Let’s start with the models themselves.
Even if you aren’t using a formal model, there are a lot of things you probably know today. You likely have at least a working sense of which information assets support critical, revenue-generating business. You can augment this knowledge and may discover some new things by doing a revenue-process map linked into a data flow — a practice we’ve found invaluable in optimizing security efforts.
And you don’t have to wait to complete one of those to sharpen your model. Look at incident history to your critical processes and convert those to event trees to get relatively objective (albeit history-based) probabilities. It’s a defensible start as you gather more intel.
Speaking of probabilities, a mistake I see too often are security teams overly focused on likelihood while normalizing or ignoring impact. Unless your IT shop has done a world-class job optimizing your data footprint, it’s not likely that these two are independent. The business does need to provide their input on impact, and that can be a key input as you do your business process mapping. If you have little impact data today, a half-day workshop with the right business executives at your next off-site can get you and your team a lot of insight on how to weigh impact, or map existing impact scales to assets.
In previous posts we’ve stressed the merits of shifting to more quantitative modeling. It’s easy to hide behind fuzzy data with qualitative models, which makes them a safety blanket when being grilled in front of your board. However, I am witnessing many boards starting to see through that, and pushing for risk reporting at parity with other business units. That parity is often anchored in dollars and cents. I know it’s not easy, but it does simplify the discussion around risk, what it means, how big it is, and how it compares with other risks and risk mitigation costs. Start small, but if you aren’t starting to move in this direction, you will soon be behind.
Finally, stress-test assumptions in your model and root out bias. Run simulations through the models you have built and used to see how they perform under certain circumstances. Specifically look at the impacts of major changes to a few variables. Stress-testing will highlight potential blind spots as well as ways to improve the model.
Get soft data too
I can’t stress this enough: Front line employees’ understanding of security risk should not be underestimated. That doesn’t just mean that they follow the rules, but they tend to have a sense of where weaknesses are. Just as some of the best CEOs walk the floor of their companies to see what is really going on, so should the best CISOs (and their risk teams).
Gather intel on what weak points there are and what keeps them up at night (at least Business Line execs). While you are at it, use the opportunity to see how security can be more helpful or how security is creating perceived barriers that you can remove. These win-win partnerships are invaluable.
I have to admit that I have seen mixed results in having security or risk liaisons in different business groups. I used to be a strong proponent, but have seen that those liaisons drift to the needs of the business line over time i.e. making things easier, not more secure. The real bounty comes from incorporating risk management into the day-to-day jobs of all employees and bubbling it up (see this HBR highlight of Hydro One). Tight integration is fostered via education, tone-at-the-top, and incentives to appropriately owning and managing risk on the front lines.
Greenspan used to check on underwear sales at department stores as a way to see how well economic models were likely to perform, because underwear sales were the first thing to plummet when the economy was weak (clothing you can’t see!). Soft data is a vital way to validate your risk models…to get “out of the box” and into the real world.