UXC Saltbush's Bernie Ryan argues that an ICT security risk assessment is a wasted investment if you’re just ‘ticking the compliance box’. True business value comes from going the next step and asking the really important questions.
Like most ICT security specialists involved in risk assessment, I imagine I’m often seen as Chicken Little, the newly-hatched chick who felt a raindrop but (rightly) failed to convince the rest of the farmyard that the sky was falling.
However, I empathise more with Cassandra, the princess of Greek mythology to whom Apollo gave the gift of true prophecy in order to seduce her; when she declined his advances, he cursed her to foretell disaster and never be believed.
Recent examples of risk denial
November 2013: Malware was installed in Target’s security and payments system to steal every credit card used at its 1,797 US stores. When its US$1.6 million malware detection tool, monitored 24/7 by a team of Bangalore security specialists, rang the siren, Target’s Minneapolis security HQ failed to respond as 70 million addresses, phone numbers and other personal information gushed from its mainframes. Target was PCI-certified, its compliance box was ticked, and yet its systems were still compromised. Over 90 lawsuits have been filed by customers and banks for negligence and compensatory damages – on top of other costs, which analysts estimate could run into billions.
December 2014: In 2006, an auditor told Sony Pictures Entertainment executive director of information security Jason Spaltro that employees were using terrible passwords. But, as he bragged in a 2007 CIO Magazine interview, he’d convinced the auditor it wasn’t a big deal – also asserting it was a “valid business decision to accept the risk” of a security breach, and that he wouldn’t invest $10 million to avoid a possible $1 million loss. As it happens, Sony has come out this month and admitted that its recent hack has cost $15 million in the third fiscal quarter of this year.
Apparently, Sony didn’t learn from the theft of PlayStation user data in 2011 despite deep apologetic bows from its Japanese CEO and other executives… as Sony Pictures has now reportedly lost 100+ terabytes of data without its security measures detecting the breach – including a conveniently named ‘Password’ folder of 139 Word docs, Excel spreadsheets, zip files and PDFs. Tabloids are gorging on the personal details (including salaries) of 47,000 employees and actors, plus some embarrassingly ‘frank’ emails. An internal company-wide memo from the CEO and co-chairman called it a “brazen attack on our company, our employees and our business partners”, which is surely a great comfort!
Risk denial of this kind persists because many organisations – both government and commercial – see conducting an ICT security risk assessment as a ‘tick the box’ exercise in satisfying their data security compliance requirements.
Conducting a risk assessment can result in justifying any number of positive resolutions – purchasing a security monitoring tool, beefing up user passwords or device connectivity processes – or simply settling an internal IT battle over allocation of resources.
But when we’re engaged to review security a year or two after a previous risk assessment, we too often find that little of value has changed in the interim. The ‘accepted’ recommendations from the last review have been filed in the too-hard or bottomless to-do basket, leaving only the temporary relief of having gone through the motions and ‘ticked the compliance box’.
We see three typical outcomes from ICT security risk assessments:
- The organisation ticks the compliance box, but makes no further investigation of its comprehensive security landscape. In this case, it’s paying mere lip service and could have saved its money.
- The organisation develops a risk management plan, signs it off and that’s that; nothing is actually done to remediate identified vulnerabilities.
- Less often, the organisation will take the next steps: refine its security framework in the light of the assessment’s findings; test the environment to validate the assertions made; and then ask the really important questions...
My ideal engagement, and happily we do get them, is when a client captures maximum value, as in the third outcome above. A particular case in mind is a client that had us conduct a comprehensive risk assessment of its core network. From that we refined its security framework to meet its compliance and governance requirements and performed penetration testing to confirm the veracity of the assessments we had made about security shortcomings.
The client knew it had problems; it had high user demands, too many ICT projects and, as a result, was keenly aware that security hadn’t always been ‘front and centre’. We found it was running systems and services that it didn’t even know it had or that weren’t patched – several representing vulnerabilities we were able to exploit. Our report, as usual, highlighted real risks and areas for improvement.
The ongoing value came from sitting with this client and working through our report. After they’d absorbed our findings and recommendations, they asked the really important questions, genuinely wanting to learn from our answers:
- How did we get here?
- Where can we be potentially compromised?
- How would it be possible for our data or systems to be breached?
As a result of asking these hard questions – instead of saying: “Thanks Chicken Little, come back in three years” – this organisation has taken immediate, concrete steps to improve its security processes. By welcoming a holistic view and committing to actually improve its security stance, this enterprise got the best possible value from its investment in external security consulting.
Surely, over the millennia, poor Cassandra was believed once?
About the Author
Bernie Ryan has over 20 years’ experience in delivering ICT security risk assessments, penetration testing and building compliance frameworks for large government and commercial enterprises.
He was formerly a Principal of Canberra-based Saltbush, one of Australia’s largest Information and Cyber Security professional services firms, which was acquired by UXC Limited in October 2014 and now forms CSC Consulting’s Cyber Security practice – delivering additional value, services and deep expertise to CSC’s clients nationwide.