
Leading Thoughts

"Leading Thoughts" is a new addition to the EmeSec website. Here you will find short summaries of current thinking relevant to EmeSec, information assurance, our customers, and the business of security.

Random Security Threats are Relevant to Successful Risk Management Too!

Risk management is the prioritization of risks. Those risks may encompass information assurance (IA) and cyber security, or they may concern everyday business operations. The visibility of real and virtual security risks directly relevant to the success and growth of an organization continues to increase as regulatory compliance, reputational litigation, and data management issues grow. The result of this changing landscape is a change in how organizations perceive, measure and manage risk. Risk has been assessed both qualitatively (high, medium and low) and quantitatively. Federal and other government organizations have often addressed risk response and management through compliance with standards, while commercial organizations tend to focus on the costs of liability, reputation and restoration of data. Risk, and the practice of risk management, are evolving toward a more dynamic evaluation through continuous monitoring (NIST SP 800-137), so that the snapshot of measured risk is both more realistic and responsive to operational change.

More recently, another risk perspective has been gaining legitimacy in the evaluation of information assurance, cyber security, and business resilience: The consequences of high impact, low frequency (HILF) events. This change in risk perspective began following 9/11, but was better articulated in 2007 through the book, “The Black Swan: The Impact of the Highly Improbable” by Nassim Nicholas Taleb.

The three characteristics of a “black swan” event include:

  1. The event is an outlier which is considered almost inconceivable based on past trends
  2. The event carries an extreme impact
  3. Retrospective belief (concocted by humans) that it was predictable

One example of a Black Swan may be the Pacific tsunami of December 2004. Had it been expected, it would not have caused the damage it did – warnings, evacuation of individuals and other preparations might have blunted the effect.

Our IA and cyber security experts continue to spend money on strengthening security best practices and devote considerable time and effort to compliance documentation, automated scanning and patching, continuous monitoring and technical testing. Our business practices tend to focus on compliance, addressing the obvious weaknesses in security controls. Success, sustainment and ongoing performance may actually depend on the ability to consider the low-probability, high-impact events that randomly disrupt the mission of the organization.

As the business and government worlds rely on consistent access to information, financial stability, and reputation, information security programs must consider unlikely events alongside the obvious protections for networked infrastructure. Imagine, as one example, losing your corporate portal and all of its data. Although a black swan cannot be predicted, the security professionals at your organization should incorporate some high-impact, unlikely "wild card" events into their preparedness planning. Historically, we tend to treat the last major security event as the most likely next one. Consider some random threats as you move forward in 2011.

EmeSec incorporates a security focus that looks at the obvious risks, the compliance standards, as well as some unique events we’ve experienced for our customers’ benefit.