RealTime IT News

Use Risk Management to Make Security Proactive

IT departments know that they need to modernize, but a fundamental cultural change requires leadership from the top of the org chart, said one consultant and author.

"This is not just information security," John Pironti, president of IP Architects, told InternetNews.com. "This is true business alignment." Pironti will be giving a speech on the subject, called "Information Security 2.0: Transforming Information Security to Information Risk Management," this week at the ISACA International Conference.

"Security has to start at the top," he said. The board of directors of the company decides where the risks lie. The IT manager becomes the Chief Information Security Officer (CISO), reporting to the CIO and also to the board.

"Most security people don't understand risk -- they understand threats," Pironti said. "Threats are just one input into the risk equation. Others come from operations, strategy, and marketing.

"Where does the business find value? Most executives are more worried about availability than security," he added. "Organizations will sometimes leave systems up if they're compromised because availability wins. You don't need security if you can't have availability."

Pironti explained that he's not arguing for less security. In some cases, less security may make sense. "If it's marketing data that I give away at trade shows and I want people to have it, then go ahead and sniff away on the network." Instead, he argues for more appropriate and effective security. "I'm arguing for a meaningful analysis of security needs based on conversations, deployed in areas with a high threat likelihood and a high impact to the business if a threat occurred. The many controls now in place may not make sense."

For example, Pironti said that many datacenters have bulletproof glass even in non-military environments where a frontal assault on the datacenter is not expected.

"If we have other filters, do we still need a stateful inspection firewall? It's still required by standards. Heartland is doing end to end encryption. Ironically, it can take away the ability to do network protection by disabling the ability to inspect traffic. So when you implement security, you need to think about what threat you are worrying about."

Pironti said that compliance standards are threat-based, not risk-based, and can be an obstacle to changing the IT mindset. "My biggest fear is security by compliance. It's spending all your time thinking about an audit and none thinking about what's important to you. The PCI conversation is outdated in my mind. PCI is a baseline and I think we need to move beyond it."

He added that the FTC's Red Flags Rule was manipulated by lobbyists so that the banks could meet the standard immediately.

Even Heartland, which suffered a real breach, should think about costs as it implements stronger security. "Heartland was off the PCI lists for two months. It was fined $7 million to $12 million. Senior business leaders know that they can mitigate that risk with insurance. Why buy $14 million of controls when instead you can buy less and also buy insurance?"