by Hank Berkley
Contributing editor

For years the information security community joked that new malware was being created by anti-virus vendors to sell organizations on the efficacy of their detection software*. In a field in which new threats appear daily it seems that the “bad guys” are not the only ones attempting to benefit. As fast as new threats appear, technology peddlers seem to arrive just as frequently with solutions to protect your organization from these new vulnerabilities. The question that you need to answer is whether you need to buy into each new safeguard.

Tracking the costs and benefits brings us back to the Risk Register. Besides identifying the security risks to which your business is exposed, the register needs to hold, for each risk, an approximation of the worst-case damage it could cause, the likelihood that it will strike your operation given your current security posture, and an estimate of the damage that remains after the steps you have already taken. This last item is called the residual risk, and it is the best indicator of how much more (or less) you should spend to mitigate a potential threat.

With new issues arriving almost daily you may wonder how your organization can respond in a timely manner without unlimited resources. The truth is that if you have good basic underpinnings of an information security program, this is manageable. Many new issues can be dismissed quickly as not pertinent. For example, the vast majority of newly discovered software flaws are in older versions of software. If you maintain your software and apply updates promptly, a large number of these won’t apply to you.

The question then becomes: of the new threats that do apply, which ones carry a residual risk high enough to justify additional action? Though residual risk is only an estimate built on other estimates, as long as you assess it by a consistent method you can use it to prioritize your security spending. Finding residual risk and determining next actions includes:

  • The probability that this will impact you
  • The worst possible loss if you are hit with this
  • The cost to improve your resilience or to increase your protection
  • How this compares with the other risks you are carrying, since some of them may be better places to invest

The Boy Scouts said it best:
“Be Prepared”

Because each new threat needs to be prioritized among all of those you have previously dealt with, it is important to have a standard process for this evaluation. Input to the process needs to come from various sources, but the analysis itself can initially be done within the cyber security team. For instance, the business may calculate that it costs $1 million per shift to have a production line shut down. With that number the security people can calculate the potential cost of a serious incident that impacts production. With involvement from the marketing department, a range of values can be placed on the reputational loss that might occur. From these estimates a course of action (or possibly inaction) can be chosen.
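The evaluation described above, carried through as a small working risk register, is an added example and not code from the original post. It takes the four inputs listed earlier (probability, worst-case loss, cost to improve, comparison with other risks), computes each risk's residual risk from the controls already in place, and then ranks every candidate safeguard across the whole register by the risk reduction it buys minus what it costs. All figures, risk names and safeguards are constructed for illustration; the $1 million per lost shift is the post's own example number, and the "3 shifts" multiplier, likelihoods and control percentages are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Mitigation:
    """A candidate safeguard and what it would do to one risk (hypothetical)."""
    name: str
    annual_cost: float            # cost per year to buy and operate it
    likelihood_reduction: float   # fraction of residual likelihood it removes (0..1)
    impact_reduction: float       # fraction of worst-case loss it removes (0..1)


@dataclass
class Risk:
    """One row of the risk register, built from the post's four inputs."""
    name: str
    worst_case_loss: float        # business-supplied figure, e.g. $ per lost shift x shifts
    annual_likelihood: float      # chance per year with no controls at all
    control_effectiveness: float  # fraction of that likelihood removed by controls already in place
    candidates: list[Mitigation] = field(default_factory=list)

    def residual_likelihood(self) -> float:
        """Likelihood that remains given the steps already taken."""
        return self.annual_likelihood * (1.0 - self.control_effectiveness)

    def residual_risk(self) -> float:
        """Expected annual loss under the current posture: the number to prioritize on."""
        return self.residual_likelihood() * self.worst_case_loss

    def residual_risk_with(self, m: Mitigation) -> float:
        """Expected annual loss if this safeguard were added on top of current controls."""
        likelihood = self.residual_likelihood() * (1.0 - m.likelihood_reduction)
        loss = self.worst_case_loss * (1.0 - m.impact_reduction)
        return likelihood * loss


def net_benefit(risk: Risk, m: Mitigation) -> float:
    """Risk reduction bought by the safeguard, minus its cost. Negative means don't buy."""
    return (risk.residual_risk() - risk.residual_risk_with(m)) - m.annual_cost


def prioritize(register: list[Risk]) -> list[tuple[str, str, float]]:
    """Rank every (risk, safeguard) pair across the whole register by net benefit."""
    rows = [(r.name, m.name, net_benefit(r, m)) for r in register for m in r.candidates]
    return sorted(rows, key=lambda row: row[2], reverse=True)


def recommended(register: list[Risk]) -> list[tuple[str, str, float]]:
    """Only the pairs whose risk reduction exceeds their cost."""
    return [row for row in prioritize(register) if row[2] > 0]


# Constructed sample register: numbers are assumptions for illustration only.
REGISTER = [
    Risk("Production line outage", worst_case_loss=1_000_000 * 3,  # $1M per shift x 3 shifts
         annual_likelihood=0.2, control_effectiveness=0.5,
         candidates=[Mitigation("Offline backups with tested restore", 50_000, 0.0, 0.6)]),
    Risk("Phished staff credentials", worst_case_loss=200_000,
         annual_likelihood=0.8, control_effectiveness=0.25,
         candidates=[Mitigation("Phishing-resistant MFA", 30_000, 0.9, 0.0)]),
    Risk("Flaw in an old software version", worst_case_loss=50_000,
         annual_likelihood=0.5, control_effectiveness=0.9,  # patching is already current
         candidates=[Mitigation("New vulnerability-scanning appliance", 20_000, 0.5, 0.0)]),
]

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.name}: residual risk ${r.residual_risk():,.0f}/yr")
    for risk_name, mit_name, net in prioritize(REGISTER):
        verdict = "fund" if net > 0 else "skip"
        print(f"{verdict:4} {mit_name} for {risk_name}: net ${net:,.0f}/yr")
```

Run as a script it prints the residual risk of each row and then the ranked safeguards; with these sample numbers the backups and MFA are funded while the scanning appliance is skipped, because a risk that is already mostly covered by current patching leaves too little residual risk to pay for a new product. The same comparison, re-run whenever a new threat is added to the register, is what keeps the decision consistent across everything you have previously dealt with.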

Analysis and taking appropriate action are fundamental, but the hard reality is that no matter how advanced your analysis, or how many resources you are willing to expend, many of these risks will never have a zero probability. Players win lotteries every week, despite odds of 300 million to 1 against them. You should improve your odds when it is cost effective to do so, and be prepared in case your number comes up. You need to do both.

Being prepared means more than technical solutions. Next time we will discuss important steps you should take.

* It turns out that in at least one case this was true of McAfee (now owned by Intel). Some think that others just didn’t get caught.
