
Trustworthy Computing

CISO Perspectives: Today's Risk, August 2013

CISO Perspectives
CISO Perspectives provides insight into some of the key questions facing information security (IT) professionals today. These articles are based on interviews and discussions with chief information security officers (CISOs) and information security and risk specialists from Microsoft and the industry. This article discusses some of the key challenges, success factors, and potential solutions for today's risk environment.

Risk today
In today's rapidly changing information security and data protection environment, there is a need to move from a reactive, threat-based security model to a more proactive and efficient risk-based model. According to the International Organization for Standardization (ISO) publication 31000, risk is defined as "the effect of uncertainty on objectives" [1]. IT risk, and indeed information risk, are not further defined by ISO 27005 [2], and are left to the relevant organization to approach, define and manage as it sees fit.

[1] ISO 31000:2009, Risk Management: Principles and Guidelines on Implementation
[2] ISO/IEC 27005:2011, Information technology, Security techniques, Information security risk management


For this article we interviewed several information security and risk specialists to gain insight into how they define and approach risk, and into the resources they would recommend to help other information security professionals understand and manage risk.

Approaches
The ability of the enterprise to define what risk is, and information risk in particular, serves to empower the business and to create the different categories of risk that different organizations are concerned with. In fact, within information risk, the focus on different categories and the definition of what pertinent risk is vary. The understanding of business risk in most organizations today is robust and, typically, an overall enterprise risk management program reports to the board of directors within large companies. Quantifying and managing risk, in general, is perceived as part of good governance. Information security is, properly, one of the risk elements under consideration today. While the way businesses identify and evaluate their information security risk has evolved over time, today information security risk is correctly categorized as part of business risk.

"At Microsoft," says Bret Arsenault, Chief Information Security Officer, Microsoft, "we include information security risk as part of the overarching operational risk for the company. Whereas risk is identified by the information security group, it is owned by the business, not by the IT group."

In our conversations with CISOs we found that the information security approach used by many in the industry focuses on threats and mitigation. As Jerry Pittman, Director, Global Information Security for Cummins, says, "Previously we focused on the threat landscape and how to protect from threats, [but now we] have moved from a threat-based model to a risk-based approach. This allows us to utilize our budget more effectively by prioritizing and targeting our highest risks first."
Greg Schaffer, Chief Information Security Officer, FIS Global, adds: "Information security has always been an exercise in risk management, and it [information security] interacts with other risks." We also verified that, as expected, the more regulated the industry a specific organization is in (financial services, health care, etc.), the more mature its approach to risk tends to be.

Risk focus
Attempting to ascertain an overarching focus of today's risk environment proved challenging. While CISOs shared an increased focus on regulatory compliance, another emerging focus is on cyber threats. There is general agreement that an increase in organized crime activity adds to the financial risks of today's attacks. Microsoft elects to look at the effectiveness of risk identification, risk controls, and processes to mitigate or accept risk. Interestingly, "Microsoft embeds risk management into the application lifecycle," says Bret Arsenault. Cummins, as Jerry Pittman suggests, focuses particularly on information and intellectual property risk: "Privacy and compliance [are] significant parts of the regulatory risk framework we address."

Definitions of risk
In our conversations, we found several interesting definitions of risk. Greg Schaffer suggests that part of risk management is deriving trust: "Delivering trust relationships involves creating a degree of confidence you are doing the right thing and only that, on a bad day, when an event does occur, our interest and the client's interest are managed to the benefit of everyone." This classic risk formula is well known [3]:
ALE = ARO × SLE

where ALE is the annualized loss expectancy (in US dollars, for example), ARO is the annual rate of occurrence, and SLE is the single loss expectancy. However, in the real world we find that rates of occurrence, and even single loss expectancies, are hard to calculate and ascertain. This situation leads to the soft measuring of risk. Soft (or casual) risk is measured as high, medium or low, and it can be all over the board. "Awareness and experience in the organization, and the as-it-is-delivered model driven by the organization's circumstances, allows us to better understand this soft risk," says Jerry Pittman. It is important to partner with your organization, as Greg Schaffer suggests: "Walking through scenarios and helping people understand is an important element of risk understanding for the business."

Resources
Several resources to identify, quantify, measure and mitigate risk were identified by the CISOs we spoke with. Those that were universally held in high regard included:

ISACA's (previously known as the Information Systems Audit and Control Association) COBIT [4];
ISO's 27000 and 31000 series of documents;
The US National Institute of Standards and Technology's (NIST) Special Publications (SP) documents, and in particular the 800 series [5];
And the Cloud Security Alliance's (CSA) efforts, in particular the Security, Trust & Assurance Registry (STAR).

Understanding the frameworks, including their specific orientation and strengths, as well as the differences between frameworks, is very important.

For more CISO Perspectives, visit http://aka.ms/cisoperspectives

[3] ALE at ISACA: http://www.isaca.org/Journal/Past-Issues/2003/Volume-2/Pages/Risk-Assessment-Tools-A-Primer.aspx
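The formula ALE = ARO × SLE and the soft high/medium/low fallback described above can be put to work in a small risk register. The following Python is an added example written for this page, not code from the article, from Microsoft, or from any of the CISOs quoted; the risk names, dollar figures, rates, the likelihood × impact matrix and the dollar thresholds are all assumptions constructed for illustration. It goes slightly beyond the text in two ways: it ranks the register highest-risk-first, which is the budget prioritization Jerry Pittman describes, and it checks whether a control's annual cost is below the ALE it removes, a standard use of the ALE figure once you have one.

```python
"""Risk register helper built around the article's formula ALE = ARO x SLE.

Added example, not code from the CISO Perspectives article or from Microsoft.
Risk names, dollar figures, rates, matrix and thresholds below are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Soft risk buckets, ordered from least to most severe (assumed scale).
LEVELS = ("low", "medium", "high")

# Likelihood x impact matrix used when ARO or SLE cannot be ascertained
# (assumed mapping; rows are likelihood, columns are impact).
SOFT_MATRIX = {
    "low":    {"low": "low",    "medium": "low",    "high": "medium"},
    "medium": {"low": "low",    "medium": "medium", "high": "high"},
    "high":   {"low": "medium", "medium": "high",   "high": "high"},
}


@dataclass
class Risk:
    name: str
    aro: Optional[float] = None        # annual rate of occurrence (events/year)
    sle: Optional[float] = None        # single loss expectancy (USD)
    likelihood: Optional[str] = None   # soft substitute when ARO is unknown
    impact: Optional[str] = None       # soft substitute when SLE is unknown


def ale(aro: float, sle: float) -> float:
    """Annualized loss expectancy: ALE = ARO x SLE."""
    if aro < 0 or sle < 0:
        raise ValueError("ARO and SLE must be non-negative")
    return aro * sle


def ale_to_level(value: float, high: float = 1_000_000, medium: float = 100_000) -> str:
    """Map a dollar ALE onto the soft scale; the thresholds are assumed."""
    if value >= high:
        return "high"
    if value >= medium:
        return "medium"
    return "low"


def soft_level(likelihood: str, impact: str) -> str:
    """Soft (high/medium/low) rating from the likelihood x impact matrix."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError("likelihood and impact must be one of %s" % (LEVELS,))
    return SOFT_MATRIX[likelihood][impact]


def assess(risk: Risk) -> dict:
    """Quantitative ALE when ARO and SLE are both known; otherwise fall back
    to the soft rating so that a mixed register stays comparable."""
    if risk.aro is not None and risk.sle is not None:
        value = ale(risk.aro, risk.sle)
        return {"name": risk.name, "method": "quantitative",
                "ale_usd": value, "level": ale_to_level(value)}
    if risk.likelihood is not None and risk.impact is not None:
        return {"name": risk.name, "method": "qualitative",
                "ale_usd": None, "level": soft_level(risk.likelihood, risk.impact)}
    raise ValueError("%s: supply (aro, sle) or (likelihood, impact)" % risk.name)


def prioritise(risks: list) -> list:
    """Highest risk first: by soft level, then by ALE within a level
    (qualitative entries have no ALE and sort after quantified ones)."""
    assessed = [assess(r) for r in risks]
    return sorted(assessed,
                  key=lambda a: (LEVELS.index(a["level"]), a["ale_usd"] or 0.0),
                  reverse=True)


def control_justified(ale_before: float, ale_after: float, annual_cost: float) -> bool:
    """A control pays for itself when the ALE it removes exceeds its yearly cost."""
    return (ale_before - ale_after) > annual_cost


# Constructed sample register: three quantified risks and two that could only
# be rated softly because nobody could defend a rate or a loss figure.
SAMPLE_REGISTER = [
    Risk("Ransomware outage on order system", aro=0.5, sle=3_000_000),
    Risk("Laptop theft with unencrypted data", aro=4.0, sle=50_000),
    Risk("Phishing-led credential compromise", aro=12.0, sle=5_000),
    Risk("Insider exfiltration of IP", likelihood="low", impact="high"),
    Risk("Regulatory fine for privacy breach", likelihood="medium", impact="high"),
]

if __name__ == "__main__":
    for entry in prioritise(SAMPLE_REGISTER):
        dollars = "" if entry["ale_usd"] is None else f"${entry['ale_usd']:,.0f}"
        print(f"{entry['level']:<8} {entry['method']:<13} {entry['name']:<38} {dollars}")
```

Running the file prints the ranked register. Qualitative entries carry no ALE, so within the same level they sort after quantified ones; that is a deliberate choice, since a defensible dollar figure is more actionable than a soft rating at the same level, and it makes visible which risks still need the "walking through scenarios" work that turns a soft rating into a number.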

[4] COBIT 5: A Business Framework for the Governance and Management of Enterprise IT
[5] National Institute of Standards and Technology, Information Technology Laboratory, Computer Security Division, Special Publications (800 series)

Trustworthy Computing Next
© 2013 Microsoft Corp. All rights reserved. This document is provided "as-is." Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it. This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes. Licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported.
