Special thanks to eGroup CEO Mike Carter whose post on this topic prompted me to write my own.
Retired General Michael Hayden, the former Director of the CIA and NSA, attended the second-annual ZertoCON conference as a keynote speaker. His topic of choice, risk and risk management, came as no surprise given his decades of experience in the field. One surprise did come later, though, during my conversations with several customers and partners on Gen. Hayden’s thoughts on the classic risk equation:
Risk = Threat x Vulnerability x Consequence
Specific to the information technology field, the surprise for me was the high number of people and organizations focused on blanket approaches to threats and vulnerabilities as opposed to a more targeted strategy. The problem I have with the generalized posture is that threat, as General Hayden likes to say, “is asymmetrical and all advantage goes to the attacker”. You can detect-and-deny the threats you know. You can patch the gaps you know. I say this having invested in exactly the same way back when I was the one with the budget! But there are always new tools, new attack vectors, new bugs, and more bad actors. Not to mention that the latest and hottest projects in technology right now – the joining together of automation, artificial intelligence, and machine learning systems – means we will soon face an exponential increase in the types and volumes of threats to people and information.
Will, not may.
Suddenly that blanket approach doesn’t seem like it could ever big enough, but we sure keep throwing money at it.
I’m not advocating we ignore threat mitigation as an organizational strategy. After a week at ZertoCON where we had several sessions on Ransomware and unpatched vulnerabilities, I won’t say we should abandon vulnerability mitigation either. But threats increase, always. And vulnerabilities? The next zero-day exploit is lurking right around the corner.
Can we direct our limited resources instead of taking a blanket approach?
It turns out we can. Consequence, unlike our other two variables, can be rather accurately qualified and quantified. What happens if this system is breached? What happens if we lose access to that data? Is it a $1,000 loss? A $10,000,000 loss? A brand impact? Just a grouchy business unit that is otherwise unaffected? Once you identify those real outcomes that loss might lead to, map out where you are spending your resources, and ask yourself do those mappings still make sense? Or should you be shifting resources around and investing in ways that take a targeted approach to addressing your risk profile?
Spending time and money attempting to address threats and vulnerabilities without first understanding consequence is a losing game. Assess the consequences of application and information loss first and you’ve got the beginnings of a sound strategy. Only when you know the consequences – the impact of losing an application or losing control of or access to your data – can you hope to properly direct your resources as you work to deliver certainty in an uncertain world.