4 March 2012

MANAGE RISK BEFORE IT DAMAGES YOU: PART TWO...

In the previous post, I spoke about the importance of having an asset register and how crucial asset classification is. After all, not many of us have unlimited resources, so focusing investment where it matters most is the way to go. Whilst I was thinking about this, the link between changing the CISO's traditional attitude and the necessity for risk management became even more apparent, and I would like to expand on the trinity of “Asset, Technical Services and Business Need”...

If we agree that the types of assets to be considered have been defined in the previous post, the new trinity is only a slight revamping of my favourite “People, Process and Technology” and can be described as follows:


For a CISO to be successful, they need not only to be prepared to eliminate redundant services and controls (ouch!...), but also to promote the elimination of redundant assets, which they will invariably not own... Enter the political CISO...

So, go on, why not hold a workshop with all the executive business stakeholders to ask them the following questions?...
  • Are my employees/agents taking information outside of the organisation? How can they do this? Do I care?
  • Do I need to limit access to this information to only those who need it? What happens if I don’t?
  • What types of attackers would be interested in infiltrating my systems? What would they seek? Why? How damaging?
  • If any web server was compromised, how difficult would it be for an attacker to work their way to the systems holding this information? How easy would it be to take this information out? Do I care?
  • How quickly would I know this has happened? How quickly do I need to stop it?
  • How quickly do I need to respond to the market? What do I need to say?
Here you go: a very basic crash course in threat scenario modelling... Believe me, this is a very interesting and enlightening exercise to conduct, and it can break down some boundaries. Try it...

Again, it goes back to my old adage: don’t spend £100 protecting a £1 asset, fix the basics first, choose the right partners, train at all levels and be prepared...

Until next time...