
Anyone working in information security should recognise the basic ‘rule’ that security risk decisions should be made by the business leaders of an organisation. The idea came about 25 years ago along with new risk assessment approaches that tried to make sure that security exposures were tied back to real business impacts and priorities. Up until then there was a strong view that security people existed just to say ‘no’. So security advisors became just that – people who could advise on the theory of a risk, but who were not accountable for actually making any risk decisions. Or at least so they thought.
If it was ever true in the past, I am convinced that this is not the case anymore. In fact, the last 10 years have shown a growing trend for information security specialists, ‘professionals’ even, to be held accountable for making some very significant security decisions. No, it is not our job to decide on business priorities and whether or not to take a particular risk for an enterprise; but we do have to decide on whether a real security exposure exists, its likelihood of realisation, and the best of a set of options that could be used to deal with it. If we get it wrong, our management colleagues remain ill-informed or security investments get made and do not deliver the risk management expected.
Security trends
Two significant trends are making this even more important. Firstly, with growing regulation there is increasing pressure to demonstrate that the ‘right’ risks are being managed in the ‘right’ way. But who declares what is right or wrong? Anyone involved with Sarbanes-Oxley attestation work will know of the need to declare compliance against a standard, but as the standard is not itself specified in the legislation then the right option becomes a matter of debate between experts. So who qualifies the experts? Actually, in this particular case of regulation, anyone with an opinion is entitled to have one, no matter what their experience or training. Surely this is not acceptable?
The second trend, of digitisation of embedded systems, makes things even more critical. According to industry statistics, less than five percent of the multi-millions of microprocessors shipped every year are built into traditional PCs and servers. These other computers form part of the control systems of household appliances, cars, aircraft, process plants and numerous systems and devices that surround us and control the physical world we interact with. A security failure in these systems can be critical to reliability and to our very safety. But who decides that a security specialist has the skills and knowledge to design a secure system, and ensure that it is correctly assured against compromise?
Considered risks?
Surprisingly, this is not yet a big political debate; somehow our very dependency on information systems seems to have crept up on us unawares as a society and the true meaning of this does not yet seem to have dawned. I cannot think of any service that I buy that does not have computer record keeping at its core – even my local milk deliveryman sends out computer-generated bills. But what happens when there is a security problem in the information systems we rely on?
Identity theft is at a new high, with the integrity of digital records being fundamental to the way we live our lives. When we think of system availability, would it matter if the internet suffered a major outage? When we asked, some government representatives thought that the internet wasn’t really used for anything that important. We couldn’t let the argument rest there and carried out a quick informal survey (Figure 1) of the internet use of 5000 global companies. The results surprised even us, indicating that some 30 percent of global trade now relies on the internet for some part of the transaction. How much of this has adequate security?
If we accept the view that the criticality and importance of digital systems means that good security is a key requirement, is our response to this acceptable? I believe the answer to this question is sadly, no. We fall well short of what should be expected of us.
Think differently
Let’s think like engineers. When a bridge is being built, it is the clear accountability of the structural engineer to confirm the design strength requirements and specify the type and cross section of girders to be used. If during the construction project the project manager finds he is suffering delays due to steel supply, does he unilaterally decide to reduce the number of girders? If we heard this being suggested in a civil construction project we would be outraged and demand that the problem be put right and those responsible disciplined. Yet when I talk to fellow security professionals I find that an IT project may well think that over-ruling security is an option. I think we are partly to blame for this, and as professionals we fail to make the grade on two scores.
Firstly, we don’t always have the repeatable processes and clear disciplines of test and assurance that give certainty in our security judgement. Measures such as the Systems Security Engineering Capability Maturity Model give us tools to show how many of our security processes are repeatable and quantifiable (see Table 1). If we are honest, how many of our processes would score highly?
We can also ask the question of why we do not have clearer definitions of what makes a system secure. For example, why has commercial take-up of Common Criteria protection profiles been so limited? On the positive side, we continue to see IT products evaluated, but many remain outside the scheme and very few end user companies have used the approach to specify security expectations of target operational systems. Unless we can be clearer on what ‘secure’ actually is, our judgement will always be in doubt.
Tools and tests
Once we have accepted that we have security targets, then we have to ensure we have the tools to test that these are met. The classical penetration test must be the best illustration of the application of ‘art’ rather than ‘science’, and only more recently have some automated tools become de facto standards. As aspiring engineers we should be expected to have our standard test rigs and test criteria ready to hand.
Beyond our tools, our own qualifications and the credentials we need to be security professionals need some examination. When I started in information security 20 years ago, there was no training available for me in the commercial sector. Fortunately things have moved on, and the good work of many in the industry has given us CISSP, CISM and technical qualifications such as the SANS GIAC. In fact, the number of security qualifications, now even including Master’s degrees, has grown to the point that I cannot even attempt to list them here. Yet many believe that a gap still remains.
This gap is that step between gaining theoretical knowledge and actually applying judgement to make decisions that can make a real difference. The medical profession shows us how even candidates with five years of a medical degree behind them need coaching, mentoring and on-the-job supervised experience before they become fully recognised practitioners. ‘Flying solo’ is a big issue when life and death medical decisions are at stake. Perhaps we should expect the same from security professionals who will be making decisions that could well impact people’s ‘information lives’, or even personal safety.
And it’s not only professionals who think that clear standards are important; a number of governments have expressed an interest in regulating the information security industry. The good news is that the proposals that the profession could regulate itself have been very well received, but it does mean that we must set ourselves high standards and maintain them.
We have come a long way in the last 20 years. In the 1980s, nobody would have seriously considered that the job of Data Security Officer (which probably existed in fewer than 100 companies) would grow into many tens of thousands of people making information security their entire career. As a group of specialists, we also now span outside information technology to touch business processes, engineering systems and corporate risk and governance. What started as a risk low on the risk register now really matters, but it falls on us to rise to the challenge and become truly professional.
Professional development
“So far, over 1200 people have signed up to the Institute of Information Security Professionals, sharing the vision that we must be ready for the next level of professional development if we are to be truly respected professionals. It’s a simple model, where we continue to value and build upon the good knowledge qualifications we have in the market, and then go further to have mentoring and strong continuous professional development leading to and maintaining formal certified membership. It’s not an easy task, and will take us all as a group of professionals quite some time to build from scratch, but many feel this is a step that just has to happen.”
For more information, visit the following websites:
http://www.cesg.gov.uk/
http://www.niap-ccevs.org/cc-scheme/
http://www.sse-cmm.org
www.instisp.org
Career path
Paul Dorey is Vice President of Digital Security and CISO for BP plc, where he has functional leadership responsibility for IT Security, BCP and IT operational controls globally across the corporation. He has extensive experience of risk management approaches and emerging technologies, having established one of the first dedicated operational risk management functions in Europe and having over 20 years’ management experience in the field of information security.
Prior to joining BP, Dorey had a varied career as a financial services executive, academic and consultant. Following consultancy work for a number of governments he went on to set up strategy, security and risk management functions at Morgan Grenfell merchant bank and then Barclays Bank, where he was Group Operational Risk Director and a committee member of the bank’s Group Risk Policy Committee.