IT decision makers have a very difficult job. They are often asked to make technology decisions on subjects for which they may only have cursory knowledge. Then when things go wrong, they are responsible for dealing with the fallout of those decisions.
It’s one thing to make a mistake when deciding on something relatively trivial, like picking out what kind of PC to buy. You can easily address shortcomings for a disappointing solution. A PC that isn’t powerful enough can get more RAM or can be upgraded to a bigger hard drive. However, when it comes to making decisions about security/risk, the stakes are much higher.
A failed security solution that leads to a data breach can’t be fixed simply by buying a part or repurposing hardware assets. Unfortunately, these design failures can only be repaired after damage has already been done.
When you find out that your firewall was insufficient and a hacker penetrated your network, you can’t reverse the clock and make up for an uninformed decision that may have been made years ago. Your only option at that point is to control the amount of damage in place.
It’s just like buying a cheap washing machine. If the washing machine can’t handle the clothes you put in it and leaks water, you have to deal with the damage caused and probably repair the machine itself. From someone who has had to deal with water damage, I can tell you that I much prefer having a robust solution up front so that I never have to worry about the problem affecting my life.
This leads to the main issue I’d like to confront in this blog: how you, as a decision maker, can know up front if your security and risk management strategy is getting the job done.
I have some good news and some bad news. The bad news is that there is no 100% positive security and risk management approach. Any solution can fail. Even when building a system with security in mind from the beginning, sometimes these solutions fail when you need them most. Even an experienced, well-educated, trusted advisor can guide you down a path that they think will protect you, and a data breach can still happen.
The problem with security threats is that they are constantly evolving. Nobody holds the crystal ball to tell you what threat you may have to deal with tomorrow, much less threats that may develop months or years from the time you build your system.
The good news, however, is that there is a tried and true way to gain a real sense of how well your current security controls are working: a risk assessment.
In addition to providing you with insight into the effectiveness of your security measures, a robust risk assessment gives you the opportunity to evolve your IT security and risk management strategy. This allows you to stay on point when it comes to knowing what threats are out there and how you need to deal with them.
Four main features must be present in a solid risk assessment:
Uses thorough vulnerability and configuration scanning tools to look for weaknesses within your system.
Identifies various areas of risk based on the sensitivity of data, best IT practices, and the configuration of the current system.
Performs vulnerability scans on the perimeter that expose specific weaknesses from the outside.
Looks at workflows and behaviors of staff to ensure they are operating in a method that is consistent with the technical security measures.
In short, a well-designed risk assessment uses metrics, best configuration practices, other compliance standards, and to some extent user behaviors to determine what data assets are worth protecting and what shields those data assets from damage or loss.
From there, you can determine if your security and risk management strategy is effective, even if it’s not perfect (which it can never be).
My philosophy is that security and compliance should be treated as a discipline rather than just another technology solution you need to buy. Deploying proper tools to manage risk and then regularly evaluating how well those tools are working is the only reasonable approach to keeping up with a world of constantly evolving threats.