Catalyst Clarifies Information Security Challenges
Blogger: Dan Blum
The theme for security at Burton Group’s Catalyst conference was this: successful security requires a proactive approach. We focused on many aspects of proactivity, but a few points jumped out pretty clearly:
Data and Risk cannot be governed, but the responsible persons can be – if we have the metrics. Could IT security artifacts be managed through market mechanisms similar to those that drive the business?
Creating open security management frameworks, or ecosystems, could be a win-win for security platform vendors and enterprise customers. Why is this, and what will it take to realize the promise?
My “successful security” presentation proposed the model for proactive security shown below. One of the notions in the model is that organizations should “get stronger sooner” by addressing risks earlier in the IT lifecycle by becoming involved in business planning and risk management.
We researched methodologies for risk management, but they either address low-level security project blocking and tackling, or require that business executives meet IT security staff halfway by developing more understanding of the technology in order to set direction and take accountability for it. Unfortunately, it can be rather difficult for even senior managers in IT security to change the behavior of business executives and get them to do this.
At Catalyst, however, IBM’s Steve Adler gave us some exciting ideas in his “Six Questions to Ask About Data Governance” presentation. Among other things, this presentation discussed opportunities for using Utility Theory to derive a value for data, so that investments in managing, protecting or controlling data could be more properly calibrated. The corollary to valuing data is valuing risk – a tough problem. Here Adler referred us to Wikipedia’s coverage of Alternative Risk Transfer (ART).
We’ve written on how to measure Return on Security Investment (ROSI) in one of our reports. And I thought about the Basel II regulation, which requires that banks measure risk and set aside a capital reserve to fund recovery operations should risks materialize.
We’re still early in this line of research, but I find these ideas exciting because they could take risk away from being an externality and put it in terms any executive can understand. And while this may strike you as an overly theoretical point, isn’t the idea akin to pollution credits – which are very real today – and the notion of carbon debt, which may soon also start to impact business?
Thus, data and risk values could appear on a balance sheet that gets rolled up to top executives just like the monthly sales and expense forecasts. Executives wouldn’t have to understand the details of the technology creating the risk any more than they have to understand every detail of the expense to research some of their rocket-science products. But they can understand numbers, trends in numbers, and thresholds for how big those numbers should be. And by managing those numbers, could they give IT the guidance it needs for risk management tradeoffs?
Of course, the smart executive with time on his hands may drill down into any number at any time to spot-check it or understand it. The valuation of risk has to be realistic and defensible. Where actuarial evidence is not available (as is so often the case), one might start this exercise with very conservative numbers, explain why they might be understated, and increase those numbers over time as incidents or losses provide more real-world evidence.
If your organization has been valuing data or risk successfully, or has studied the idea seriously, we’d like to talk to you. Please contact us or leave a comment.
And concerning the second major insight about security management frameworks, stay tuned: I’ll cover it in the next week or two. Keep coming back – this blog works!