PUNTA CANA – Although it may not be the most thrilling part of a security team’s job, the idea of operational risk assessment and management is perhaps the most important aspect of organizational security.
Steve Adegbite, senior vice president in charge of enterprise information security program oversight and strategy at the banking giant Wells Fargo, pointed out in his talk at the Kaspersky Security Analyst Summit here that online banking security is essentially predicated on the ideas that evolved during hundreds of years of brick and mortar physical security.
For sure, the means required to securely store potentially valuable bits of data on a network or database or server are very different than the means by which an early human may have hid in a cave to avoid being eaten by a bear. However, Adegbite’s presentation suggested that these sorts of risk assessments – the ones that have kept humans alive for hundreds of thousands of years – are exactly the kinds of logical progressions corporations should follow to protect sensitive data.
“Operational risk management is a key component of any security practice,” Adegbite wrote in a synopsis of his briefing. “This principle has been exercised since the dawn of time when cave men weighed the outcome of certain scenarios… [such as the] risk of hunting that wild animal to eat or having that wild animal eat him.”
It’s not enough though to merely understand the information your company holds, how and why and to whom it is valuable, and the threats to the integrity of that data. Companies need to understand that zero-days are an unfortunate inevitability of technology and that their security measures will eventually fail. Even if an organization has the perfect risk model, they are still vulnerable to the one, uncontrollable factor: humans.
Beyond this, people and attack techniques and defensive technology change over time. The way we build software, Adegbite explained, has changed dramatically over time. Coding from 10 or even five years ago is insecure now, which is why Adegbite believes it is unacceptable when organizations say “this is just the way we do things.”
If you fall in love with your risk management plan, Adegbite said, and think it is perfect, you are missing the point of a risk management plan. Risk management plans should be designed to fail. His point is that failure in the realm of security is inevitable, but with a competent risk plan, organizations can fail better, limiting an incident’s effect on a business’s reputation and bottom line.
“Your risk model is never going to always work,” said Adegbite.
When the risk management plan fails, companies need to look at why it failed, and make it better.
Adegbite said that these analyses are measured with cost: how much money are we willing to lose before we spend the money to stop losing money in this way? Or, on the flip-side of that coin, how much are we willing to invest in order to prevent future losses. In this way, Adegbite told the audience that banks are adopting some of the attitudes that Wall Street traders have had toward failure for years, namely a willingness to take bigger risks in the pursuit of better payoff. Of course, in this case that payoff is better security that could potentially save organizations money down the line.