When John Meakin, group head of information security at Standard Chartered Bank, needed to persuade the bank’s board of the importance of IT security, he did not talk about the number of times the group’s network was scanned in the last week or bandy nebulous figures for threats that may or may not come to pass.
Instead, he calmly detailed the nine key threats to the bank, how important each threat was and how each was likely to develop over the next three years. They were immediately convinced. “One of the easiest ways to get the board interested is by showing them the threat of attack,” says Meakin.
His simple but methodical approach demonstrates the importance of risk analysis in the security procurement process, and of communicating those risks to business managers in plain English. A convincing report will earn buy-in at the top level for vital projects. Failure will mean rejection – until the organisation gets hit.
A risk analysis should set out to identify all internal and external security threats and, as far as possible, grade and quantify them in terms of the operational and financial impact they could have. This can be simplified when the time comes to present the evidence to non-IT-literate senior management.
“An information security posture assessment is the first step towards a risk analysis,” says security consultant Marcia Wilson. “That means that once you understand where the network begins and ends, where the data resides that must be protected, you are able to then do a risk analysis.”
Most organisations of any size have a combination of centralised and remote computing to protect.
“It’s quite easy to do a risk analysis if all confidential information resides in one particular mainframe, for example, that is protected by many layers of security. However, this is not usually the case and data is often scattered about the enterprise on different computers in several locations,” says Wilson.
In a simple environment, the risk analysis would ideally take the form of a short, concise document showing clearly where the main risks to information lie and the financial implications. The document should also show the costs of protecting against each type of risk.
Management can then make an informed decision on what risks are acceptable and which need to be protected against, using much the same logic as they would when deciding on what type and magnitude of insurance policies to take out.
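The steps above (identify the threats, grade each by likelihood and financial impact, record the cost of protecting against it, and let management decide which risks to accept) can be reduced to a small quantitative register. The following is an added example, not code from the article or from any of the organisations it quotes. Every threat name and figure is constructed for illustration, and the decision rule (mitigate when the expected annual loss exceeds a tolerance set by management, or when the control is expected to prevent more loss than it costs; otherwise accept the risk) is an assumption chosen to mirror the insurance logic the article describes.

```python
"""Added example: a minimal quantitative risk register.

Each threat is graded on likelihood (expected incidents per year) and
financial impact per incident, giving an expected annual loss. The annual
cost and estimated effectiveness of the proposed control are recorded
alongside, so ranking and the accept/mitigate decision can be read from
one league table. All names and numbers below are constructed.
"""
from dataclasses import dataclass


@dataclass
class Threat:
    name: str
    incidents_per_year: float      # likelihood, as an annual rate
    impact_per_incident: float     # financial impact of one incident
    control_cost_per_year: float   # annual cost of the proposed control
    control_effectiveness: float   # fraction of expected loss the control prevents (0..1)

    @property
    def expected_annual_loss(self) -> float:
        return self.incidents_per_year * self.impact_per_incident

    @property
    def loss_prevented(self) -> float:
        return self.expected_annual_loss * self.control_effectiveness

    @property
    def net_benefit(self) -> float:
        # Positive: the control prevents more loss than it costs each year.
        return self.loss_prevented - self.control_cost_per_year


def build_register() -> list:
    """Constructed sample register (hypothetical threats and figures)."""
    return [
        Threat("Customer data exposed via web application flaw", 0.5, 400_000, 60_000, 0.8),
        Threat("Insider misuse of mainframe records", 0.1, 1_000_000, 120_000, 0.5),
        Threat("Laptop theft with unencrypted data", 3.0, 20_000, 15_000, 0.9),
        Threat("Malware outbreak on desktop estate", 2.0, 25_000, 80_000, 0.7),
        Threat("Website defacement", 1.0, 5_000, 10_000, 0.9),
    ]


def rank_threats(threats: list) -> list:
    """Order threats by expected annual loss, largest first."""
    return sorted(threats, key=lambda t: t.expected_annual_loss, reverse=True)


def recommend(threats: list, tolerance: float):
    """Split threats into (mitigate, accept).

    Mitigate when expected loss exceeds management's tolerance (the risk is
    too large to carry regardless of control cost) or when the control pays
    for itself; otherwise accept the risk. This rule is an assumption.
    """
    mitigate, accept = [], []
    for t in rank_threats(threats):
        if t.expected_annual_loss > tolerance or t.net_benefit > 0:
            mitigate.append(t)
        else:
            accept.append(t)
    return mitigate, accept


def league_table(threats: list, tolerance: float) -> str:
    """Render the register as a plain-text league table for a board pack."""
    mitigate, _ = recommend(threats, tolerance)
    to_mitigate = {t.name for t in mitigate}
    header = f"{'Threat':<48}{'Exp. loss/yr':>14}{'Control/yr':>12}{'Net':>12}  Decision"
    rows = [header, "-" * len(header)]
    for t in rank_threats(threats):
        decision = "mitigate" if t.name in to_mitigate else "accept"
        rows.append(
            f"{t.name:<48}{t.expected_annual_loss:>14,.0f}"
            f"{t.control_cost_per_year:>12,.0f}{t.net_benefit:>12,.0f}  {decision}"
        )
    return "\n".join(rows)


if __name__ == "__main__":
    # Tolerance is the annual loss management has said it will not carry.
    print(league_table(build_register(), tolerance=75_000))
```

The table is deliberately short and non-technical: one line per threat, ranked by expected loss, with the cost of the control and the resulting recommendation beside it, which is the form of evidence the article says management can act on.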
But regardless of the complexity of the environment, analysts believe that risk analysis documents must still be as short as possible, as ‘untechnical’ as possible, and illustrated with plenty of charts and tables in order to paint a picture for management.
“You need to use graphical charts and league tables to convey succinct information about the risk status of the organisation with particular reference to the potential business impact,” suggests Simon Oxley, managing director of risk analysis software developer Citicus.
For example, instead of warning about the proliferation of SQL injection attacks – whereby attackers enter SQL code into input fields such as login boxes so that the back-end database executes it and hands them control – security staff need to talk about the risk of exposing private customer data as a result of such attacks.
But Cyrus Peikari, CEO of wireless security consultants AirScanner, suggests even that might not be enough. “Do most managers lie awake in bed at night worrying how to protect their customers’ medical records or credit card numbers or are they really worried about the next quarter’s revenue numbers?” he asks.
Increased regulation may help to refocus executive minds. But there is little evidence that a new California law requiring companies to notify customers of security breaches that may have compromised personal data has had any effect.
Since the law came into force in June 2003, only one company, telecoms operator Allegiance Telecom, has confessed to a security breach. Many others, it is believed, have simply covered up. Nevertheless, regulations are getting tougher – and so are the penalties for contravention. “For better or worse, government regulation is stepping in to protect the welfare of the end-user. For example, the Health Insurance Portability and Accountability Act (HIPAA) in the US, with a compliance deadline just a year away, mandates up to 10 years in jail for flagrant breaches of electronic medical record security.”
That has certainly concentrated corporate minds in the US healthcare sector, where organisations have been frantically working on projects to better control access to sensitive patient data and ensure that they comply with HIPAA.
“If I can say as part of my risk analysis ‘if we don’t do this boss you might go to jail for 10 years’, he would be a hell of a lot more likely to listen to me,” said one CIO who did not want to be named.
Increasingly, therefore, the corporate governance implications of ignoring IT security will need to become an integral part of any risk analysis. “Jail may be the only way to convince senior management to take security seriously,” concedes Peikari.