Tuesday, October 28, 2008

Framework for Realistically Addressing IT Risk (Security Issues)

Better security is often the result of a poorly-timed disaster... -me
Man is an impulsive creature... We tend to try and solve problems before we fully understand their nature.

Once you accept that as truth, you can begin to realize why IT Security and Risk Management is in such a sorry state, and why we're perpetually bailing water from a sinking ship. Risk is a difficult concept to understand, I get that; it took me arguably 8 years into my IT career to fully grasp that risk is a "gray" area and never binary. For many "IT Security" practitioners I've worked with over the years, this is where things go south.

After thinking about the causes of poor risk mitigation and security practices in today's business world, I've channeled my efforts into developing a way to lay out the problem-solving process that makes sense, and that can get us closer to zero residual risk than we've previously been able to come. Here's what I have been able to come up with... keep in mind it's still a work-in-progress, but I'm putting it out there to solicit responses and maybe help me refine this process. Think of it as a ... practical guide to security/risk problems.

These are the steps that I feel one (or many) should go through to resolve any clear and present danger facing an IT Security/Risk group...

  1. Admit there is a problem - Take your head out of the sand, admit there are issues that need to be addressed and begin to try and gather the "big picture" around the existence of these issues. Just admitting there is a problem is the first step, but often the hardest.
  2. Implement a tactical stop-gap - Stop the bleeding; forget trying to wrap your head fully around the problem... just find a way to contain it short-term while you work on the long-term resolution.
  3. Understand the nature of the problem - Now that you've got the wound triaged, look deeper and wider into the actual nature of the issue. Look beyond IT, "think outside the box", ask for other input from people who may have a different perspective.
  4. Admit the resultant risk will never be zero (full resolution) - You will never bring the risk equation all the way down to zero; never going to happen. I think it's paramount that those attempting to mitigate the risk understand this.
  5. Resolve to work towards a realistic strategic solution - Forget the Utopia-like resolution where everything is perfect (see step 4)... set realistic goals for mitigation, and resolve to get there in a sane manner. Put this on paper, and tack it somewhere everyone will see it.
  6. Provide real effort to resolve the problem holistically - In order to resolve a problem dealing with real-world risks, real-world efforts must be made. Think beyond your walls, identify all possible permutations of this risk and provide effort to resolve this holistic problem. This costs time, money, and resources. Be prepared for those costs, allocate them in advance or you'll doom yourself to fail.
  7. Implement the strategic resolution in good-faith - Once there is a resolution it'll take real effort (see #6) by your business to implement this resolution. Make sure you have solid backing from the business... not just IT.
  8. Continue to provide feedback for the future - Risk is never solved with a point-in-time approach. Risk evolves, morphs, and changes the rules just when you think you're safe. You must continue to re-visit to make sure yesterday's strategic resolution still works today.

There you have it. Hopefully this ground-work will help build a more solid foundation for risk-related problem solving.

I welcome your input, feedback, criticism and everything else you may have.
Just be constructive.
