Posts Tagged “common mistakes”

What happens when a company experiences a data breach or a security incident?  Well, aside from the obvious, someone often tries to figure out what went wrong.  Hopefully this means that they want to fix things so that it doesn’t happen again, and not for finger pointing and assigning blame.

Regardless of the reason, what can we learn from these events?  In this, the first part of a two-part post, I’ll review the common mistakes that companies make prior to a security incident.  In part two we’ll discuss how companies should approach risk management in order to minimize their exposure to risk.  (Imagine that – a risk management program that actually manages risk. What a novel idea.)

This list is in no way exhaustive or ordered by priority. It comes from my experience and that of the other information security professionals I have talked with over the years in my attempts to learn from others’ mistakes and experiences.  If you have other items that you’d like to offer for consideration, please post a reply.

1.  Risk management is diffused across the entire organization.

Managing risk should be everyone’s responsibility, but it should have a focal point and a champion.  One problem that occurs is that risk management activities are carried out by many different people from many different departments with little or no coordination between them.  This causes a repetition of effort and can actually create more risk than it addresses.

2.  Overlapping and interacting risk factors are often underestimated or ignored altogether.

Much like the diet drug Fen-Phen, the interaction of two risk factors can produce an exponential increase in the level of risk exposure.  In companies that experience security incidents, the interaction between these factors is often ignored, if it is even recognized in the first place.  When the interactions were highlighted by information security professionals, senior management often downplayed them.  We can only speculate as to why.

3.  Warnings about security vulnerabilities and risk agents were ignored and those who gave them were criticized as malcontents or for not being team players.

When examining the events that led up to a security incident, it is not uncommon to find that the warning signs were there.  In certain situations it wasn’t uncommon to learn that those who did voice the warning were criticized for what management considered “disruptive behavior.”

4.  When risk modeling is used, too much emphasis is placed on probabilistic modeling.

Most security studies are highly inaccurate from the standpoint of quantifiable measurement of security incidents.  (I can go on about this, but it is really a separate topic.  If it is one of interest to you, let me know and I’ll devote a post to it.)  Most information security professionals believe that these studies only capture something like ten percent of the events that are actually occurring.  When you use these studies as the basis for probabilistic risk models, you are building those models on inaccurate data.  This is fine as long as that fact is acknowledged and the numbers generated by the model are tempered with qualitative analysis.

5.  Senior management was so focused on making their numbers that other programs and initiatives (such as risk management and information security) were cut.

This problem is all about thinking tactically versus strategically.  A long-term strategic approach includes addressing the needs and requirements that can have the greatest impact over time.  If management’s view is too tactical and short term, then they run the risk of neglecting long-term concerns such as those having to do with appropriate risk management activities.

6.  Companies lacked a comprehensive approach to risk management.

A comprehensive approach takes into account quite a few different aspects and points of view rather than one or two narrow views.  Companies that lacked a comprehensive approach typically viewed risk management as a compliance exercise rather than as a business enabler.  I’ll go into more detail about this in Part Two, so stay tuned.

Again, these are just a few items that came to mind.  If you have noticed others of your own, please share them.
