Now that Risk Communicator 1.3 is out, time for a post. Part of my wife's birthday present is cleaning out a bunch of my boxes in a space she wants to use (yes, very romantic...). So I'm knee deep in old computer parts, drives, hubs, modem cards, (so many connection cables), and I find a box of reference material from circa 2000-2004. You know, the kind of material you think you might reference someday but never do. My current rule is 12 months. If I don't use it, it's gone. But instead of chucking the whole thing, I decided to file through it and see what I thought was so important.
What I found surprised me at first. I'm sorting through security reference material from Microsoft (non-confidential, of course), @stake, PwC, random research, and a bunch of other stuff, e.g. IT Governance Institute, ISACA. When looking through the IT Security Risk Management content, I might as well have just printed it yesterday. NOTHING'S CHANGED, not materially anyway.
Same ol' stuff: "integrate with the business, apply a risk framework (listing the same approaches as today), governance... blah blah, integrate with enterprise risk, measurement, maturity, demonstrate value, etc. etc." A decade has passed, and when it comes to prioritizing risk, justifying spend, making educated decisions, and measuring progress, time is frozen. GRC platforms have advanced our survey-policy-reporting processes and are moving up the value chain. However, integration costs are too high and I haven't seen one be helpful beyond compliance and exception tracking.
Why No Advancement?
An excellent product management question that should probably be in a separate post. I see a couple of reasons. 1. Unvalidated market demand: CISOs don't want to pay high prices when their spreadsheets are good enough. 2. No winning tools: most spending goes to consulting for custom, one-off solutions. Nice chicken-and-egg problem: I don't want to buy anything because what's out there sucks; I don't want to build anything because no one's buying.
To pile on, as practitioners, we can't agree on common approaches to perform common tasks like prioritizing risks. For example, is there more consternation about quantitative vs. qualitative models this year or am I just noticing now that I'm a vendor?
Finally, to the meat of this post: why was it relatively easy for me to organize my evidence as a practitioner but seemingly impossible for vendors to agree on common approaches and build tools to help me? Here's my answer of the day: as a practitioner, most of my budget was already allocated to past or obvious spending priorities. When it came time to add value by predicting future loss and saving the company from catastrophe, there weren't that many spending options left. There were a handful of directions to debate. Then a decision was made and the remaining risks were delayed until time/money/evidence changed the equation.
When a risk model is developed in a green field, I think it gets smothered by threat catalogs, algorithms, and unknown unknowns, attacked by others for being exactly wrong, and eventually they all cancel each other out. I also think people have overly high expectations for a risk model. As I often say, no model can think for you. It's simply a tool to organize your evidence to improve decisions. Here's a little graphic I whipped up to make the point of why fancy predictions don't matter as much when your options are limited.
As I mentioned in the evidence post, much of the work is done for us. By the time we reach the point of debating new and emerging threats, there's not much discretionary budget left and our predictions don't have solid evidence (no matter how accurate the algorithm). And when we do get the evidence, the investment moves down the pyramid and we're past the controversy.
So yeah, risk management is hard and it hasn't changed much in 10 years, but the reality is it's not as hard as many think. Plus, you don't need an omnipotent tool to improve the process. Find something efficient that saves you time and improves your decisions. Those are our top two goals with Risk Communicator in the Security Process Management Suite.