Sunday, October 2, 2005

Risk

Another rambling post...

I've been reading various presentations and papers from recent conferences. Couple that with my recent knighting as a CISSP (yeah, last year I couldn't spell CISSP, now I is one) (don't ask me to say anything nice about it) and I have a schizophrenic thought: there's a difference between a business's view of security and a practitioner's view of security.

The business view of security is, and always will be, a money-based decision. Various certifications teach that risk involves a hole (the vulnerability), the likelihood that it'll be exploited (the threat) and the expected cost of reparations in the event that the vulnerability is exploited. Various pseudo-mathematical formulas have been generated to justify what is usually an already-made decision.

Purists will be offended that I've said that but, in reality, most business operate somewhere to the left of the ideals taught by various certification organizations. In other words, most small businesses still don't (and won't) comply with SarbOx, GLB, HIPAA and/or FISMA. They either cannot afford to comply or they would just like to maintain their profit margins. (Maybe it was a formal business decision: risk of getting caught = not maintain protections or records X likelihood of discovery X possible fines?)

One thing that has irked me ever since someone tried to convince me of the correctness of tieing asset cost to the risk formula: the missing business costs.

Think of it this way: you have web server. You've made the "business decision" that a specific level of risk is acceptable and that you can tolerate four incidents per year before your business suffers excessive damages. (Remember, the cost of the protections must be less than the recovery costs.) What's missing? How about people?

If I'm your system administrator, I'll probably enjoy the overtime pay. The first time. If it's a recurring event, it's going to affect my personal life and I'm going to want a raise plus better overtime pay to counter-balance the loss of my personal life. That or I'm likely to be going to job interviews during my off-time. (Hint: Using "flex time" to keep me on a 40-hour per week timetable adds insult to injury.)

If I'm your customer, it's likely that my business depends on your business. I'm likely to leave after the first incident, especially if it's spectacular enough.

If I'm your investor, I'm not going to like that my profits go to your system administrators' overtime or that your customer base is shrinking. I think you'll find that your stock price drops at an "interesting" rate.

On the flip side, the practioner's view is usually just as narrow. System and network administrators often get so caught up in "fighting the threat" that they spend inordinate amounts of time "doing security" and allowing operations to suffer. They might spend so much time "locking things down" that the network becomes rigid and inflexible, unable to quickly adapt to sudden changes in business requirements. There's also a common belief that the operations/security budget is too small, regardless of its size.

It's this dichotomy in security "views" that perpetuates the resentment between business (AKA "the suits") and operations (AKA "the nerds"). Unfortunately, I don't have a fix for this. I'm just noting that the condition exists.

Apologies for the incomplete rambling. I'm still trying to flesh out this argument elsewhere for future "at length" use. The argument currently is skewed as I "came up" from the sysadmin side of the house. Comments/thoughts?