Security and Risk Management Strategies Blog

Blogger: Diana Kelley

Back when I was working for a Big 4 consulting company, I was assigned to a project that included an analysis of which PKI solution was right for one of our clients. This was in 1997 when there was a lot of buzz and confusion around PKI but not a lot of deep understanding regarding what it could and could not do for organizations. The plan was for me to complete the requirements portion of the engagement, select a product, and then the company I worked for would, if all went well, sell a follow-on engagement to implement the PKI. Straight forward, right?

The problem was that as I completed the requirements gathering process something unexpected was uncovered. Based on the needs of the organization, a PKI was not the right solution. Not that one PKI was less right than another - once the requirements and legacy constraints were considered, it was clear that PKI was not the right solution at that time. So I documented my findings and presented them to the customer. Though it meant the company I worked for did not get that portion of the follow-on work, it also meant the customer did not spend millions on a solution that would not meet their needs.

Many analysts are asked a variation on the PKI question I got. Boiled down it's essentially, "We want a product solution, which 3 or 4 vendors should we shortlist?"

On the surface this seems like a simple, logical request. It’s not. The reason it's extremely complicated is that there's an underlying implication that some requirements gathering have been completed, analysis of technical and process options have been completed, and priorities and "must haves" for the solution have been determined. Very often, however this is not the case. It wasn't the case when I set off to pick a PKI solution for that customer.

As an example, let's take a product selection almost all of us has made at some point - purchasing a car.

If you asked someone the question, "I want a car, which 3 or 4 models should I shortlist?" imagine the wide variety of responses you could receive. Some answers, well-researched, solid answers, could well be given in good faith but be absolutely wrong for the person asking the question. One of the reasons for this is that proper requirements gathering is a tricky business.

I purchased two very different cars in the last 10 years. A Mazda Miata, two-seater convertible and a Toyota RAV4 SUV. Both great cars, and I was (am) very happy with both choices. But the requirements that led me to select the RAV4 were very different than those that led to the Miata.

Some of my requirements were stable:

• Good gas mileage
• High reliability
• Responsive handling
• Only two seats required (what can I say, I'm anti-social when it comes to having people in my car)

Some changed:

• Very small for ease of use in an urban environment v. big enough to haul around two shelter-shepherd mixes and weekly loads of cruft to the transfer station
• Front wheel drive for city driving v. four wheel drive for wintry, rural roads

Obviously, there were more requirements involved, but the point here is that the stable requirements would have short listed both the Miata and the RAV4 (not sure about newer models, but older RAVs had removable back seats, so I have a two-seater RAV and the dogs have more space in back). The ones that changed were the ones that would have led to very different recommendations.

You probably know people that purchased cars because they came in a certain color, or imply status, or have higher safety ratings. Knowing your requirements and the trade-offs, if any, involved with selecting for one over another are the key to getting the right solution.

Back to the world of IT - "What are the top 3-4 web filtering solutions?" Based on what requirements? If it's pure market share, well that's an easy one to ascertain. But will it lead to selection of the best product for your organization? Flipping to cars again, the most popular car colors for 2006 were white/silver - that wouldn't work for my personal car requirements, but if I wanted to drive the most popular car color, then white/silver would be right.

Selecting the right web filtering solution, actually, deciding if implementing is the right choice at all, will, for most organizations entail a lot more than knowing what everyone else is buying. Requirements that would impact the decision for most large organizations include, ease of use of UI, ability to support a mobile/remote workforce, configurability based on roles/groups, ability to integrate the solution with a user directory store, etc. Recommendations are only as useful as the requirements they're based on.

So at this point, if you're still reading, you may be thinking, "Thanks for stating the obvious, freaky dog person!" But if what I just wrote is so obvious, then why are so many of us looking for a shortlist of the top 3-4 vendors in a product space? We all know how to get market share numbers, so we're looking for more than that. I think we're all busy and we'd like to look to analysts to do the research and the work and come up with a quick answer. But I also think there are no easy answers. Analysts can't make critical requirements decisions, and therefore product selection decisions, for external organizations in a vacuum. But we can do the research that normalizes the discussion, takes the marketing hype out and puts the technology specifics and the security and risk trade-offs back in. We can empower your organization with the unbiased information necessary to make the decisions.

To me, that's a lot more compelling and useful than having someone arbitrarily say, there are 3-4 solutions, pick one.

The alternative is ending up with a multi-million dollar PKI solution that doesn't solve the problem it was meant to. Or driving around in a white/silver Toyota Camry when the right car for you may be a dark green, two-seater, RAV4 with a couple of shepherd mutts hanging out the windows.

Blogger: Dan Blum

The theme for security at Burton Group’s Catalyst conference was this: successful security requires a proactive approach. We focused on many aspects of proactivity, but a few points jumped out pretty clearly:

Data and Risk cannot be governed, but the responsible persons can be – if we have the metrics. Could IT security artifacts be managed through market mechanisms similar to those that drive the business?

Creating open security management frameworks, or ecosystems, could be a win-win for security platform vendors and enterprise customers. Why is this, and what will it take to realize the promise?

My “successful security” presentation proposed the model for proactive security shown below. One of the notions in the model is that organizations should “get stronger sooner” by addressing risks earlier in the IT lifecycle by becoming involved in business planning and risk management.

We researched methodologies for risk management, but they either address low level security project blocking and tackling - or require that business executives meet IT security staff halfway by developing more understanding of the technology in order to set direction and take accountability for it. And unfortunately it can be rather difficult for even the senior managers in IT security to change the behavior of business executives and get them to do this.

At Catalyst, however, IBM’s Steve Adler gave us some exciting ideas in his “Six Questions to Ask About Data Governance” presentation. Among other things, this presentation discussed opportunities for using Utility Theory to derive a value for data, so that investments in managing, protecting or controlling data could be more properly calibrated. The corollary to valuing data is valuing risk – a tough problem. Here Adler referred us to Wikipedia’s coverage of Alternative Risk Transfer (ART).

We’ve written on how to measure Return on Security Investment (ROSI) in one of our reports. And I thought about the Basel II regulation, which requires that banks measure risk and set aside a capital reserve to fund recovery operations should risks materialize.

We’re still early in this line of research, but I find these ideas exciting because they could take risk away from being an externality and put it in terms any executive can understand. And while this may strike you as an overly theoretical point, isn’t the idea akin to pollution credits – which are very real today – and the notion of carbon debt, which may soon also start to impact business?

Thus, data and risk values could appear on a balance sheet that gets rolled up to top executives just like the monthly sales and expense forecasts. Executives wouldn’t have to understand the details of the technology creating the risk anymore than they have to understand every detail of the expense to research some of their rocket science products. But they can understand numbers, trends of numbers, and thresholds for how big those numbers should be. And by managing those numbers, could they give IT the guidance it needs for risk management tradeoffs?

Of course, the smart executive with time on his hands may drill down into any number at any time to spot check it or understand it. The valuation of risk has to be realistic and defensible. Where actuarial evidence is not available (as is so often the case) one might start this exercise with very conservative numbers, explain why they might be understated, and increase those numbers over time as incidents or losses provide more real-world evidence.

If your organization has been valuing data or risk successfully, or has studied the idea seriously, we’d like to talk to you. Please contact us or leave a comment.

And concerning the second major insight about security management frameworks, stay tuned: I’ll cover it in the next week or two. Keep coming back – this blog works!