Hope you all had a great weekend. I had meant to point you earlier to a FAIR analysis that Chris Hayes did over at his Blog. But I’ve been a little busy, and before I could mention it, Stuart King put up a kind of angry response on his ComputerWorld blog. Snark aside, there are a couple of other really troubling aspects of Stuart’s reaction to Chris’ analysis that I thought we could talk about this morning.
The problem is that (Chris’ analysis is) completely impractical. I’ll take a recent, and fairly typical situation as an example. I was taking issue with the manner in which remote access was being provisioned for a third party vendor to connect to a system hosted by one of our European business units. To cut a long story short, it was not only a breach of policy but highly insecure. I wanted the access to be disconnected, the business unit director wanted my risk assessment. And he didn’t want to wait for it.
To quote Chris Hayes, spending time on working out the expected effectiveness of controls, over a given timeframe, as measured against a baseline level of force was not going to pacify an angry Italian fearful that my decision was going to cost him money. He wanted my explanation of the risk and more importantly, what I was going to offer as a solution to keep his business functioning
As Chris is someone who actually does this for a living in a large company, and this is typical of his actual day job, I really find Stuart’s “impractical” comment to be, um, misinformed.
Also, I think Stuart mistakes the purpose of a risk analysis. The purpose of the risk analysis is not to force someone to be “secure”, but to provide knowledge for decision making. Using it as a “hammer” to knock in the nail of your personal risk tolerance impairs efficiency and in the long run retards “security” as it creates political resentment. Seriously, who cares if something might violate policy or not in a pre-implementation discussion? Policies are not stone tablets handed down from on high, they are state-in-time codification of the data owners risk tolerance. This risk tolerance changes sometimes, and that’s OK.
To that extent, I appreciate (and I’m sure Chris does, as well) that risk analysis does not create rationality in the data owner. Someone who sees you as a speedbump on the route to progress they may not be ready to appreciate your point of view even if it is stated in the most rational manner possible. But it’s worth noting (and Stuart’s example is indicative of this point) that risk analysis does not create rationality in the analyst, either. If one is being so “security minded” as to ignore the risk tolerance of the business owner - we’re bound to get a reaction similar to that Stuart encountered. In fact, a practical risk analysis like Chris performed on his blog, done in 30 minutes, should identify the critical point of disagreement between Stuart and the data owner (again, Stuart doesn’t own the data, the agitated Italian does).
But let’s stay rational and open to alternatives to what Chris offers. Stuart states his approach to risk analysis as:
When I need to document a risk assessment I use a very simple form: list the threats, state the level of vulnerability, list the associated operational costs and potential revenue hits. High, medium, or low risk? Describe the controls and options. Write up who needs to do what, and how much of their time it’s going to take. Job done.
At first glance, I don’t think what Chris has done is any less efficient, and it provides greater insight (using Frequency and Capability instead of just ‘listing the threats’). But what is key here is that Chris’ approach is consistent and defensible. Less generous risk geeks and CSO’s I know would have no little difficulty with Stuart’s approach. But to particularly answer Stuart’s main objection (impracticality) I would offer that with practice, Chris’ work is probably quicker and easier than Stuart’s described process as it eliminates much of the ambiguity an immature risk analysis creates - reducing the need for further discussion and arguments with data owners (regardless of disposition or nationality).
Finally the irony of Stuart’s post is that the reason he had this confrontation may in fact be because he was incapable of bringing a salient model for risk to the table, one that identified the factors that create risk and developed a defensible belief statement concerning risk. We’ll never know if one would have helped him in this isolated instance, but I can tell you that in organizations like Chris’, good risk models and strong risk anlayses create operational efficiencies, reduce costs, and streamlines intra-departmental communications.
![[del.icio.us]](http://images.del.icio.us/static/img/delicious.small.gif){kind=small}
Lets first examine Yang. An icon of the Internet era, he gave life to one of the original Internet powerhouses. It seemed that Yahoo was going to be one of the four horsemen of the Internet going forward. Starting with search, they moved well beyond mere search. The company spawned countless dot com millionaires and made billionaires of Yang and his fellow co-founder. If Yang would have stayed out of it when he first left Yahoo, his legacy would be secure as an Internet legend. But he came back to help Yahoo compete in the Web 2.0 Internet. An Internet where Google is the undisputed king of search and Yahoo had to learn to monetize other areas of the business. But Yang I think is destined to be best remembered as the arrogant techie who refused to come under Microsoft's thumb and turned down a 10's of billions of dollars offer. While he was offered 33 dollars a share, his stock today is under 11 dollars. To add salt to the wound, after cozying up to arch enemy Google to thwart Microsoft, Google tossed him aside like yesterdays news. I am afraid history will not look kindly on Yangs legacy. In fact the future of Yahoo itself is no longer StillSecure (hey I couldn't resist the plug).![Reblog this post [with Zemanta]](http://img.zemanta.com/reblog_e.png?x-id=6e6fdf5a-53f0-4355-87e3-63677428a4bb)
![Reblog this post [with Zemanta]](http://img.zemanta.com/reblog_e.png?x-id=8a7c833b-7998-4560-ae88-e82fa07afa6a)
![Reblog this post [with Zemanta]](http://img.zemanta.com/reblog_e.png?x-id=7a7de5a9-84ce-45b0-8222-b1ce28926391)
