mailing list archives
Is Your Security Program Effective? 7 Must-Ask Questions
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 8 Jan 2014 11:22:27 -0700
Business leaders can, and should, insist on metrics to prove protection
efforts are worth the money.
As we put the final touches on 2014 budgets, many security leaders are
asking for more money now to keep “bad things” from happening later. CEOs
and CISOs have done this dance for years. But today I see many business
leaders asking, “What do we have to show for all of these information
security investments? How do I know we’re spending the right amount? How do
I know our security program actually works?”
This last question is especially tricky. You’ve either had a security
breach or you haven’t. If you have had a major incident, were you
unprepared or just unlucky to be targeted by a high-powered attacker? If
you’ve not had a major breach, is that because of a good security strategy?
Or did you just get lucky? Can you even know for sure?
The correct answer to these questions is: “Risk reduction as borne out by
our risk management program.” I’ll explain what that looks like in a
moment. But first, here are seven questions business leaders should ask
their CISOs, and the answers that should worry them.
1. “How do I know our risk management program works?”
(Red-flag answers: “I don’t know,” or “We use X and X is a best-practice.”)
2. Do we have a defined risk management methodology?
(Red-flag answer: “No.”)
3. Where did our methodology come from? Which interdisciplinary techniques
do we use?
(Red-flag answers: “We invented our own,” or “I don’t know.”)
4. How do we measure probability, frequency, and business impact? Do we use
ranges of numbers?
(If the answer is “no,” you might be in possession of a red flag.)
5. Does our risk management methodology require detailed, calibrated
estimates? Is the CSO/CISO calibrated?
(If the answer to either question is “no,” well, you know what color flag
6. Can the CSO/CISO explain the “base rate fallacy”?
(The answer should be “yes.”)
7. Do we measure probability, frequency, and impact with a scale, like
“high,” “medium,” and “low”? Do we use risk matrices or heat maps to
(If the answer to both questions is “yes,” that’s a red flag. Gotcha!)
If you’ve asked these questions, chances are you’ve also gotten a lot of
wrong answers. You’re not alone. Most companies use what I call a
“qualitative” approach that, by definition, focuses on qualities,
attributes, or characteristics of things. Examples include marking off
checklists of compliance requirements, benchmarking the company with peers,
and so forth. While easy to do, qualitative approaches by themselves don’t
answer the important questions. Just because my peers are doing X, why does
that make X the right approach for us?
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
sales () riskbasedsecurity com
Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security offers security intelligence, risk management services and customized security solutions. The
YourCISO portal gives decision makers access to tools for evaluating their security posture and prioritizing risk
mitigation strategies. Cyber Risk Analytics offers actionable threat information and breach analysis.
- Is Your Security Program Effective? 7 Must-Ask Questions Audrey McNeil (Jan 08)