The 7 July meeting of the CW500 Club where business risk
management was discussed.
The Royal Mail has been involved in business risk management
for about 10 years, during which time it has tried every risk
management method that has ever been dreamt up. Its director of
security and risk management, David Lacey, talks about operational
management and security from behind the firewall.
The Royal Mail has a highly mature information security
management system. It boasts the largest BS7799 certification in
the world, extending to 8,000 staff in 500 buildings. BS7799 is a
standard specification for an information security management
system.
The company has many optimised processes, demonstrated by low
rates of security incidents and low rates of security transactions
at the helpdesks, with password resets at rates of less than 7%. It
also has relatively low maintenance costs, all with what it claims
is one of the smallest, most effective and most highly qualified
security teams in industry.
However, Lacey warns that "the art or science of risk management
remains immature".
Why do security and risk management?
The main reasons for implementing risk management are to avoid
the cost of incidents and fraud and to meet regulatory compliance.
Businesses should protect expensive assets, customer data and
corporate reputation.
However, it is more than protection and prevention. "New
business opportunities or product sales are not a major driver. We
only do security because we are forced to - there is little
business pull," Lacey says. "What needs protecting is constantly
evolving, from tangible to intangible."
"Intellectual assets and softer issues such as reputation, brand
value, shareholder value, legal liability and so on, are much more
subjective and harder to pin down and measure - we need smarter
approaches to these," says Lacey.
"The threat to our infrastructure is also constantly evolving,
not in linear but in step or exponential changes - traditional
forecasting techniques don't work against determined, agile
attackers who keep raising their game to stay one step ahead of
your defences. You need to think in terms of game theory."
How should you go about security and risk management?
Lacey identifies three approaches:
Hand-crafted
This approach is based on risk assessment methodologies that
assess all the risks and then select a set of controls that
appears to reduce the risk to an acceptable level.
Although thorough, it can be expensive and time-consuming, and it
can generate inconsistencies.
"You can do this method by asking open questions such as, 'What
are the crown jewels of our business?' or you can employ ornate
frameworks based on multiple, pre-defined categories and weighted
point scores," says Lacey.
However, complex black-box methodologies often produce strange,
non-intuitive results that need a large dose of common-sense
checking. Businesses should treat risk assessment methods as
decision support, not decision-making tools.
Introducing risk assessment into project development, rather than
applying it afterwards, will ensure that the business engages with
risk management.
However, Lacey warns, "You can't guarantee that the risk profile
will be maintained beyond the implementation stage."
"You can also address the risks associated with a business
process or value chain, which is highly effective to gain a top
down perspective of risk, but often lacks the fine detail needed to
address the risks at the level of an individual asset or
system."
For maximum effectiveness you need to combine all methods of
risk assessment, says Lacey.
Compliance baseline
This is a more prescriptive, compliance-based approach for "well
understood problem areas that share common risks and operating
practices", such as BS7799.
A key advantage of BS7799 is that it is a code of practice and
is applicable to all organisations, independent of size or
sector.
"However, there is a danger of setting the bar too high by
cherry-picking individual best practices to form an overall set
that no one can achieve, or, conversely, of setting the bar at the
lowest common denominator."
Classifications
This method of selecting security controls by setting minimum
standards based on classifications will become "increasingly
important in the future", says Lacey.
"Put a label on something, and the label determines the security
action to take. It is popular in government security circles, where
national authorities like to lay down minimum requirements to
protect their secrets."
Classification is a powerful but dangerous method, however,
because it is inflexible and compliance with it is expensive.
It is perhaps the only means of ensuring guaranteed levels of
protection across a large, diverse community such as an extended
enterprise business-to-business community, which is very much the
future business environment, he says.
Businesses will need to agree common classifications and rules
for data, systems and users that operate across organisational
boundaries.
In sum, no single approach is right or wrong: each of the three
has something to offer at different times and for specific
problems, so they are best blended.
What is critical is that security "must be done strategically
and in planned phases", says Lacey.
There are four reasons for this.
- It costs money to introduce changes, so they need to be
carefully scheduled to get the optimum effect.
- It takes time to develop and then for business to absorb
optimal solutions. So introduce controls progressively, enlarging
their range and reach with each iteration.
- Problems are always changing and evolving, so quick fixes may
not be the best answer for the medium and longer term.
- We don't have all the solutions or skilled resources to solve
the problem. It takes time to develop sound enterprise solutions
and build an effective team to deliver them.
Creating a skilled, professional security team is crucial -
especially now that the burden of regulatory compliance is
increasing.
"Five years ago when I joined the Post Office I pulled most of
the external consultancy budget and invested it in professional
development for our own security managers," says Lacey.
"That was one of the best decisions I ever made. I now have a
fully trained, highly effective and loyal security team."
So convinced is Lacey of the need for such professional
development, he is now working with Prof Fred Piper of Royal
Holloway and Paul Dorey of BP to establish a profession for
information security.
Developing secure IT systems in the first place is critical, and
the skill to do so should be part of tertiary - and possibly even
secondary - IT education, says Lacey.
"I also believe that all systems integrators should be ensuring
that their development staff are fully streetwise when it comes to
security," says Lacey. "If I can identify a suitable [security
awareness and skills] standard for our own suppliers then I'll
mandate it, especially for our e-business applications."
But the final constituency that needs to be security-alert is
the user community - both inside and outside the formal boundaries
of an organisation.
"Education is where we get the security incidents and the costs
down," he says. "But it is important to engage society in a
properly balanced debate about the impact of new technologies on
their lives, and to that end we need more of the likes of the
recent Royal Society public consultation exercise on cyber trust
and information security, in order to get the public policy
right."
The next 10 years will see major developments that will have a
critical impact on the whole area of security and risk
management.
"The 'network effect' of the internet - as presaged by the
positive feedback growth loop created by, for example, eBay - will
be the information age's equivalent to the industrial revolution's
factory," says Lacey.
"When you have millions of un-tethered objects interacting
across networks, the outcome is highly uncertain - we are therefore
moving from a deterministic approach to IT towards a probabilistic
one.
"This will make obsolete our current approach to security and IT
management, all of which is based on deterministic controls such as
standardisation, directories, predefined builds, filters and
signature scans," he says.
"These will fail to scale to meet our needs as the true power of
the network kicks in," which will cause "two major paradigm shifts
over the next decade".
The first is what Lacey calls "de-perimeterisation" - the
inevitable, progressive breakdown of the managed network
perimeter.
"We can see it happening now, but it's not yet become critical,
and it means that security will have to move from the
infrastructure level to the data level. This creates a number of
difficult problems, all of which are solvable with current science,
but not without massive co-operation between organisations - we
need to agree a common security language and a consistent set of
standards."
"That is why a group of 40 top user organisations have formed
the Jericho Forum, to develop just such a common set of security
solutions for a de-perimeterised world."
The second paradigm shift that Lacey foresees is more
subtle.
"The next-generation of security solutions - those designed to
enable de-perimeterisation - will eventually fail to scale to meet
the challenges of the embedded internet, a world in which everyday
objects are fully connected and can interact with any passing
user."
The shift will lead to "a world of pervasive surveillance
opportunities enhanced by the proliferating data wakes left by
users".
"This type of data cannot readily be protected from undesirable
access without destroying the utility of the technology - and it
can be mined for espionage or fraud, or for security. I envisage a
continuing battle of intelligent monitoring systems to manage or
exploit the data on individuals."
Even before this "spy versus spy" world arrives, "around 2006
several major trends will simultaneously peak or mature, creating a
step change in our risk profile."
"Things such as serious e-commerce and e-government, the
breakdown of true perimeter security and the emergence of true
cyber terrorism mean that we will all need to raise our game to
survive."
"We need to look outwards, think forward and act strategically
to develop the truly effective and long-lasting operational risk
frameworks we need to survive the coming decade."