Analytics-Based Risk Management
While rigorous, analytics-based risk management is ideal, doing it in a robust manner is inherently difficult for the IT industry because of the qualitative approaches commonly used today. In industries rich in quantitative analysis, such as the financial and insurance sectors, the risk management process is far more rigorous and intensive. Insurance actuaries, for example, can apply an array of quantitative processes to model and simulate risk, which allows them to determine and ultimately monetize risk for their customers. Reliable, quantitative approaches to understanding enterprise risk in the IT industry, on the other hand, are relatively new. However, given increasing threats and the massive amounts of data generated by the sensors and protection devices being deployed across the enterprise, government and industry IT must adopt these new analytic approaches in order to secure their environments more effectively.
Security risk management is a highly customized approach used to support the mission of each agency’s infrastructure and the government enterprise. Analysis must focus on identifying what an incident actually means for each system and how it will affect the mission that system supports. With a detailed understanding of what a breach would mean to each specific mission system, the agency can then decide what level of financial resources it is willing to direct toward that system’s defense. In some cases, the cost of defense will outweigh the effects of the incident. In others, cost is subservient to protecting the mission. This is security risk management for mission assurance: determining which risks are acceptable and which are not, and what their potential impact on the agency mission would be.
As the nascent field of cyber-risk management — a.k.a. security analytics — takes shape, private enterprise has begun to lead the way. For example, scientists at HP Labs and Citicorp worked together to help the financial industry combat cyber-threats by addressing the problem using modeling and simulation to understand the impacts of various security investments. This approach allowed Citicorp to make security investment decisions based on thoroughly modeled outcomes, which ultimately led to tradeoff decisions on vastly different controls (host intrusion prevention systems versus patch automation). This is a real example of investing in security that matters most while working within a specific budget. In support of government IT security, technology companies are using this commercial expertise to help government decision-makers create safer environments.
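The modeling-and-simulation approach described above can be sketched in code. The following is an added, illustrative example, not the HP/Citicorp model and not code from the article: a small Monte Carlo simulation that estimates the expected annual loss under each candidate control and ranks the affordable ones by expected total cost (loss plus spend). Incident rates, loss distributions, control costs and control effects are all constructed assumptions.

```python
# Added example: Monte Carlo comparison of security investments by expected loss.
# Illustrative model only; every parameter is a constructed assumption.
import math
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float   # yearly spend on the control
    rate_factor: float   # multiplier on incidents per year (1.0 = unchanged)
    loss_factor: float   # multiplier on loss per incident (1.0 = unchanged)

def annual_loss_sample(rng, rate, loss_mu, loss_sigma):
    """One simulated year: Poisson incident count, lognormal loss per incident."""
    if rate <= 0:
        return 0.0
    loss, t = 0.0, rng.expovariate(rate)   # exponential inter-arrival times
    while t < 1.0:
        loss += rng.lognormvariate(loss_mu, loss_sigma)
        t += rng.expovariate(rate)
    return loss

def expected_annual_loss(control, base_rate, loss_mu, loss_sigma,
                         years=20000, seed=7):
    """Mean simulated loss per year with the control applied (the ALE)."""
    rng = random.Random(seed)   # fixed seed keeps the comparison reproducible
    rate = base_rate * control.rate_factor
    total = sum(control.loss_factor * annual_loss_sample(rng, rate, loss_mu, loss_sigma)
                for _ in range(years))
    return total / years

def rank_controls(controls, budget, base_rate, loss_mu, loss_sigma, **kw):
    """Affordable controls sorted by expected total cost (ALE + control spend)."""
    scored = [(c.annual_cost + expected_annual_loss(c, base_rate, loss_mu, loss_sigma, **kw), c)
              for c in controls if c.annual_cost <= budget]
    return sorted(scored, key=lambda s: s[0])

# Constructed scenario: ~4 incidents/year, median loss 50k with a heavy right tail.
BASE_RATE, LOSS_MU, LOSS_SIGMA = 4.0, math.log(50_000), 0.8
CONTROLS = [
    Control("no new control", 0, 1.0, 1.0),
    Control("patch automation", 60_000, 0.5, 1.0),  # halves exploitable exposure
    Control("host IPS", 120_000, 0.5, 0.3),         # fewer and smaller incidents
]

if __name__ == "__main__":
    for budget in (100_000, 200_000):
        cost, best = rank_controls(CONTROLS, budget, BASE_RATE, LOSS_MU, LOSS_SIGMA)[0]
        print(f"budget {budget:>7,}: choose {best.name} (expected {cost:,.0f}/yr)")
```

With these constructed numbers the host IPS option has the lowest expected total cost but only fits the larger budget; under the smaller budget patch automation is the best affordable choice, which is the kind of budget-constrained tradeoff the paragraph describes.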
In the current cyber-environment, one thing is certain: There will be unscrupulous attacks against our government infrastructures and systems. These threats are becoming more sophisticated and persistent. Undoubtedly there will be many vulnerabilities in the enterprise — both known and unknown. Some will be identified and remediated quickly, while others will remain undiscovered for months or potentially years. Understanding this dynamic underscores the enormous importance of using a rigorous risk management process to determine which assets matter and what level of risk is acceptable to the agency’s mission owner. Applying this core management principle of risk versus reward to cyber-security is one of the few methods through which we will see lasting success. Ultimately, mission owners and IT leaders must decide for themselves to choose the security that matters.
Sam Chun is director of Cyber Security Practice — U.S. Public Sector for Hewlett-Packard.