Author: Derek Brink
What a joy it is to be understood! Yet many security professionals find it difficult to be understood by the business decision-makers they are trying to advise.
“They just don’t get it,” we say. And we grumble that our committed, faithful, and honorable efforts to protect the company and its assets are under-recognized, under-appreciated . . . and under-funded.
Of course, we could start trying to speak the same language. That would probably yield better results.
The way we talk about risk is a prime example of how we habitually miscommunicate. Security professionals mistakenly think they are talking about risk, when they are, in fact, talking about threats, vulnerabilities, and exploits. Some examples include
- Phishing attacks: This is not a risk. It’s an exploit of a very common vulnerability (humans).
- OWASP Top 10: These are mistakenly described as “The 10 Most Critical Web Application Security Risks,” but they are not risks. They’re vulnerabilities and exploits.
- Advanced persistent threats: This isn’t a risk. It’s a threat. (Even when we get the name right, we get it wrong.)
- Rootkits: This is not a risk. It’s a type of exploit.
As security professionals, we tend to go on and on, talking about threats, vulnerabilities, exploits, and the technologies that help to defend against them, and we think we’re talking about risk. Meanwhile, the business decision-makers we’re trying to advise are confused and frustrated.
So, what is the right language? What is risk?
Shon Harris, author of the popular CISSP All-in-One Exam Guide, defines risk as “the likelihood of a threat agent exploiting a vulnerability, and the corresponding business impact.” Douglas Hubbard, author of The Failure of Risk Management: Why It’s Broken, and How to Fix It, defines risk as “the probability and magnitude of a loss, disaster, or other undesirable event.” (And in an even simpler version: “something bad could happen.”)
To be very clear, it’s not that there are multiple definitions of risk, or that the definition of risk is unclear. It’s that we as security professionals aren’t speaking the right language. When we speak about security risks, we should be speaking about the probability of successful exploits, and the magnitude of the corresponding business impact.
Imagine yourself in the role of the business decision-maker, and imagine that your subject matter experts presented you with the following assessment of risks related to endpoint security:
- Cleverly engineered stealth malware, rootkits, is designed to evade detection, and persists on endpoints for prolonged periods of time. And new strains of malware are targeting an area of endpoints that performs critical start-up operations, the master boot record, which can provide attackers with a wide variety of capabilities for penetration, persistence, and control. In both cases, we may already be infected, but not even aware.
- There is a 15 percent probability that an endpoint security exploit will result in business disruption and productivity losses that may exceed $5M.
Which of these would be more helpful to you in terms of informing a decision about endpoint security? (It should go without saying that this point could just as easily apply to managing identities and access, or data protection, or application security, or mobility initiatives, and so on. Endpoint security is just an illustrative example.)
Clearly, the second option is more helpful. And the second option is properly framed in terms of risk.
In no way does this guarantee what the actual decision will be. One decision-maker might conclude, “I approve your request to invest in additional endpoint security controls to reduce this risk,” while another decision-maker might conclude, “that’s a risk I’m willing to live with.” But that’s okay—as security professionals, we will have done our job.
By better understanding how to communicate about security risks, we will also enjoy the benefits of being better understood.
About the Author:
Derek E. Brink, CISSP is a Vice President and Research Fellow covering topics in IT Security and IT GRC for Aberdeen Group, a Harte-Hanks Company. He is also a adjunct faculty with Brandeis University, Graduate Professional Studies teaching courses in our Information Security Program. For more blog posts by Derek, please see http://blogs.aberdeen.com/category/it-security/ and http://aberdeen.com/_aberdeen/it-security/ITSA/practice.aspx