David Lacey explains the need to look outwards, think forward and act strategically
The Royal Mail, says its director of security and risk management David Lacey, "has a highly mature - in the Carnegie Mellon sense - information security management system".
"We've also been doing business risk management for around 10 years, during which we've tried out just about every method that's been dreamt up. Bottom-up, top-down, gross risk, net risk, free-form, categorised, simple, complex, vital few controls – we've tried them all.
"We probably have the largest BS7799 certification in the world, extending to 8,000 staff in 500 buildings. We also have many optimised processes, demonstrated by low rates of security incidents, low security transaction rates at our helpdesks – our password resets, for example, are under 7% – and relatively low maintenance costs, all with one of the smallest, most effective and highest qualified security teams in industry."
But for all that experience, warns Lacey, across all organisations, "in my view the art or science of risk management remains very immature".
To get a handle on risk management, Lacey outlines the key questions to address.
Why do security and risk management?
To protect expensive assets, customer data and corporate reputation, to prevent the cost of incidents and fraud, and to meet regulatory compliance. But it is more than protection and prevention. "We can enable new business opportunities or sell more products through better security," he says, "but I admit these are not, today, a major driver. We really only do security because we're forced to – there is little business pull."
What needs protecting, too, is constantly evolving, from tangible to intangible.
"Intellectual assets and softer issues such as reputation, brand value, shareholder value, legal liability and so on are much more subjective and harder to pin down and measure – we need smarter approaches to these," says Lacey.
"Even the natures of some of our physical assets are becoming more abstract," he warns. "Try analysing the topographic characteristics of a modern, scale-free network – hub and spoke – which doesn't respond to traditional methods for measuring quality and risk, but needs a more sophisticated, non-deterministic, probabilistic approach.
"The threat to our infrastructure is also constantly evolving, not in linear but in step or exponential changes. Traditional forecasting techniques don't work against determined, agile attackers who keep raising their game to stay one step ahead of your defences. You need to think in terms of game theory."
How should you go about security and risk management?
Lacey identifies three approaches:
Hand-crafted: This is based on risk assessment methodologies. "You assess all the possible risks, and then select a set of controls that appears to reduce the risk to an acceptable level. It's thorough and educational for all involved but can be expensive and time-consuming. And it can generate inconsistencies and expensive diversity across your organisation.
"You can adopt this method by asking open questions such as 'What are the crown jewels of our business?', or you can employ very ornate frameworks based on multiple, predefined categories and weighted point scores.
"However, there's a long history of designing very complex, blackbox methodologies that often produce strange, non-intuitive results that need a large dose of commonsense checking. The key point is that you should treat risk assessment methods as decision support, not decision-making tools."
A key reason to take the simple route is "the importance of engaging the business with risk management. You need to hide the complexity of risk management from the business, or introduce it gradually, or you won't take business people with you."
You should also, advises Lacey, build risk assessment into project development, rather than apply it afterwards. But he warns, "You can't guarantee that the risk profile will be maintained beyond the implementation stage."
"You can also address the risks associated with a business process or value chain - which is highly effective to gain a top down perspective of risk, but often lacks the fine detail needed to address the risks at the level of an individual asset or system."
For maximum effectiveness you need to combine all methods of risk assessment.
Compliance baseline: This is a more prescriptive, compliance-based approach, such as BS7799, which is fine, says Lacey, for well-understood problem areas that share common risks and operating practices.
A key advantage of BS7799, Lacey points out, is that it is a code of practice and applicable to all organisations, independent of size or sector. But, he warns, "There is a danger of setting the bar too high by cherry-picking individual best practices to form an overall set that no one can achieve, or, conversely, setting the bar at the lowest common denominator."
Classifications: This method of selecting security controls by setting minimum standards based on classifications will become increasingly important in the future, according to Lacey.
"Put a label on something and the label determines the security action to take. It's very popular in government security circles, where national authorities like to lay down minimum requirements to protect their secrets."
"It's powerful but dangerous because of the inflexibility and the expense of compliance. It is perhaps the only means of ensuring guaranteed levels of protection across a large, diverse community such as an extended enterprise business-to-business community, which is very much the future business environment.
"Very soon you will need to agree common classifications and rules for data, systems and users that operate across organisational boundaries."
In sum, no single approach is right or wrong.
"In practice we tend to use a blend of these three approaches which all offer something at different times and for specific problems," he says.
What is critical, however, is that security must be done strategically and in planned phases, for four reasons:
- It costs money to introduce changes, so they need to be carefully scheduled to get the optimum effect
- It takes time to develop and then for business to absorb optimal solutions. Introduce controls progressively, enlarging their range and reach with each iteration
- The problems are always changing and evolving, so quick fixes may not be the best answer for the medium and longer term
- We don't have all the solutions or skilled resources to solve the problem. It takes time to develop sound enterprise solutions and build an effective team to deliver them.
Creating a skilled, professional security team is crucial, argues Lacey, especially now that regulatory compliance is increasing.
"Five years ago when I joined the Post Office I pulled most of the external consultancy budget and invested it in professional development for our own security managers.
"That was one of the best decisions I ever made. I now have a fully trained, highly effective and very loyal security team."
So convinced is Lacey of the need for such professional development, that he's working with academics and business IT professionals to establish a profession for information security.
Also critical is the need to develop secure IT systems in the first place, and the skill to do so should, says Lacey, be part of tertiary – and possibly even secondary – IT education.
"All systems integrators should be ensuring that their development staff are fully streetwise when it comes to security," says Lacey. "If I can identify a suitable security awareness and skills standard for our own suppliers then I'll mandate it, especially for our e-business applications."
But the final constituency that needs to be security-alert is the user community, both inside and outside the formal boundaries of an organisation.
"Education is where we get the security incidents and the costs down. But it's important to engage society in a properly balanced debate about the impact of new technologies on their lives, and to that end we need more of the likes of the recent Royal Society public consultation exercise on cybertrust and information security in order to get the public policy right."
As a self-avowed enthusiast for all things futuristic Lacey believes the next 10 years will see major developments that will have critical impact on the whole area of security and risk management.
"The 'network effect' of the internet – as presaged by the positive feedback growth loop created by, for example, eBay – will be the information age's equivalent to the industrial revolution's factory.
"When you have millions of untethered objects interacting across networks, the outcome is highly uncertain. We are moving from a deterministic approach to IT towards a probabilistic one, and this will make obsolete our current approach to security and IT management, all of which is based on deterministic controls such as standardisation, directories, predefined builds, filters and signature scans.
"These will fail to scale to meet our needs as the true power of the network kicks in."
It will, he says, cause two major paradigm shifts over the next decade.
The first is what he calls deperimeterisation – the inevitable, progressive breakdown of the managed network perimeter.
"We can see it happening now, but it's not yet become critical, and it means that security will have to move from the infrastructure level to the data level. This creates a number of very difficult problems, all of which are soluble with current science, but not without massive cooperation between organisations. We need to agree a common security language and a consistent set of standards.
"That's why a group of 40 top user organisations have formed the Jericho Forum to develop just such a common set of security solutions for a deperimeterised world."
The second paradigm shift that Lacey foresees is more subtle.
"The next generation of security solutions – those designed to enable deperimeterisation – will eventually fail to scale to meet the challenges of the embedded internet, a world in which everyday objects are fully connected and can interact with any passing user.
"The shift will lead to a world of pervasive surveillance opportunities enhanced by the proliferating data wakes left by users.
"This type of data cannot readily be protected from undesirable access without destroying the utility of the technology - and it can be mined for espionage or fraud, or for security. I envisage a continuing battle of intelligent monitoring systems to manage or exploit the data on individuals."
Even before this spy versus spy world arrives, Lacey warns that around 2006 several major trends will simultaneously peak or mature, creating a step change in our risk profile.
"Things like serious e-commerce and e-government, the breakdown of true perimeter security and the emergence of true cyberterrorism mean that we will all need to raise our game to survive.
"We need to look outwards, think forward and act strategically in order to develop the truly effective and long-lasting operational risk frameworks we need to survive the coming decade."
David Lacey is director of security and risk management at Royal Mail