Meeting notes: 7 July 2004

The 7 July meeting of the CW500 Club where business risk management was discussed.

The Royal Mail has been involved in business risk management for about 10 years, during which time it has tried every risk management method that has ever been dreamt up. Its director of security and risk management, David Lacey, talks about operational management and security from behind the firewall.

The Royal Mail has a highly mature information security management system. It boasts the largest BS7799 certification in the world, extending to 8,000 staff in 500 buildings. BS7799 is a standard specification for an information security management system.

The company has many optimised processes, demonstrated by low rates of security incidents, low security transaction rates at the helpdesks - with password resets at rates of less than 7%. It also has relatively low maintenance costs, all with what it claims is one of the smallest, most effective and highly qualified security teams in industry.

However, Lacey warns that "the art or science of risk management remains immature".

Why do security and risk management?

The main reasons for implementing risk management are to avoid the cost of incidents and fraud and to meet regulatory compliance. Businesses should protect expensive assets, customer data and corporate reputation.

However, it is more than protection and prevention. "New business opportunities or product sales are not a major driver. We only do security because we are forced to - there is little business pull," Lacey says. "What needs protecting is constantly evolving, from tangible to intangible."

"Intellectual assets and softer issues such as reputation, brand value, shareholder value, legal liability and so on, are much more subjective and harder to pin down and measure - we need smarter approaches to these," says Lacey.

"The threat to our infrastructure is also constantly evolving, not in linear but in step or exponential changes - traditional forecasting techniques don't work against determined, agile attackers who keep raising their game to stay one step ahead of your defences. You need to think in terms of game theory."

How should you go about security and risk management?

Lacey identifies three approaches:

Risk assessment

This approach is based on risk assessment methodologies that assess all the risks and then select a set of controls that appears to reduce the risk to an acceptable level.

Despite being thorough, it can be expensive and time-consuming and could generate inconsistencies.

"You can do this method by asking open questions such as, 'What are the crown jewels of our business?' or you can employ ornate frameworks based on multiple, pre-defined categories and weighted point scores," says Lacey.

However, complex black-box methodologies often produce strange, non-intuitive results that need a large dose of common-sense checking. Businesses should treat risk assessment methods as decision support, not decision-making tools.

Introducing risk assessment into project development, rather than applying it afterwards, helps ensure that the business engages with risk management.

However, Lacey warns, "You can't guarantee that the risk profile will be maintained beyond the implementation stage."

"You can also address the risks associated with a business process or value chain, which is highly effective to gain a top down perspective of risk, but often lacks the fine detail needed to address the risks at the level of an individual asset or system."

For maximum effectiveness you need to combine all methods of risk assessment, says Lacey.

Compliance baseline

This is a more prescriptive, compliance-based approach for "well understood problem areas that share common risks and operating practices", such as BS7799.

A key advantage of BS7799 is that it is a code of practice and is applicable to all organisations, independent of size or sector.

"However, there is a danger of setting the bar too high by cherry-picking individual best practices to form an overall set that no one can achieve, or, conversely, setting the bar at the lowest common denominator."

Classification

This method of selecting security controls by setting minimum standards based on classifications will become "increasingly important in the future", says Lacey.

"Put a label on something, and the label determines the security action to take. It is popular in government security circles, where national authorities like to lay down minimum requirements to protect their secrets."

Classification is a powerful but dangerous method, however, because of its inflexibility and the expense of compliance.

It is perhaps the only means of ensuring guaranteed levels of protection across a large, diverse community such as an extended enterprise business-to-business community, which is very much the future business environment, he says.

Businesses will need to agree common classifications and rules for data, systems and users that operate across organisational boundaries.

In sum, no single approach is right or wrong: each of the three offers something at different times and for specific problems, and they are best used in combination.

What is critical is that security "must be done strategically and in planned phases", says Lacey.

There are four reasons for this.

  • It costs money to introduce changes, so they need to be carefully scheduled to get the optimum effect.
  • It takes time to develop optimal solutions and for the business to absorb them. So introduce controls progressively, enlarging their range and reach with each iteration.
  • Problems are always changing and evolving, so quick fixes may not be the best answer for the medium and longer term.
  • We don't have all the solutions or skilled resources to solve the problem. It takes time to develop sound enterprise solutions and build an effective team to deliver them.

Creating a skilled, professional security team is crucial - especially now that regulatory compliance demands are increasing.

"Five years ago when I joined the Post Office I pulled most of the external consultancy budget and invested it in professional development for our own security managers," says Lacey.

"That was one of the best decisions I ever made. I now have a fully trained, highly effective and loyal security team."

So convinced is Lacey of the need for such professional development, he is now working with Prof Fred Piper of Royal Holloway and Paul Dorey of BP to establish a profession for information security.

Developing secure IT systems in the first place is critical, and the skill to do so should be part of tertiary - and possibly even secondary - IT education, says Lacey.

"I also believe that all systems integrators should be ensuring that their development staff are fully streetwise when it comes to security," says Lacey. "If I can identify a suitable [security awareness and skills] standard for our own suppliers then I'll mandate it, especially for our e-business applications."

But the final constituency that needs to be security-alert is the user community - both inside and outside the formal boundaries of an organisation.

"Education is where we get the security incidents and the costs down," he says. "But it is important to engage society in a properly balanced debate about the impact of new technologies on their lives, and to that end we need more of the likes of the recent Royal Society public consultation exercise on cyber trust and information security, in order to get the public policy right."

The next 10 years will see major developments that will have critical impact on the whole area of security and risk management.

"The 'network effect' of the internet - as presaged by the positive feedback growth loop created by, for example, e-Bay - will be the information age's equivalent to the industrial revolution's factory," says Lacey.

“When you have millions of un-tethered objects interacting across networks, the outcome is highly uncertain - we are therefore moving from a deterministic approach to IT towards a probabilistic one.

“This will make obsolete our current approach to security and IT management, all of which is based on deterministic controls such as standardisation, directories, predefined builds, filters and signature scans,” he says.

"These will fail to scale to meet our needs as the true power of the network kicks in," which will cause "two major paradigm shifts over the next decade".

The first is what Lacey calls "de-perimeterisation" - the inevitable, progressive breakdown of the managed network perimeter.

"We can see it happening now, but it's not yet become critical, and it means that security will have to move from the infrastructure level to the data level. This creates a number of difficult problems, all of which are solvable with current science, but not without massive co-operation between organisations - we need to agree a common security language and a consistent set of standards."

"That is why a group of 40 top user organisations have formed the Jericho Forum, to develop just such a common set of security solutions for a de-perimeterised world."

The second paradigm shift that Lacey foresees is more subtle.

"The next-generation of security solutions - those designed to enable de-perimeterisation - will eventually fail to scale to meet the challenges of the embedded internet, a world in which everyday objects are fully connected and can interact with any passing user."

The shift will lead to "a world of pervasive surveillance opportunities enhanced by the proliferating data wakes left by users".

"This type of data cannot readily be protected from undesirable access without destroying the utility of the technology - and it can be mined for espionage or fraud, or for security. I envisage a continuing battle of intelligent monitoring systems to manage or exploit the data on individuals."

Even before this "spy versus spy" world arrives, "around 2006 several major trends will simultaneously peak or mature, creating a step change in our risk profile."

"Things such as serious e-commerce and e-government, the breakdown of true perimeter security and the emergence of true cyber terrorism mean that we will all need to raise our game to survive."

"We need to look outwards, think forward and act strategically to develop the truly effective and long-lasting operational risk frameworks we need to survive the coming decade."
