Risk Management isn’t Just an Obligation, or Something other Execs Want to See…When Done Right, It really works.
Risk management is easy enough to say, but pretty tricky to get right in practice. Some organizations are asked to do it by concerned board members looking for reassurance in an increasingly scary online world. Other organizations are forced to do it – notably Federal agencies responsible to build Continuous Monitoring programs according to the Risk Management Framework laid out by NIST. Others do it because they see it as the right thing to do – in a world where the security budget is never more than a few percent of what it would take to build out everything we could do, there’s an ever-present need to spend the few chips we get as wisely as we can, and Risk Management is as good a name as any for “I can’t do it all, so what is most important?”.
There is a trap, though, if we just treat Risk Management as a nice label for “doing more with less”. We miss a significant opportunity for career advancement. Think of it like this: if the CFO cuts your budget, and you come back a while later with a status report of “good news, I took the cuts, survived, and am still getting lots of good work done” – something that might seem upbeat, even praiseworthy at the time – what message does it send to the CFO? That there was overspending before and you have now either made the right level, or there’s some fat left to trim. And how do you think the CFO will go about answering that question?
No, cheerful survival, “doing more with less”, and claiming you must be delivering good security because you’ve not been on the front page of The Wall Street Journal on your watch isn’t going to work. What will? We’ve played the Fear, Uncertainty and Doubt card so often that the picture is wearing off the card. (Some say it’s coming back as a viable approach, now that so many breaches are being publicized, but that’s going to vary by organization – how often have you and your predecessors cried wolf?) What else is there?
Risk Management, done right, can be the path out of this quandary. It shows you’re being proactive. Done right, it shows that you neither deliver security (a sure way to get fired after the next breach), but nor do you just spend money for nothing – you manage risk. Executives understand managing – what it is, and what it is not. So you need to show what it is you’re managing, so you can show both why your funding level buys something, but also why it doesn’t buy the luxury of forgetting about security – not at current funding levels, anyway.
And if you really get this right, you won’t just be “managing up”, you’ll be “managing out” – it’s possible to have real impact on the wider organization, in the ever-intractable problem of getting busy ops teams to clean up their messy, lax security afterthoughts.
What evidence is there that this works? For that, I’d like to point to a largely unsung hero of Risk Management – John Streufert, the Director of Federal Network Resilience at the Department of Homeland Security. I find his work is reasonably well-known in Federal circles, but not nearly well enough outside the Beltway. (For full disclosure, I’ve not sold any products to Mr. Streufert – this isn’t a stealth advertorial for my own approach to Risk Management. I just think Mr. Streufert’s approach and public results are worth attention, since they illustrate many of the important lessons in how to get ahead through Risk Management.)
His first work on Continuous Monitoring and Risk Management was while he was CISO at the US Department of State, working on a project known as iPost. This was ground-breaking in its day – 2008 – and is still a level of automation of security assessment that a good number of agencies have yet to achieve or exceed. Is iPost the end game? No, I’d have to say it isn’t, but it’s a source of great lessons. First, and above all, it’s an automated dashboard system – it delivers on the old adage that “sunlight is the best disinfectant”. It measures a wide variety of metrics about host compliance – AV signature status, patch levels, etc. – across a huge infrastructure, including US embassies worldwide. And it cranks through them to generate scores. Does it do everything? No, it won’t make coffee. It doesn’t actually implement changes – it’s a dashboard. But in my experience, it’s the single most effective publicly documented dashboard project I’ve seen.
Why does it work so well? In a word, psychology. Mr. Streufert and his team worked very hard on this aspect – arguably, almost to the expense of technical purity, but I’m not sure that was a bad trade when trying to get a project like this into the air. One extreme pressure at the Department of State is the autonomy of the embassies – essentially, every ambassador is a “local CEO”, and they can run IT and IT security as they see fit. This means central security teams have a major struggle to get anything done – every team I know has this pressure, but I do think it’s worse at State. But this just forced some creative thinking, and I’d recommend every CISO should steal some of these ideas. The central team worked with all the teams who were going to be measured, and made major revisions to the measurements used in pursuit of “fairness”. This is key – if you measure teams in a way they don’t respect, they can resist or ignore all your hard work. The psychology aspect is, in my view, the best part of iPost – the success in getting diverse teams to agree the yardstick was “fair”. (Note well, “fair” is not the same as “technically pure”! What a measured organization cares about is control – can they expect the measurement to respond when they do good work? If it’s beyond their control, there’s no reason they should play along.)
This fairness aspect went so far that the dashboard eventually produced letter grades – “A” for this embassy, “F” for that one! Imagine the competitive aspects of that, once everyone agreed on the fairness of the measures. (Equally, imagine the abject failure of the project if you tried to dictate the grading first, before everyone had agreed on the fairness point!)
And what was the result? You can guess – competition worked, embassies worked hard to improve their grade, and overall, risk scores dropped rapidly. And all of this while the automation of the system reduced compliance and assessment costs – now that’s doing more with less!
I can’t say that iPost is a perfect system. The measures achieved the holy grail of fairness, but were technically pretty limited. (The focus was so squarely on endpoint measurements that they ended up with a metric that would produce the same risk scores if you turned off every firewall across the Department! At least to this network security wonk, that’s overdoing the endpoint focus a tad.) I’ve seen claims made of a “90% risk reduction” too – I do believe the system drove real action that made networks safer, but that claim seems to be overdone, including phases where the technique for scoring was still under development (a perennial problem in all trending exercises, often called “baselining”). Still, I don’t mean to be churlish – you could say this is a bit like criticizing the Wright Brothers for their poor in-flight services. The point, of course, was to do it at all, and iPost achieved that, overcoming a great deal of skepticism that Continuous Monitoring was even practical or beneficial at Federal scale. It most certainly is, and the guy driving it has since moved on to bigger things at DHS. If you’re paying attention to such areas, you may have noticed the recent $6 billion cybersecurity grant, discussed here and here. And who’s that photographed in the Federal Times article? John Streufert, moving on to bigger, better, and substantially more expensive things – I look forward to tracking the Continuous Diagnostic and Mitigation Program!
Add it up, and Risk Management isn’t just an obligation, or something other execs want to see, or the flavor of the month (although it’s arguably all those things). It can be a real career builder, if you do it right. Figure out what you need to measure, automate the measurement, work with constituencies to build buy-in, and go loud with your success. It really works.
