Cyber insecurity: Managing against the risk

Risk management has been part of IT security from Day One, but has often taken a backseat to aggressive zero-tolerance policies that sought to raise impenetrable barriers to security threats. Now we know better.

An explosion in the volume and sophistication of malware in the past few years has overwhelmed barrier technologies such as firewalls and intrusion-detection systems, and the bogglingly fast spread of powerful mobile devices such as tablet PCs and smart phones has provided the black hats with a wealth of different ways to break into networks.

“Three decades ago, a mainframe would have been a big investment for an organization, but IT has become a commodity today and we use those technologies very aggressively,” said Ron Ross, a fellow at the National Institute of Standards and Technology and the leader of NIST’s Federal Information Security Management Act (FISMA) Implementation Project. “The trend now is also to connect everything to everything. Couple that with the exponential growth in malware, and that’s why people are so concerned.”

Related items:

A risk management reading list

Risk management: A view from inside

In contrast to the castle-and-moat approach to security, risk management sets acceptable levels of risk for an organization, and then controls and seeks to mitigate those risks. That way — or so the theory goes — the most mission-critical systems can be protected and the organization will still be able to function even if cyberattacks succeed in penetrating periphery defenses.

Theory is one thing and implementation another, however. Although the concept of risk management is now well understood in agency IT and security departments, it is not yet a widely practiced discipline. Agencies such as the National Security Agency and the State, Commerce and Defense departments are acknowledged leaders in risk management, but overall, the government is behind the curve.

A recent Ponemon Institute study of risk-based security management in the United States, which included input from government organizations, noted that more than three-quarters of respondents had a significant commitment to RBSM, but less than half actually have a program in place. A third of respondents have no RBSM strategy.

“Lots of organizations want to do RBSM, and they realize the importance of it,” said Larry Ponemon, the institute’s chairman. “But there’s either resistance internally from people who are reluctant to move out of their comfort zones, or they just don’t have the right resources to make it happen systematically. What you often end up with is a kind of a hodgepodge approach to it.”

Chris Kennedy, principal security architect and senior program manager at Northrop Grumman Information Systems’ Civil Systems Division, said he believes most federal agencies understand what risk management is, but “it’s just one of those things that’s really tough to operationalize.”

“The challenge is that IT has been traditionally managed in agencies as a mission enabler, and there hasn’t been the level of cross-pollination between the mission owner and IT system operators to manage risk appropriately,” he said. “Someone needs to work the priority of the mission to establish the appropriate risk management framework around the systems.”

The first step in developing a risk management program is to get everyone to agree on what the risks are, which is more complicated than it sounds. In the older approach to security, the risks were associated with the network and attached systems, and identifying them was the responsibility of the IT department. With enterprise risk management, many communities own the business processes that are at risk, and with the rise of cloud computing, they will increasingly have responsibility for the IT services that are delivered. However, each of them might have very different ideas of what the risks are and how to define them.

“If you want to develop a cohesive risk management strategy, you have to develop a centralized risk register that everyone can refer to, and that means also having a common nomenclature for risk,” said Torsten George, vice president of worldwide marketing and products at Agiliance, a company that provides risk management solutions. “If you try to do that later, then the accuracy of the data that comes back to you will vary, and the trend data that helps you predict your security needs going forward will be impacted.”

NIST’s Ross described this as a need for a second front in government to integrate cybersecurity and risk management processes into the mainstream.

“I do think the understanding for all of this is there, but the systemic problems are also there and need attending to,” he said.

Likewise, it is vital early on to create a governance process for making decisions about which risks will be targeted and what steps will be taken to mitigate them. That process will need to cover the entire enterprise.

Once it has been decided that there is a risk in a particular organizational unit with an operational mission responsibility, the governance process will require the professional who can assess that risk to characterize it and describe it to the operational manager, said Lee Holcomb, vice president of strategic initiatives and cyber operations at Lockheed Martin Information Systems and Global Solutions.

“That manager needs to be able to say he will invest the money to fix that risk and put in a process to mitigate it, or that he will flat out accept the risk and not invest in mitigation,” said Holcomb, whose federal career includes serving as CIO at NASA and chief technology officer at the Department of Homeland Security. “That discussion is a central one that absolutely needs to take place.”

He added that one of the current challenges in the cybersecurity area — and it relates directly to the assessment of risk — is the need for people to be able to say what an additional dollar of investment buys in terms of security. “There are probably a significant number of agencies that don’t have a rich discussion of that through a governance process,” he said.

Leadership commitment is also essential for implementing an effective risk management program, said Henry Sienkiewicz, vice chief information assurance executive at the Defense Information Systems Agency. Furthermore, the governance process is vital to ensure ongoing collaboration and synchronization of the efforts of the multiple groups and teams that will be involved.

Sienkiewicz said key areas include “identifying roles and responsibilities across the organization, methods for de-confliction of issues, means of communication with stakeholders, sharing of information and ensuring leadership acceptance of risks.”

Assessing the risks that must be managed is typically more of an art than a science that requires hard numbers. NIST recently published the final version of its risk assessment guidelines, Special Publication 800-30, which covers what it sees as the four elements of a classic risk assessment: threats, vulnerabilities, impact to missions and business operations, and the likelihood of a threat exploiting vulnerabilities in information systems and their physical environment to cause harm.

The document provides a common lexicon regarding risk factors that influence the method of assessing and ultimately managing risks, Sienkiewicz said. But he added that the methods for assessing risk are more descriptive than prescriptive and leave it to the organization to determine the most suitable approach for itself, taking into account factors such as system use and mission requirements.

Agencies will have to make it up on their own to some extent and choose standards for risk assessments that they will be able to carry forward, said Tim Erlin, director of IT security and risk strategy at nCircle, a company that specializes in risk and security performance management.

“There also isn’t a consistent methodology for assessing multidimensional risks or the combination of risk and environment that might be dependent on each other,” he said. “While the NIST guidance is very comprehensive, it doesn’t seem to provide a lot of guidance on how to chain these things together.”

One constant in any government program, of course, is cost. Given the budget constraints agencies face today and will have to operate under for the foreseeable future, any sizable new investment will be closely scrutinized. Risk management will involve some upfront costs in terms of process and tools, such as new automation technologies, but it could result in savings down the road.

In researching the costs of risk management, the Ponemon Institute has come up with a range that covers short-term costs such as extra people and new technology, indirect costs, and what it calls opportunity costs, the potential for damage to agency missions through data loss and a consequent drop in user trust if security is not done right, for example.

“The reality is that the short-term costs probably do go up pretty substantially if you do it right,” Ponemon said. “But over time, we would expect to see a reduction, especially in indirect and opportunity costs.”