The Lost Art of Managing Risk

December 14, 2006

The speed at which technology evolves and is adopted is increasingly outrunning our ability to assess and manage its impact on the business. That overrun creates large governance and operational gaps, which in turn produce exposure and misalignment. The result is that organisations lose focus on the things that matter most: the survivability and ultimate growth of the business.

Today's constantly expanding chain of technically complex security point solutions does not necessarily reduce or effectively manage risk. These products mitigate specific threats and vulnerabilities, but they do so without any context for the assets they are tasked to protect, and at a cost that may exceed the value of those assets.

One obvious illustration of this risk gap is how disconnected today’s enterprise security and networking staff remain even when their business interests should be very closely aligned.

To prove this point, ask your network team whether they know what the OCTAVE or COBIT frameworks are and how current operational security practices map to either of them. Then ask the security team whether they know how MPLS VRFs, BGP route reflectors or the spanning tree protocol function at the network level, and how these technologies might affect the enterprise's risk posture. Both parties serve the business with the common goal of balancing security with connectivity, yet neither speaks the other's language. This illustration defines the problem at hand: how do we make sure that we deliver exactly what the business requires to protect its most critical assets, in a manner fitting the organisation's risk profile, and no more?
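The two paragraphs above make a quantitative claim: a control is only worth deploying when it is tied to the value of the asset it protects and to the organisation's risk profile, and it should cost no more than that. The article does not prescribe a model, so the following added example (not code from the article or its author) uses the common annualised-loss-expectancy approach, where expected loss is asset value multiplied by the exposure factor per incident and the expected number of incidents per year; every asset, threat, control and figure below is constructed for illustration. The check flags three cases a practitioner would want to see in a risk register: a control whose annual cost exceeds the value of everything it protects, a control whose cost exceeds the loss it removes, and a control that pays for itself.

```python
"""Added example: tie each security control back to the assets it protects.

Model and sample data are assumptions for illustration, not from the article.
Expected loss per year = asset value * exposure factor * incidents per year.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    value: float  # business value of the asset in currency units


@dataclass(frozen=True)
class Threat:
    name: str
    asset: str             # name of the asset this threat acts on
    exposure_factor: float  # fraction of asset value lost per incident (0..1)
    annual_rate: float      # expected incidents per year


@dataclass(frozen=True)
class Control:
    name: str
    threats: Tuple[str, ...]  # names of the threats it mitigates
    annual_cost: float
    effectiveness: float       # fraction of expected loss it removes (0..1)


def annualised_loss(asset: Asset, threat: Threat) -> float:
    """Expected yearly loss from one threat against one asset (constructed model)."""
    return asset.value * threat.exposure_factor * threat.annual_rate


def evaluate_controls(
    assets: List[Asset], threats: List[Threat], controls: List[Control]
) -> Dict[str, Tuple[float, float, str]]:
    """Return {control name: (yearly loss removed, yearly cost, verdict)}.

    Verdicts, checked in order:
      'exceeds asset value' - the control costs more per year than the assets
                              it protects are worth (the article's cost > value case)
      'not justified'       - cheaper than the assets, but removes less loss than it costs
      'justified'           - removes more expected loss than it costs
    """
    assets_by_name = {a.name: a for a in assets}
    threats_by_name = {t.name: t for t in threats}
    results: Dict[str, Tuple[float, float, str]] = {}
    for control in controls:
        benefit = 0.0
        protected = set()
        for threat_name in control.threats:
            threat = threats_by_name[threat_name]
            asset = assets_by_name[threat.asset]
            protected.add(asset.name)
            benefit += annualised_loss(asset, threat) * control.effectiveness
        protected_value = sum(assets_by_name[n].value for n in protected)
        if control.annual_cost > protected_value:
            verdict = "exceeds asset value"
        elif benefit <= control.annual_cost:
            verdict = "not justified"
        else:
            verdict = "justified"
        results[control.name] = (round(benefit, 2), control.annual_cost, verdict)
    return results


# Constructed sample register (values are illustrative, not real figures).
ASSETS = [Asset("customer-db", 500_000.0), Asset("marketing-wiki", 20_000.0)]
THREATS = [
    Threat("db-breach", "customer-db", exposure_factor=0.4, annual_rate=0.25),
    Threat("wiki-defacement", "marketing-wiki", exposure_factor=0.1, annual_rate=2.0),
]
CONTROLS = [
    Control("db-encryption", ("db-breach",), annual_cost=15_000.0, effectiveness=0.8),
    Control("wiki-waf-appliance", ("wiki-defacement",), annual_cost=25_000.0, effectiveness=0.9),
    Control("spare-ids", ("wiki-defacement",), annual_cost=5_000.0, effectiveness=0.5),
]

if __name__ == "__main__":
    for name, (benefit, cost, verdict) in evaluate_controls(ASSETS, THREATS, CONTROLS).items():
        print(f"{name:20} removes {benefit:>9.2f}/yr  costs {cost:>9.2f}/yr  -> {verdict}")
```

Run as a script it prints one line per control. The point of the ordering in `evaluate_controls` is that the "exceeds asset value" check comes first: an appliance that costs more than the wiki it guards is wrong regardless of how effective it is, which is exactly the disconnect between product and protected asset that the article describes.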

Technology visions spiral out of control when decoupled from risk. The most blatant example is the promise of security embedded in the network, or of all-in-one single-vendor appliances. Some predict the evolution of the network into a sentient platform, aware of, and able to interact with and control, the applications and data that travel over it. These vendors claim that security will simply be subsumed by the "network" as a function of service delivery, since applications and data will be provided by a network platform completely aware of everything that traverses its paths. It will supposedly apply clearly articulated business processes and eliminate complex security problems by mitigating threats and vulnerabilities before they can exploit an attack surface.

However, these glimpses into the future are still a narrowly focused technology endeavour, without the intelligence necessary to make business decisions outside the context of bits and bytes. Moreover, the deeper information security is pushed down into the stack, the less survivable our assets and businesses become, because a security system embedded that deeply cannot operate independently of the organ it is protecting.

Applying indiscriminate layers of security is the wrong thing to do. It adds complexity, drives costs, and makes manageability and transparency second-class citizens.

What is needed is a "dumb" network connectivity layer with high speed, low latency, high resiliency, and predictable throughput and reliability, plus an "intelligence" layer that delivers value-added services via open, agile and extensible solutions. Best-of-breed, consolidated Unified Threat Management (UTM), based upon a sound risk management model, provides the required security value with maximum coverage exactly where and when it is needed, and at a cost that can be measured, allocated and applied to manage risk most appropriately.

Such an investment in the practical art of risk management holds the solution to many of today's business problems, which are all too often mislabelled as information security issues. It is time to move away from throwing disparate appliances at threats and vulnerabilities without a rationalised link between them, towards network security architectures and risk management solutions that are implemented in an integrated way.