Information Security as a Business Enabler
Posted 12-04-2012
By Steve Durbin
One of the primary aims of information security is to prevent incidents. However, it is nearly impossible for organizations to completely avoid serious incidents, and while many are good at incident management, fewer organizations have a mature, structured approach for analyzing what went wrong. As a result, they're incurring unnecessary costs and accepting inappropriate risks.
Because not every incident can be prevented, businesses need mature incident management capabilities. Without a proper impact assessment, a business does not know the incremental, long-term or intangible costs of an incident, yet those costs still affect the organization's bottom line. Because it is crucial to manage incidents well, many organizations understandably focus on incident or crisis management and on returning to business as usual. Post-incident review is often neglected, viewed as a costly burden and treated as a distraction.
This is a mistake!
Incident management alone is not enough. For the incidents that warrant it, it must be accompanied by post-incident review. A complete incident management process can continuously improve information security, decrease the likelihood of future incidents, increase resilience and reduce impact.
A View From the Top
C-level executives across the board are now tasked with managing security risks. In practice, most IT business decision-makers are not dealing with daily catastrophes but with building a stable environment that reduces risk and its associated costs. While a security breach can get immediate attention from the board of directors, the infrastructure and systems needed to recover from it and to prevent another devastating hit are not exactly boardroom fare. That's for the trenches, right? Wrong!
Organizations have limited resources that are prioritized to areas of greatest need or return. Without knowing the cost of potential incidents, organizations will misdirect resources, fix symptoms instead of causes and not spend money where it's needed to mitigate a major incident in waiting. Also, most organizations have a limited appetite for investigating incidents due to the understandable desire to return to business as usual. However, this means they miss valuable learning opportunities.
A thorough understanding of what happened and why is necessary to understand and respond to the underlying risks, and every member of the organization's board of directors needs that understanding. Without it, risk analyses and the decisions based on them may be flawed, leading the organization to assume greater risk than it intended.
Threats and Risks
Broadly speaking, a security incident occurs for one of two reasons. Either it realizes a risk that the organization previously decided to accept, or it results from gaps or deficiencies in how the organization identified and treated the risk.
Threats are universal, and every incident begins with one. They include targeted attacks by malicious insiders and external parties, service and system interruptions, human error, and natural disasters. While it is neither economical nor possible to prevent all incidents, businesses can decrease the likelihood and impact of incidents by maintaining a solid understanding of current and future threats.
While threats are universal, the risk they pose is specific and contextual depending on the existing vulnerabilities. A threat can present a different level of risk to an organization depending on the vulnerabilities that result from a multitude of factors, such as the organization's industry, geography, capabilities and controls. Evaluating threats and assessing risks should be a standard element of every organization's risk management processes.
Risks can be accepted, mitigated, transferred or avoided. Not all threats can be identified, not all risks can be mitigated and some risks are accepted; therefore, organizations need to have a defined and well-exercised incident management process.
Information Security as a Business Enabler
To manage risk effectively, organizations, boards of directors, business units and information security teams all need to balance risk and reward. Impact assessment is a crucial component of assessing risk.
Incomplete or inaccurate impact assessment undermines the organization’s ability to understand the risk it faces. Without understanding potential impact, organizations are likely to accept unnecessary risk or waste money on unnecessary mitigation. A clear view of impacts can be used to set the priorities and the sequence for risk mitigation activity, such as controls, staffing levels and awareness programs.
Not all organizations are aware of the value that can be derived from impact assessment, or that it can be used as a positive tool rather than simply as an assessment of failure. In addition, impact assessments can be complex and time intensive, consuming staff time that some believe would be better spent on day-to-day operations.
The Root of the Problem
A root cause analysis needs to be performed to determine the cause of the incident, and its output can be used to identify recommendations. The investigation must be detailed and carried far enough that a complete and reliable picture emerges. That is, the findings must be root causes and not symptoms, a distinction the investigator must be able to demonstrate rather than assume.
While a root cause analysis provides value, the cost of performing one can’t be justified for every incident. Organizations should use a consistent triage process to determine whether an incident merits a root cause analysis. Forming the right team for the root cause analysis is a critical step. The quality of output from root cause analysis techniques is dependent on the investigators’ knowledge and skills. Only by ensuring that the correct combination of expertise is available will it be possible to establish the true root cause.
Organizations need to communicate the findings effectively to the relevant stakeholders so they can be validated and acted upon. The findings should be presented in a format that is relevant to the organization, and the report should include the findings of the root cause analysis along with an overview of the incident.
Organizations should also be constantly looking for ways to respond to developments and improve risk management by learning from previous incidents. Post-incident review supports this by feeding information back into each of the risk processes described above (threat evaluation, risk assessment and impact assessment), helping organizations get to the cause of incidents and providing valuable information about gaps and deficiencies in their processes.
The post-incident review’s value is clear. The output from the post-incident review can improve the information risk assessment process by providing comprehensive data to inform future decisions. Post-incident review produces information about threats, risks and impacts that is accurate, current and linked directly to the incident, the organization and its operations. Organizations that do not perform post-incident review are most likely incurring unnecessary costs and accepting inappropriate risks.
Risk management is incomplete without impact assessment, root cause analysis and post-incident review. Without a proper understanding of what happened, why it happened and its impact, organizations can't fully understand or manage the risk. These key steps enable organizations to improve their processes and prevent recurrence of incidents. As a result, a security incident can be transformed from a potential or actual disaster into an opportunity, the benefits of which will emerge over the long term.
About the Author
Steve Durbin is Global Vice President of the Information Security Forum, an independent, not-for-profit association of leading organizations from around the world.