
The Security Model is Broken, Part 2: The Risk Assumption Process

In February of this year, I published an article in SC Magazine called The Security Model is Broken. Because every organization is susceptible to a breach, we must rethink our security models and implement better preventive measures. That first article outlined some of the technologies and controls that enterprises should use to strengthen their security postures. In today's article, I will explain how an organization's risk assessment model should be updated to ensure that the appropriate people are assuming risk and making the right decisions.

Risk-based security model background

Today, it is a generally accepted practice to justify and/or make decisions on security safeguards based on a risk assessment. But all too often, risk-based security, or the risk assessment process commonly practiced by many enterprises, is flawed and misused to justify doing nothing or to delay the implementation of necessary security safeguards. Basically, the risk assessment process involves evaluating probable threats, their likelihood and impact, against the cost of the security controls that would mitigate those threats. The risk assessment is usually performed by the security unit, and then the business unit or someone in management decides either to implement the security safeguard that mitigates the risk, or to assume the risk.

The underlying challenge is to ensure that whoever makes the decision to assume the risk has the proper purview and span of organizational control to assume all the inherent security risks—including reputational risks—associated with the decision.

How the risk security model is broken

Many CISOs or security units believe their job is done once they have presented the results of their risk assessment to management and management has assumed the risk, even if they disagree with management's decision. Many, if not most, enterprises have no formal risk assumption model to identify who can assume enterprise-level risk, and have no escalation procedures for when a disagreement occurs.

Also, many decisions are made by the wrong people for the wrong reasons. Most business units do not have the subject matter expertise to make decisions about security risks, and they do not appreciate the dynamic and changing landscape of cyber threats and the IT environment. Additionally, business people have conflicting goals such as expense, income, or project deadline pressures. These different drivers can—and many times do—cloud their judgment.

Finally, security assessments or risk-based security practices are often used to justify doing nothing. Many enterprises use an ROI (return on investment) risk assessment methodology. But there is no ROI in security safeguards, unless you are replacing or consolidating technologies; implementing a safeguard is a judgmental risk mitigation or avoidance decision. Cybersecurity, like safety measures on airplanes, is a cost of doing business, period!

What needs to be done

Enterprises need a formal risk assumption model which clearly states who can assume security risks and which types of risks they can assume—similar to the approach that CFOs use to delegate financial authority within the enterprise. Just as important, the risk security model must delegate to the CISO arbitration powers over business risk assumption decisions. Such a documented approach enables the CISO to act as an honest broker, escalating security risk assumption decisions with unfettered access to senior management, including the CEO and, if need be, the board of directors.

In my next article, I'll address transparency, why we need it and why we don't have it now.