November 2011 Archives

"If you think a weakness can be turned into a strength, I hate to tell you this, but that's another weakness."
Deep Thoughts by Jack Handy

This post has been percolating for a few weeks now. Part of it was triggered as I read Taleb's The Black Swan, part of it was triggered by attending the ISSA International Conference a few weeks ago and hearing the same old quips, and part of it was triggered this morning by reading stories about yesterday's DARPA cybersecurity conference.

The challenge to this whole post is going to be keeping a coherent thread, so let me spell it out up-front: If "securing networks" is your goal, then I hate to tell you, but you've already failed. A strictly threat-centric approach to infosec is the failed approach we've been using for decades, and it's not going to solve any problems. The real problem is that we've lost sight of what is really important (assets!), and are not constructing our environments, defenses, etc., in a manner that is optimized toward protecting those things. More on this later.

A quick little semi-rant... I've reached the point where my tolerance has been exceeded. It's very simple, really.

There, I said it. No, seriously, if you listen to all the "risk" haters out there these days, you'd swear that the failings or limitations of a risk assessment or risk analysis methodology was equivalent to "proof" that risk management as a whole is faulty and a failure. Nothing could be farther from the truth.

Case-in-point: Many people, who don't have any training of or understanding about quantitative methods like FAIR, love to hate on those methods because of the "imperfect data" argument (newsflash: all data is imperfect). "We don't know what we don't know, therefore it's all wrong." The response to that quip is a separate post (coming soon!), but suffice to say, limitations of a specific method DO NOT prove that an overall management process is somehow inadequate, wrong, or a failure.

The 2008 credit crisis is not the result of poor risk management. Rather, it demonstrates the failure of traditional ORM risk assessment / risk analysis methods, which failed to properly account for a number of key risk factors, and which also overlooked major exposures (for more on this, see the "Modern ORM" paper).

So, the next time someone tells you that "risk management is a failure," please ask them not to throw out the RM baby with the bathwater, and instead prod them into explaining their quip, which will inevitably lead to complaints about risk assessment or risk analysis, which is not equivalent to RM.

That is all.

As a rule, I try not to toot my own horn too much. There are far smarter people out there. That said, I thought you might find the following articles of interest:

Big Fat Finance Blog: "Risk Chat: Is Your GRC in the Cloud?"

CRN: "How to Manage Cloud Risk"

The ISSA Journal (November 2011, Volume 9 - Issue 11)
"Scaling Risk Management"

Also, I highly recommend joining the ISSA!

I had the opportunity to attend the 2011 ISSA International Conference held Oct 20-21 in Baltimore, MD. Overall, it was a decent, albeit fairly small, event. Beyond getting a chance to catch-up with some industry friends, it also provided a chance to hear a few interesting talks, as well as to discuss a couple topics that have been of interest lately.

Rather than recap things in too much detail, I figured I'd just riff on a few themes that I noticed (or have arbitrarily declared)...