Director, Information Security
Peter Gregory is a director in Optiv's Office of the CISO. He is a leading security technologist and strategist with a long professional history of advancing security technology, compliance and risk management at all levels of corporate culture. He has published more than 40 books and authored more than 30 articles for leading trade publications in print and online.
What Makes Organizations Resilient and Why You Should Care
Information systems are inherently fragile. Operating systems and applications are very complex machinery, and considering how many changes (such as security patches and feature upgrades) are made to them, it should not be surprising that they can be unstable at times. The outage trifecta in which United Airlines, the New York Stock Exchange and the Wall Street Journal all suffered significant outages on the same day is just one recent example.
From a security perspective, organizations that are effectively resilient employ security controls based on the actual risk of breach, not based on emotion or the attractiveness of shiny objects. And from a reliability perspective, mature organizations have formal IT service management processes that govern all aspects of IT development and operations.
Mature organizations run risk management processes that draw on multiple sources of risk and threat data: information obtained externally from threat intelligence vendors, as well as internal vulnerability information. These processes produce repeatable outcomes when classifying and ranking risk, rather than relying solely on gut instinct or emotion, as is common today.
Most of these same mature organizations have implemented modern IT management processes, whether ITIL (IT Infrastructure Library), ISO 20000 or DevOps. These frameworks include change management, configuration management, capacity management and incident management. IT organizations that use these processes experience fewer instances of unscheduled downtime.
Frankly, few organizations are doing good, repeatable risk management. Too many CISOs are instead attracted by the latest tools, without regard to whether those tools are the most effective way to reduce risk in their particular organization.
Without an effective risk management process, organizations are buying security tools based on FUD (fear, uncertainty and doubt) that is sometimes conveyed by vendors. Organizations are also purchasing tools because their counterparts in other organizations implemented those same tools. A risk management process takes the emotion out of the decision-making process to purchase tools or services.
Recently, a CISO for a major city told me, “We buy shiny objects.” The impression I was given was that it was a cry for help, like someone with an addiction who confessed it as a way of asking for help to be free of it. Sadly, most organizations are buying security solutions without a solid basis in risk management, and few realize that this glaring deficiency should be considered a bigger defect than any technical vulnerability in their IT infrastructure.
So what can be done? You should conduct a risk assessment to determine where the biggest risks are. Further risk analysis will point to viable solutions. Find a trusted, competent security partner organization to conduct the risk assessment. A trusted partner will be objective and will act with the client’s best interests at heart.
Organizations with sufficient resources can even build their own risk management program and do many of their own risk assessments. But even then, getting an objective opinion provides added value.