CISO Perspectives Today's Risk


  • 7/29/2019 CISO Perspectives Today's Risk


    Trustworthy Computing

CISO Perspectives: Today's Risk, August 2013

CISO Perspectives

CISO Perspectives provides insight into some of the key questions facing information security (IT) professionals today. These articles are based on interviews and discussions with chief information security officers (CISOs) and information security and risk specialists from Microsoft and the industry.

This article will discuss some of the key challenges, success factors, and potential solutions for today's risk environment.

    Risk today

In today's rapidly changing information security and data protection environment, there is a need to move from a reactive threat-based security model to a more proactive and efficient risk-based model.

According to the International Organization for Standardization (ISO) publication 31000, risk is defined as "the effect of uncertainty on objectives" [1].

IT risk, and indeed information risk, are not further defined by ISO 27005 [2], and are left to the relevant organization to approach, define and manage as it sees fit.

[1] ISO 31000:2009, Risk Management: Principles and Guidelines on Implementation

[2] ISO/IEC 27005:2011, Information technology, Security techniques, Information security risk management


For this article we interviewed several information security and risk specialists to gain insight into how they define and approach risk, and the resources they would recommend to help other information security professionals understand and manage risk.

    Approaches

The ability of the enterprise to define what risk is, and information risk in particular, serves to empower the business and to create the different categories of risk that different organizations are concerned with. In fact, within information risk, the focus on different categories, and the definition of what the pertinent risk is, varies from organization to organization.

The understanding of business risk in most organizations today is robust and, typically, an overall enterprise risk management program reports to the board of directors within large companies. Quantifying and managing risk, in general, is perceived as part of good governance. Today the risk elements under consideration properly include information security. While the way businesses identify and evaluate their information security risk has evolved over time, today information security risk is correctly categorized as part of business risk.

"At Microsoft," says Bret Arsenault, Chief Information Security Officer, Microsoft, "we include information security risk as part of the overarching operational risk for the company. Whereas risk is identified by the information security group, it is owned by the business, not by the IT group."

In our conversations with CISOs we found that the information security approach used by many in the industry focuses on threats and mitigation.

As Jerry Pittman, Director, Global Information Security for Cummins, says, "Previously we focused on the threat landscape and how to protect from threats, [but now we] have moved from a threat-based model to a risk-based approach. This allows us to utilize our budget more effectively by prioritizing and targeting our highest risks first."

Greg Schaffer, Chief Information Security Officer, FIS Global, adds, "Information security has always been an exercise in risk management, and it [information security] interacts with other risks."

We also verified that, as expected, the more regulated the industry (financial services, health care, etc.) a specific organization is in, the more mature its approach to risk tends to be.

    Risk focus

Attempting to ascertain an overarching focus of today's risk environment proved challenging. While CISOs shared an increased focus on regulatory compliance, another emerging focus is on cyber threats. There is general agreement that an increase in organized crime activities adds to the financial risks of today's attacks.

Microsoft elects to look at the effectiveness of risk identification, risk controls, and processes to mitigate or accept risk. "Interestingly, Microsoft embeds risk management into the application lifecycle," says Bret Arsenault.

Cummins, as Jerry Pittman suggests, particularly focuses on information and intellectual property risk. "Privacy and compliance [are] significant parts of the regulatory risk framework we address."

    Definitions of risk

In our conversations, we found several interesting definitions of risk. Greg Schaffer suggests that part of risk management is deriving trust: "Delivering trust relationships involves creating a degree of confidence you are doing the right thing and only that, on a bad day, when an event does occur, our interest and the client's interest are managed to the benefit of everyone."

This classic risk formula is well known [3]:

$$\mathrm{ALE} = \mathrm{ARO} \times \mathrm{SLE}$$

where ALE is the annualized loss expectancy (in US dollars, for example), ARO is the annual rate of occurrence, and SLE is the single loss expectancy.

However, in the real world, we find that rates of occurrence and even single loss expectancies are hard to calculate and ascertain. This situation leads to the soft measuring of risk. Soft (or casual) risk is measured as high, medium or low, and it can be all over the board. "Awareness and experience in the organization, and the 'as it is delivered' model driven by the organization's circumstances, allows us to better understand this soft risk," says Jerry Pittman.
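The following is an added example, not part of the original article or of any of the organizations quoted: it computes ALE = ARO x SLE for a set of scenarios, falls back to the soft high/medium/low rating the text describes when ARO or SLE cannot be ascertained, and ranks the scenarios highest-risk-first so that budget goes to the top of the list. The scenario figures and the band thresholds are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Scenario:
    name: str
    sle: Optional[float] = None   # single loss expectancy, USD (None = not estimable)
    aro: Optional[float] = None   # annual rate of occurrence (None = not estimable)
    soft: Optional[str] = None    # "high" / "medium" / "low" when the numbers are missing

# Assumed thresholds (USD per year) for turning a quantified ALE into a soft band.
BANDS = [("high", 100_000), ("medium", 25_000), ("low", 0)]
ORDER = {"high": 2, "medium": 1, "low": 0}

def ale(s: Scenario) -> Optional[float]:
    """ALE = ARO x SLE, or None when either factor could not be ascertained."""
    if s.sle is None or s.aro is None:
        return None
    return s.aro * s.sle

def band(s: Scenario) -> str:
    """Quantified scenarios are banded by ALE; others keep the rating the team assigned."""
    value = ale(s)
    if value is None:
        if s.soft not in ORDER:
            raise ValueError(f"{s.name}: no ARO/SLE and no soft rating")
        return s.soft
    return next(name for name, floor in BANDS if value >= floor)

def rank(scenarios):
    """Highest risks first: by band, then ALE; unquantified entries sort last in their band."""
    def key(s):
        value = ale(s)
        return (ORDER[band(s)], value if value is not None else float("-inf"))
    return [(s.name, ale(s), band(s)) for s in sorted(scenarios, key=key, reverse=True)]

def control_net_benefit(ale_before, ale_after, annual_control_cost):
    """Yearly saving a control buys after paying for it; negative means it costs more than it saves."""
    return (ale_before - ale_after) - annual_control_cost

# Constructed sample scenarios (not figures from the article).
SCENARIOS = [
    Scenario("Web defacement", sle=5_000, aro=2),
    Scenario("Ransomware on file servers", sle=400_000, aro=0.5),
    Scenario("Insider IP exfiltration", soft="high"),
    Scenario("Lost unencrypted laptop", sle=20_000, aro=4),
]
if __name__ == "__main__":
    for name, value, b in rank(SCENARIOS):
        print(f"{b:6} {name:28} ALE={value}")
```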

It is important to partner with your organization, as Greg Schaffer suggests: "Walking through scenarios and helping people understand is an important element of risk understanding for the business."

Resources

Several resources to identify, quantify, measure and mitigate risk were identified by the CISOs we spoke with. Those that were universally held in high regard included:

[3] ALE at ISACA: http://www.isaca.org/Journal/Past-Issues/2003/Volume-2/Pages/Risk-Assessment-Tools-A-Primer.aspx


ISACA's (previously known as the Information Systems Audit and Control Association) COBIT [4];
ISO's 27000 and 31000 series of documents;
The US National Institute of Standards and Technology's (NIST) Special Publications (SP) documents, and in particular the 800 series [5];
And the Cloud Security Alliance's (CSA) efforts, in particular the Security, Trust & Assurance Registry (STAR).

Understanding the frameworks, including their specific orientation and strengths, as well as the differences between frameworks, is very important.

For more CISO Perspectives, visit http://aka.ms/cisoperspectives


2013 Microsoft Corp. All rights reserved.

This document is provided "as-is." Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it. This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes. Licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported (http://creativecommons.org/licenses/by-nc-sa/3.0/).

[4] COBIT 5: A Business Framework for the Governance and Management of Enterprise IT

[5] National Institute of Standards and Technology, Information Technology Laboratory, Computer Security Division, Special Publications (800 series)
