When I first started working in Information Security, I was dragged into it kicking and screaming. It was one of the most dreaded additional duties that the military had and unlike most other additional duties, it was a never-ending stream of forms and paperwork and the need to memorize Air Force Regulation (AFR) 125-37. Security was easy; an anti-malware program, a firewall, a locked door and you pulled the plug on the modem before you left for the evening.
Current systems are highly complex, interconnected environments that are connected 24x7, where there is no real perimeter and the firewalls and anti-malware applications of the past are woefully inadequate. The only way to address this is to understand and manage it: to understand how systems and actions within the enterprise change the risk to the enterprise.
By understanding enterprise risk and what our high value assets are, we can change the architecture of our networks and systems to reduce the risks, update and harden the configurations to reduce them further, accept the risks, or simply remove the systems. The Executive Leadership Team and the Board of Directors give clear guidelines in the Business Impact Analysis that define the level of risk they are willing to accept for the high value assets and the support systems. Thus, the Business Impact Analysis combined with a risk analysis tells the CISO exactly where their efforts should be focused when it comes to securing the enterprise. Failing to do so will result in the modern-day enterprise version of the Maginot Line.
Through risk management, the CISO, the CIO, and the Executive Leadership Team have a clear understanding of the level of risk that is acceptable according to the Business Impact Analysis, and as such can use the risk management process to help define where limited resources need to be applied to meet not only the functionality required by the enterprise, but also the level of risk acceptable to the leadership. Should adequate resources not be available, the risk management plan can be used as justification for added resources, or for not implementing systems that increase the risk to the enterprise. Ultimately, it is important for the CIO and CISO to understand that the risk tolerance of the enterprise is a business decision, not a technical one.
More and more enterprises are being forced to comply with new laws governing the confidentiality of client and corporate data, the integrity of that information, and its availability to those authorized to access it when they need it. As regulatory requirements such as the Defense Federal Acquisition Regulation Supplement (DFARS), the Health Insurance Portability and Accountability Act (HIPAA), the Federal Financial Institutions Examination Council (FFIEC) guidance, and many others evolve, the focus has turned away from prescriptive regulatory requirements to risk-focused examination that addresses what they were originally intended to address: protecting the confidentiality, integrity, and availability of enterprise information assets and information systems.
In October of 2018, I went through the first FFIEC ACET examination, and the focus by the examiners was on evaluating and managing the risk in the environment. In February 2019, I went through an ACET examination by the National Credit Union Administration, and the focus was completely risk based. Based on my first examination, we had prepared all the information they requested and included a risk assessment from December 2018. We also established a program where we will be providing bi-weekly or monthly updates to the risk analysis based on the risk analysis performed during the change management process and on monthly vulnerability scans.
Evolution of Risk Management
Like all good programs, we have reached a plateau where we can no longer improve upon how we assess and manage risk, or so many people think. While the changes from the prescriptive order, where we put steel doors on grass huts, to the current risk-focused management of security in the enterprise are quantum leaps, it is not over yet. The annual risk assessment and subsequent actions measure and address the risk of an enterprise at a moment in time. The other 364 days, the risk status is all but unknown and can change in an instant. We are moving towards a new era where the integration of vendor risk management, change management, continuous monitoring, vulnerability management, and threat analysis in real time will change how risk management is accomplished, and risk will become another continuously assessed and monitored function within the enterprise. The granularity will also change as we shift the focus from an enterprise system to a system of systems, and ultimately we will examine the risk within the enterprise by monitoring data flows between those systems as they traverse from datacenters to clouds, to terminals, and to our customers, uninhibited by the security perimeters of the past.
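As an added illustration, not code from the article, the continuous approach described above (and the bi-weekly scan and change-management updates mentioned earlier) can be sketched as a small risk register: each feed updates an asset's open findings, the resulting risk score is compared against the tolerance the Business Impact Analysis assigned to that asset, and anything over tolerance is surfaced for the CISO. The 1..5 likelihood/impact scoring model, the asset names and the finding identifiers are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
# Scoring model is an assumption for this example: likelihood and impact are
# rated 1..5 and risk = likelihood * impact, compared against the tolerance that
# leadership set for each high-value asset in the Business Impact Analysis.
SEVERITY_TO_LIKELIHOOD = {"critical": 5, "high": 4, "medium": 3, "low": 2, "none": 1}

@dataclass
class Asset:
    name: str
    impact: int       # BIA impact rating, 1..5
    tolerance: int    # highest risk score leadership will accept
    open_findings: dict = field(default_factory=dict)  # finding id -> severity

    @property
    def likelihood(self) -> int:
        # Worst open finding drives likelihood; no findings means baseline 1.
        worst = max(self.open_findings.values(), key=SEVERITY_TO_LIKELIHOOD.get, default="none")
        return SEVERITY_TO_LIKELIHOOD[worst]

    @property
    def risk(self) -> int:
        return self.impact * self.likelihood

def apply_scan(register: dict, scan: list) -> None:
    """Monthly vulnerability-scan feed: record each open finding on its asset."""
    for f in scan:
        register[f["asset"]].open_findings[f["id"]] = f["severity"]

def apply_change(register: dict, change: dict) -> None:
    """Change-management feed: a completed change closes the findings it fixed."""
    for fid in change["remediates"]:
        register[change["asset"]].open_findings.pop(fid, None)

def over_tolerance(register: dict) -> list:
    """Names of assets whose current risk exceeds BIA tolerance, worst first."""
    hot = [a for a in register.values() if a.risk > a.tolerance]
    return [a.name for a in sorted(hot, key=lambda a: a.risk, reverse=True)]

# Constructed sample data: two high-value assets, one scan, one change record.
REGISTER = {"core-banking": Asset("core-banking", impact=5, tolerance=10),
            "hr-portal": Asset("hr-portal", impact=3, tolerance=9)}
SCAN = [{"asset": "core-banking", "id": "V-1", "severity": "high"},
        {"asset": "hr-portal", "id": "V-2", "severity": "medium"}]
CHANGE = {"asset": "core-banking", "remediates": ["V-1"]}

if __name__ == "__main__":
    apply_scan(REGISTER, SCAN)
    print("after scan:", over_tolerance(REGISTER))    # ['core-banking']
    apply_change(REGISTER, CHANGE)
    print("after change:", over_tolerance(REGISTER))  # []
```

Running the register after every scan import and every closed change ticket, rather than once a year, is what turns the annual snapshot into the continuously assessed function the text describes.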