SAN FRANCISCO–Measuring risk is one of the more difficult tasks that enterprise GRC teams face, as risk itself is a notoriously difficult thing to actually define and pin down. But perhaps fixing the fixable problems that contribute to risk, rather than measuring risk in absolute terms, should be the goal.
The concept of risk is a nebulous one, particularly as it’s typically applied to enterprise security. It can mean different things in different organizations, and different things to different people inside a given organization. And roles matter quite a bit when it comes to why people may want to measure risk and how they think about it. Security teams usually are interested in what kind of risk a given vulnerability or incident presents, and trying to mitigate and change that. CISOs might be more interested in measuring risk for the purpose of communicating it to the CEO and board of directors, because that’s where the money comes from. And the board may just want to compare a risk score from one quarter to the next to see whether things are improving.
“Lots of people want to measure risk, everyone from the CISO, who has to report up to the board, to the vendors, to the security teams,” Andy Ellis, former CSO at Akamai, said during a talk on the difficulty of measuring risk at the RSA Conference here last week. “And they all have different reasons for wanting to do that. The board mostly just wants to compare, the CISO wants to communicate, and the security teams and security vendors want you to change.”
But how much of the data and information that these various constituencies rely on is actually useful? It’s difficult to know. Security products are great at gathering, aggregating, and displaying information in dashboards and charts and heat maps. But without context, that information isn’t of much use. Knowing which vulnerabilities and other problems matter the most to your specific organization is what makes a difference, especially in a larger organization that might have hundreds of issues to address at any given time. Is this a rare but potentially critical issue or is it a common but less interesting problem?
“At the end of the day you are making up these numbers. You don’t have any data that fixing very rare problems matters. No company that isn’t selling risk services actually cares about the score of a risk. The goal is comparison,” Ellis said.
“Tell your teams to pick a problem and go fix it. I don’t care what problem it is. And when they fix it, buy them a cake in front of the CEO so other people will see that and think, I want a cake. It doesn’t matter which problem gets solved. Just fix one. Fix an interesting problem and I will buy you cake.”
Of course, if fixing interesting problems was easy, everyone would do it. And everyone is not doing it. Incentives matter when it comes to deciding which problems to address, and for security teams that will often mean focusing on the issues the CISO cares about. And for CISOs, incentives may dictate prioritizing things that can have the most-visible effect.
“Companies have perceived risk. Humans love to stay in the same spot for risk,” Ellis said.