Risky risk assessments

14 May, 2018

By Koen Maris,
Chief Technology Officer – Cyber Security at Atos

Security has never been the favorite topic during management meetings. Most often, the question was: can we justify the limited budget for security investments, given the most recent risk assessment? But what if I told you that these assessments are most often based on completely wrong assumptions and incorrect data?

A little while ago, I wrote about the need to rethink security thoroughly. The main conclusion of that post, however, may not sit well with the boardroom: it implies that the proactive approach should not replace the reactive one, but rather complement it. This means extra budget, obviously – an unwelcome message from any department, but possibly even more so when it comes from the security department.

Budgets rarely reach security at the beginning of the spend. Information security mostly comes at the end, when all other requests have been fulfilled and someone smart in the room points out that security is something the organization might have to consider. When faced with this harsh reality, the next challenge is to spend as little as possible and still feel good about the state of security. A rather deceptive feeling in most cases, but the painful truth for many organizations. Meanwhile, security has finally reached the list of top priorities in many boardrooms, but sadly it hasn’t reached the list of priority investments. Very often this is due to a completely misguided risk assessment, which may lead to tragedies in the long run.

Everyone in a boardroom understands risk to some extent. When talking risk, it is common practice to perform a risk assessment on the new project. The biggest problem, however, is that these assessments are based on incorrect data. Let’s just assume that all known breaches in other organizations and the known consequences of these breaches are taken into account when calculating the risk. Then we’re still overlooking the obvious: many companies never share that they have experienced a breach, or they minimize the damage caused by the breach.

There’s no individual risk in a connected world

Consequently, all too often the conclusion is: “the risk is too low to justify huge investments”. This conclusion is not only false because it is based on false data; it also starts from the wrong assumption. The question should not be “how likely is it that we will get hit?” but rather “how long will it take before we get hit?” On top of that, companies tend to look at individual risks in a world where everything is connected. One individual risk that seems small could become the next Pandora’s Box when it materializes into a real attack.
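To make the two points above concrete (time-until-hit instead of likelihood, and connected risks instead of isolated ones), here is a small worked calculation. It is an added example, not part of the original post, and the numbers it uses are constructed; it also assumes a constant annual breach probability and independence between the individual risks, both simplifications that a real assessment would have to revisit.

```python
"""Added example (not from the original post): re-framing a risk assessment
from "how likely per year?" to "how long until?" and from isolated risks
to their combined effect.  All probabilities below are constructed inputs."""

from typing import Dict


def expected_years_until_hit(annual_probability: float) -> float:
    """If a breach occurs each year independently with probability p,
    the number of years until the first hit is geometric with mean 1/p."""
    if not 0.0 < annual_probability <= 1.0:
        raise ValueError("annual probability must be in (0, 1]")
    return 1.0 / annual_probability


def probability_hit_within(annual_probability: float, years: int) -> float:
    """Probability of at least one hit within the given number of years."""
    if years < 0:
        raise ValueError("years must be non-negative")
    return 1.0 - (1.0 - annual_probability) ** years


def combined_annual_probability(individual: Dict[str, float]) -> float:
    """Probability that at least one of several independent 'small' risks
    materialises in a given year: 1 - product of the survival probabilities."""
    survive = 1.0
    for name, p in individual.items():
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"bad probability for {name}: {p}")
        survive *= 1.0 - p
    return 1.0 - survive


def risk_report(individual: Dict[str, float], horizon_years: int) -> Dict[str, float]:
    """Contrast the per-risk view (each looks small) with the connected view
    (the organisation as a whole gets hit through any one of them)."""
    combined = combined_annual_probability(individual)
    return {
        "largest_single_risk": max(individual.values()),
        "combined_annual_probability": combined,
        "expected_years_until_hit": expected_years_until_hit(combined),
        f"probability_within_{horizon_years}_years": probability_hit_within(
            combined, horizon_years
        ),
    }


if __name__ == "__main__":
    # Constructed sample: twenty connected assets, each judged a "5% per year" risk.
    sample_risks = {f"asset-{i:02d}": 0.05 for i in range(20)}
    for key, value in risk_report(sample_risks, horizon_years=3).items():
        print(f"{key:>35}: {value:.3f}")
```

Read in isolation, every asset in the sample looks like a 5% risk; taken together the organisation has roughly a 64% chance of a hit in any given year and can expect the first one within about a year and a half. The independence assumption actually understates the connected case, since a foothold on one asset tends to raise the probability on the others.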

Of course, you cannot prevent every single attack. And of course no organization can afford to spend huge percentages of its budget on making the infrastructure completely risk-proof. But I’m not talking about hyper-complicated attack scenarios that happen on rare occasions, or sophisticated targeted attacks. Organizations could at least start with the obvious, such as applying patches in due time. Because that is what #Wannacry has taught us: no company should have suffered from that ransomware if it had applied the available patches in due time. Somehow companies managed to block those updates. I wonder how that passed any qualitative or quantitative risk assessment: the costs of patching are low in comparison with the havoc a successful attack might cause.

#Wannacry and GDPR: security officers’ best allies

The quest for a safer ICT environment is indeed almost as hard as the quest for the Holy Grail. But this does not mean we should abandon it or even diminish our efforts. With each new serious security incident, #Wannacry being the most recent obvious example, the security officer may get some nasty looks. But when you play it right, such an incident may also serve as an element in your favor when the next risk assessment takes place. The notification obligation enforced by the GDPR may be the security officer’s next ally in obtaining the necessary management support for security investments. The more incidents are exposed, the more organizations will understand that the risk of getting hit is a lot higher than they realized when the previous security budget was set.
