In 1999 I really enjoyed the movie The Matrix; it was also around the time I first left Microsoft. I'm sure that was just a coincidence. The loose translation of "know thyself" stuck with me in a lot of ways. Within IT security risk management, the phrase applied in two ways: know thy role and know thy enterprise.
In the context of prioritizing and communicating risk, I quickly learned the boundaries of my influence in IT. I used to assert my expertise in both the likelihood of bad things happening and their potential impact. My revelation occurred after my nth defeat trying to advance our control environment. After the dust cleared I realized no one had challenged my likelihood assessment, because I used real evidence and drew parallels to real incidents. However, the financial, regulatory, or goodwill effect of these impending incidents wasn't so clear. Thus I began asking the business units to own the impact statement. IT Security will do the legwork and documentation, but let's share the risk management function and put more business skin in the game. This may be old hat nowadays, but I still see some infosec groups trying to do too much.
It's well documented that effective IT Security groups facilitate rather than dictate risk decisions. When the business or technology leader, e.g. the CIO, CTO, or line-of-business VP, understands that they are making the risk acceptance decision, the game changes. If they ignore my recommendation, the risk acceptance rests on their capable shoulders. If they accept my recommendation, we share the responsibility: IT Security's idea, business line's approval. Clear accountability works wonders in advancing IT Security (it's also a whole other topic). This leads to my next interpretation, "know thy enterprise."
So if IT Security's primary role is to be the experts in estimating the likelihood of impact, what's the best way to articulate this likelihood? I spent a couple years trying to make quantitative analysis work with the business. It failed for one primary reason: my guesstimates could always be challenged by someone higher up the food chain. When one assertion cracked, loss of credibility and ineffectiveness followed.
So my approach was to focus on really knowing the enterprise. Translation: use real evidence combined with IT Security expertise. These are hard to refute. Sure, I had some fancy ordinal ranking of risks and applied some qualitative adjectives to prioritize them, but when that ranking is backed with smoking guns, metrics, and statistics, the conversation can move past likelihood and right into impact. This is also why my best friends became the attack and penetration teams, but that's another post too.
The ability to quickly prioritize and visualize your risk posture is important to communicate your message. However all the eye candy in the world won't matter if your story lacks evidence. When I present tools such as Risk Communicator, I spend equal time emphasizing the importance of field work to build your case. We can make it easy for you to communicate your priorities, but you have to find the smoking guns to back them up. I used to challenge my teams to never make a recommendation without evidence.
This is one reason I'm excited to see security metrics at the forefront of our industry. There's power in those numbers and making it easier to communicate that power is very near on our road map. What are your favorite smoking guns to prioritize and communicate risk?