite said. When it comes to risk, it’s all about cost—mainly how much money the organization is willing to lose before it becomes too expensive, as that is the point when security investment makes sense.

The Target breach had a financial impact, but it wasn’t catastrophic because shoppers went back to Target.

It’s important to accept at this point, however, that there is no such thing as the perfect risk model. No matter how thorough the planning is, there is no way to control one factor of any business operation: humans.

“Your risk model is never going to always work,” said Adegbite.

Risk assessments also can’t be static. Once the organization has assessed risk, the model has to be continuously tweaked and refined. Attack techniques have evolved rapidly, and the type of defenses are also changing. This is why organizations can’t just say, “this is just the way we do things,” because nothing is static. Why should the risks be treated any differently?

Risk management plans need to be designed to fail, Adegbite said. If organizations plan for failure, they can respond better when something goes wrong, thus limiting damage. A better response means less impact on the bottom line, less data impact, and less tarnishing of the company’s reputation. And when the plan fails, organizations need to examine why it failed and make a better plan for next time.

Risk assessments aren’t something new. Humans have been making risk assessments for thousands of years, starting with how to escape hungry bears and whether to plant a certain crop. The ability to assess a situation and determine “what if” scenarios before making a decision is something that has kept humans alive and will also help corporations protect sensitive data, Adegbite said.