Trustworthy Computing
CISO Perspectives: Today's Risk
August 2013
CISO Perspectives
CISO Perspectives provides insight into some of the key questions facing information
security professionals today. These articles are based on interviews and discussions with
chief information security officers (CISOs) and information security and risk specialists from
Microsoft and the industry.
This article discusses some of the key challenges, success factors, and potential solutions
for today's risk environment.
Risk today
In today's rapidly changing information security and data protection environment, there is a
need to move from a reactive, threat-based security model to a more proactive and efficient
risk-based model.
According to the International Organization for Standardization (ISO) publication 31000, risk
is defined as "the effect of uncertainty on objectives".[1]
IT risk, and indeed information risk, are not further defined by ISO 27005,[2] and are left to the
relevant organization to approach, define and manage as it sees fit.
[1] ISO 31000:2009 Risk Management, Principles and Guidelines on Implementation
[2] ISO/IEC 27005:2011 Information technology, Security techniques, Information security risk management
For this article we interviewed several information security and risk specialists to gain insight
into how they define and approach risk, and resources they would recommend to help other
information security professionals understand and manage risk.
Approaches
How an enterprise defines risk, and information risk in particular, both empowers the
business and creates the different categories of risk that different organizations are
concerned with. In fact, within information risk, the focus on particular categories, and the
definition of what counts as pertinent risk, varies from organization to organization.
Most organizations today have a robust understanding of business risk, and in large
companies an overall enterprise risk management program typically reports to the board of
directors. Quantifying and managing risk is generally perceived as part of good governance,
and information security is now properly among the risk elements under consideration. How
businesses identify and evaluate their information security risk has evolved over time, and
today information security risk is correctly categorized as part of business risk.
"At Microsoft," says Bret Arsenault, Chief Information Security Officer, Microsoft, "we include
information security risk as part of the overarching operational risk for the company. Whereas
risk is identified by the information security group, it is owned by the business, not by the IT
group."
In our conversations with CISOs we found the information security approach used by many
in the industry focuses on threats and mitigation.
As Jerry Pittman, Director, Global Information Security for Cummins, says, "Previously we
focused on the threat landscape and how to protect from threats, [but now we] have moved
from a threat-based model to a risk-based approach. This allows us to utilize our budget more
effectively by prioritizing and targeting our highest risks first."
Greg Schaffer, Chief Information Security Officer, FIS Global, adds, "Information security has
always been an exercise in risk management, and it [information security] interacts with other
risks."
We also verified that, as expected, the more regulated the industry a given organization is in
(financial services, health care, etc.), the more mature its approach to risk tends to be.
Risk focus
Attempting to ascertain an overarching focus of today's risk environment proved
challenging. While CISOs shared an increased focus on regulatory compliance, another
emerging focus is on cyber threats. There is general agreement that an increase in organized
crime activity adds to the financial risk of today's attacks.
"Microsoft elects to look at effectiveness of risk identification, risk controls, and processes to
mitigate or accept risk. Interestingly, Microsoft embeds risk management into the application
lifecycle," says Bret Arsenault.
Cummins, as Jerry Pittman suggests, particularly focuses on information and intellectual
property risk: "Privacy and compliance [are] significant parts of the regulatory risk framework
we address."
Definitions of risk
In our conversations, we found several interesting definitions of risk. Greg Schaffer suggests
that part of risk management is deriving trust: "Delivering trust relationships involves creating
a degree of confidence you are doing the right thing and only that, on a bad day, when an
event does occur, our interest and the client's interest are managed to the benefit of everyone."
This classic risk formula is well known:[3]

    ALE = ARO × SLE

where ALE is the annualized loss expectancy (in US dollars, for example),
ARO is the annual rate of occurrence, and SLE is the single loss expectancy.
However, in the real world, we find that rates of occurrence, and even single loss
expectancies, are hard to calculate and ascertain. This situation leads to the soft measurement of
risk. Soft (or casual) risk is rated as high, medium or low, and such ratings can be all over the
board. "Awareness and experience in the organization, and the 'as it is delivered' model driven
by the organization's circumstances, allows us to better understand this soft risk," says Jerry
Pittman.
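As an added worked example (not part of the original article, and not code from any of the organizations interviewed), the Python register below applies ALE = ARO × SLE to entries where both inputs are known, falls back to the soft high/medium/low rating where they are not, and ranks the result so the highest risks are targeted first, which is the budget prioritization Jerry Pittman describes. It also goes one step beyond the page's formula with the standard net-benefit check for a control (ALE reduction minus the control's annual cost). The register entries, dollar figures, ordinal scores and ALE band thresholds are all constructed assumptions for this example, not values from the article or from ISO/ISACA guidance.

```python
"""Risk register helper: quantitative ALE where ARO and SLE are known,
qualitative high/medium/low otherwise, and a ranking for budget
prioritization. Constructed example; every entry and figure is invented."""
from dataclasses import dataclass
from typing import Optional

# Ordinal scores for the soft high/medium/low ratings and the ALE thresholds
# in assess() are assumptions for this example, not standard values.
QUALITATIVE_SCORE = {"low": 1, "medium": 2, "high": 3}
BAND_RANK = {"high": 3, "medium": 2, "low": 1}


@dataclass
class Risk:
    name: str
    aro: Optional[float] = None        # annual rate of occurrence (events/year)
    sle: Optional[float] = None        # single loss expectancy (USD per event)
    likelihood: Optional[str] = None   # soft rating used when ARO is unknown
    impact: Optional[str] = None       # soft rating used when SLE is unknown


def ale(aro: float, sle: float) -> float:
    """Annualized loss expectancy: ALE = ARO x SLE (USD per year)."""
    if aro < 0 or sle < 0:
        raise ValueError("ARO and SLE must be non-negative")
    return aro * sle


def qualitative_band(likelihood: str, impact: str) -> str:
    """Collapse a likelihood x impact pair into a high/medium/low band."""
    score = QUALITATIVE_SCORE[likelihood.lower()] * QUALITATIVE_SCORE[impact.lower()]
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def assess(risk: Risk) -> tuple:
    """Return (method, band, ale_usd) for one register entry.

    Entries with both ARO and SLE get a quantitative ALE and a band from the
    assumed thresholds; anything else falls back to the soft rating."""
    if risk.aro is not None and risk.sle is not None:
        value = ale(risk.aro, risk.sle)
        band = "high" if value >= 100_000 else "medium" if value >= 10_000 else "low"
        return ("quantitative", band, value)
    if risk.likelihood and risk.impact:
        return ("qualitative", qualitative_band(risk.likelihood, risk.impact), None)
    raise ValueError(f"{risk.name}: need ARO+SLE or likelihood+impact")


def prioritize(register: list) -> list:
    """Rank entries for budget allocation: band first, then ALE within a band.

    Quantified entries sort above soft-rated ones in the same band because
    their values can actually be compared with each other."""
    rows = []
    for risk in register:
        method, band, value = assess(risk)
        rows.append({"name": risk.name, "method": method, "band": band, "ale": value})
    rows.sort(key=lambda r: (BAND_RANK[r["band"]], r["ale"] is not None, r["ale"] or 0.0),
              reverse=True)
    return rows


def control_net_benefit(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Net annual benefit of a control: ALE reduction minus the control's
    annual cost. A negative result means the control costs more than the
    risk it removes. This is the usual extension of the ALE formula."""
    return (ale_before - ale_after) - annual_cost


# Constructed register for the worked example (all figures invented).
REGISTER = [
    Risk("laptop theft with unencrypted data", aro=2.0, sle=60_000),
    Risk("ransomware on file servers", aro=0.2, sle=800_000),
    Risk("IP leak via departing engineer", likelihood="medium", impact="high"),
    Risk("web defacement", likelihood="high", impact="low"),
    Risk("misconfigured cloud bucket", aro=0.5, sle=15_000),
]

if __name__ == "__main__":
    for row in prioritize(REGISTER):
        print(f'{row["band"]:6} {row["method"]:12} {row["name"]:40} {row["ale"]}')
    # Full-disk encryption assumed to cut the per-theft loss from 60k to 5k
    # for 40k/year: net benefit 70000.0
    print("net benefit of full-disk encryption:",
          control_net_benefit(ale(2.0, 60_000), ale(2.0, 5_000), 40_000))
```

The ranking deliberately keeps quantified and soft-rated entries in the same ordered list, so that a "high" qualitative rating still lands next to the quantified high-ALE items rather than being dropped because it has no dollar figure; the practitioner's follow-up is to replace the soft ratings with ARO/SLE estimates as incident and loss data accumulate.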
It is important to partner with your organization, as Greg Schaffer suggests: "Walking
through scenarios and helping people understand is an important element of risk
understanding for the business."
Resources
Several resources to identify, quantify, measure and mitigate risk were identified by the
CISOs we spoke with. Those that were universally held in high regard included:
[3] ALE at ISACA: http://www.isaca.org/Journal/Past-Issues/2003/Volume-2/Pages/Risk-Assessment-Tools-A-Primer.aspx
- ISACA's (previously known as the Information Systems Audit and Control
  Association) COBIT;[4]
- ISO's 27000 and 31000 series of documents;
- The US National Institute of Standards and Technology's (NIST) Special Publications
  (SP) documents, and in particular the 800 series;[5]
- And the Cloud Security Alliance's (CSA) efforts, in particular the Security, Trust &
  Assurance Registry (STAR).
Understanding the frameworks, including their specific orientation and strengths, as well as
the differences between frameworks, is very important.
For more CISO Perspectives, visit http://aka.ms/cisoperspectives
© 2013 Microsoft Corp. All rights reserved.
This document is provided "as-is." Information and views expressed in this document,
including URL and other Internet Web site references, may change without notice. You bear
the risk of using it. This document does not provide you with any legal rights to any intellectual
property in any Microsoft product. You may copy and use this document for your internal,
reference purposes. Licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported
(http://creativecommons.org/licenses/by-nc-sa/3.0/).
[4] COBIT 5: A Business Framework for the Governance and Management of Enterprise IT
[5] National Institute of Standards and Technology, Information Technology Laboratory, Computer Security Division, Special
Publications (800 series)