In my new report, The Risk Manager's Handbook: How To Measure And Understand Risks, I present industry best practices and guidance on ways to articulate the extent or size of a risk. More than the interpersonal, political, and leadership skills required of a risk management professional, defining how risks are measured and communicated is where I believe they prove their worth. If risk measurement techniques are too complicated, they may discourage crucial input from colleagues and subject matter experts... but if they are too simple, they won't yield enough relevant information to guide important business decisions. Great communication skills can only hide irrelevant information for so long.
This report includes factors to use in the risk measurement process, ways to present risk measurement data in meaningful ways, and criteria to use when deciding which of these methods are most appropriate. As always, your feedback is welcome and appreciated.
In addition, I will be covering a related topic with our Security and Risk Council in a session called Creating A High-Impact Executive Report along with my colleague Ed Ferrara at Forrester's upcoming IT Forum: Accelerate At The Intersection Of Business And Technology, May 25-27, in Las Vegas. Please join us if you can make it. Later in the week, I will be available for 1-on-1 meetings with attendees, and I'll also present sessions on linking goverannce and risk and establishing good vendor risk management practices. I hope to see you there.
I always have been interested in Enterprise Architecture. Enterprise Architecture is one of those terms that security professionals hear about but do not always know how it can benefit what they do. Recently a client asked Forrester to review their information security enterprise architecture. I was both excited and pleased to do so. One of my accomplishments is I hold a patent in software engineering for the traceability in software systems, supporting business and IT alignment. Several colleagues and I developed an approach to use different types of models, both business and technical, to model the enterprise. The Object Management Group at about the same time championed the notion of "Model Driven Architecture." The premise of theses ideas is that the enterprise can be modeled and the relationships between business processes and underlying systems identifed.
Information security, focused at people, process and technology can leverage many of the techniques of the enterprise architect to evolve the security posture of the organization from its current state to a more optimized state over time. This presents interesting opportunities for security professionals to look at their security processes and tools to determine if they are really meeting the needs of their organization.
Add to the discussion. I would like to know your thoughts on this topic. I will be posting more over the next several weeks.
Forrester receives a significant number of inquiries from clients requesting Forrester guidance on Information Security Metrics. Chief Information Security Officers (CISOs) need new types of metrics to address economic, legal, regulatory, human resource, communication as well as traditional IT information security concerns. Security metrics must evolve to show the information security effort provides quality, efficiency, and a correlation to cost reduction and profit improvement. CISO’s need new methods for demonstrating the value they and their programs create. Over the course of the next several months I will be working with our clients to provide additional guidance and insight into this important topic. Look for additional research from Forrester in a new information security metrics research paper series. As these papers develop I will comment on their development as well as important issues that surface as a result.
Today EMC’s security division RSA announced the acquisition of NAV (Network Analysis and Visibility) vendor NetWitness. Some pundits have suggested that this is a direct result of the recent breach of RSA, but Forrester has been aware that this acquisition was in the works long before the breach was known. In fact, the public announcement of the acquisition was delayed by the breach notification. It is fortuitous timing, however, as the RSA attack shows the need for improved situational awareness.
As a follow-up to my blog post yesterday, there’s another area that’s worth noting in the resurgence of interest in BC preparedness, and that’s standards. For a long time, we’ve had a multitude of both industry and government standards on BCM management including Australian Standards BCP Guidelines, Singapore Standard for Business Continuity / Disaster Recovery Service Providers (which became much of the foundation for ISO 24762 IT Disaster Recovery), FFIEC BCP Handbook, NIST Contingency Planning Guide, NFPA 1600, BS 25999 (which will become much of the foundation for the soon to be released ISO 22301), ISO 27031, etc. There are also standards in other domains that touch on BC, security standards like ISO 27001/27002.
And when you come down to it, several of the broad risk management standards like ISO 31000 are applicable. At the end of the day, the same risk management disciplines underpin BC, DR, security and enterprise risk management. You conduct a BIA, risk assessment, then either accept, transfer or mitigate the risk, develop contingency plans, and make sure to keep the plans up to date and tested.
In my most recent research into various BCM software vendors and BC consultancies, as well as input from Forrester clients, BS 25999 seems to be the standard with the most interest and adoption. In the US at least, part of this I attribute to the fact that BS 25999 is now one of the recognized standards for US Department of Homeland Security’s Voluntary Private Sector Preparedness Accreditation and Certification Program. The other standards are NFPA 1600 and ASIS SPC.1-2009. I’ve heard very few Forrester clients mention the latter as their standard.
During the last 12 to 18 months, there have been a number of notable natural catastrophes and weather related events. Devastating earthquakes hit Haiti, Chile, China, New Zealand, and Japan. Monsoon floods killed thousands in Pakistan, and a series of floods forced the evacuation of thousands from Queensland. And of course, there was the completely unusual, when for example, ash from the erupting Eyjafjallajökull volcano in Iceland forced the shutdown of much of Western Europe’s airspace. These high profile events, together with greater awareness and increased regulation, have renewed interest in improving business continuity and disaster recovery preparedness. Last quarter, I published a report on this trend: Business Continuity And Disaster Recovery Are Top IT Priorities For 2010 And 2011.
As we speak to companies worldwide, many express their frustration with the cost and complexity of physical tokens. Our staple response is: "Oh yes, these solutions are hard to integrate and operate, but they provide the extra level of security required in an enterprise environment." However, today’s RSA SecureID breach goes against our typical advice and demonstrates that even the most hardened solution is vulnerable to insider threats – as it appears that the information leaked by (or social-engineered out of?) an RSA insider caused the security hole.
This situation draws attention to two basic themes that we are consistently hearing about:
Monitor your employees' activities and behavior patterns; and
Use lighter-weight authentication such as adaptive and risk-based authentication.
Both topics are areas we plan to discuss in greater depth this year. Please stay tuned for more reports from us on these topics!
Of all the client inquiries and advisories we get related to risk management, one of the most frequent topics of discussion continues to be the role of risk management. Who should be involved? How? What should our objectives be? How should we measure success?
In an upcoming Security & Risk Council member meeting in London, I plan to take members through each of the five steps of ISO 31000 in an interactive workshop. We will discuss how to build repeatable and consistent processes, demonstrate that process to stakeholders, improve strategy and planning, and show support for relevant corporate functions and business units. If you’re interested in discussing this idea with me and other members of the Security & Risk Council, please consider joining us on March 16 in London. In order to qualify to attend, you must be a senior-level security and/or risk management executive in a $1B+ organization. Please click here for more details on the S&R Council or on the member meeting itself.
IBM's Watson (natural language processing, deduction, AI, inference and statistical modeling all served by a massively parallel POWER7 array of computers with a total of 2880 processors with 15TB RAM) beat the greatest Jeopardy players in three rounds over the past 3 days — and the matches weren't even close. Watson has shocked us, and now it's time to think: What's in it for the security professional?
The connection is easy to see. The complexity, amount of unstructured background information, and the real-time need to make decisions.
Forrester predicts that the same levels of Watson's sophistication will appear in pattern recognition in fraud management and data protection. If Watson can answer a Jeopardy riddle in real time, it will certainly be able to find patterns of data loss, clustering security incidents, and events, and find root causes of them. Mitigation and/or removal of those root causes will be easy, compared to identifying them . . .
For the second year in a row, I have the honor of hosting our Security Forum EMEA in London, March 17th - 18th. This is Forrester's 5th annual Security Forum in Europe, and each year brings a larger, more influential audience and more exciting Forrester and industry keynotes. The theme of this year's event builds on our fall event in Boston - Building The High-Performance Security Organization. It would have been easy to focus the event on one of the myriad of threats and challenges facing security and risk (S&R) professionals today — from the emergence of advanced persistent threats to the security and risk implications of cloud services, social technologies and consumer devices in the workplace — but the real challenge for S&R professionals is not in the specific response to today's threats. It's building the oversight and governance capabilities, repeatable processes, and resilient architectures that deal with today's threats but can also reliably predict, analyze, mitigate, and respond to tomorrow's threats and new business demands. For many of us in security, we are mired in day-to-day operational responsibilities — or as some of us like to call it, the Hamster Wheel Of Hell.