In our jobs as security professionals we are asked to do two things which are often looked at as one and the same – “secure the organization” and “reduce risk”. I think a lot of security folks think of what they do as “making the organization more secure”, but I’d like to take a second look at that and argue that if you are doing only this, you might not actually be reducing risk.
Let’s take a look at an analogy for a moment. Consider the construction of a bank. Banks are meant to be secure, right? Indeed, they are a very secure place to store money. Can you walk in and rob a bank? Yes, you sure can. You can very likely walk in with a gun, ask for money, and walk out a temporarily richer person. When the bank closes down for the night it becomes much more difficult to get access to the money.
Banks focus on reducing risk in a number of ways, but their priority is not necessarily to prevent money from ever leaving the bank. Generally speaking, the first priority for a bank during business hours is customer and employee safety. As such, when someone enters the bank to rob it, the focus is on getting the risk (the guy with the gun) out of the bank quickly, and using other types of controls to allow for recovery of the money later. This is where dye packs, cameras, little red buttons, etc. all come into play: to establish quick communication with law enforcement and leave as many clues as possible to find the criminal later. And if they don’t find the criminal? They have the FDIC insuring the money. This transfers the risk of money loss to the government, and as such the FBI gets involved in bank robberies because it has an interest in recovering the money.
Banks are in business to make money. If they can provide customers with a safe place to store money while not requiring that the customer be subjected to a cavity search upon entering the bank, they’ll do better. They’ve achieved this by analyzing their risk and where it’s not good for business to mitigate the risk directly, they have worked to transfer that risk to someone else.
When the bank closes for the night, life safety becomes less of a concern and so the security mechanisms become much more direct. The vault closes, the alarm arms, an armed security patrol is in place, there are vicious dogs roaming the halls – whatever. The point is, the risk priority for the bank shifts from life safety to physical security – keeping the physical assets in the bank secure. That said, they do not typically go to extremes; the measures need to be cost-effective because, at the end of the day, any loss under the FDIC-insured limit is an externality to them.
In the enterprise we need to be doing the same thing. We all know the saying that goes something like “The only secure computer is one that’s unplugged, placed in a safe, and buried underground – and even then it’s questionable”. To say that someone is more or less secure isn’t really comparing them to any meaningful baseline. My systems may be secure, but if they inhibit efficient business function that security has lost value. Conversely, if they are so insecure that availability, confidentiality or integrity suffers and impacts the business, then I’m in trouble. So for now, let’s set aside our role to “make the organization more secure” and focus on reducing risk. After all, security blankets, security guards and security tools make us feel more secure – but they don’t always actually make us safer.
Risk comes in many forms when you stop using the word security. When I walk into the building each day there is a risk that there could be a fire and I may be hurt or worse. There is a risk that the company may be sued and have to liquidate assets, causing me to lose my job. There is a risk that the bathroom may smell bad. These risks aren’t all equivalent, but they are all risks to me and/or the organization. Now, what if you run a restaurant and, because the bathroom smells bad, patrons don’t want to come eat in your place? Now you have a real risk to the business. It changes with what you do, who your customers are, and, let’s face it, the general public opinion about certain things.
Now, by ensuring correct exit routes exist in the event of fire, and performing fire drill tests and building programs around this, am I making the organization more secure? Not by most definitions (though I would argue you are in fact doing so). By having a strong legal team and being aware of the legalities in your business, are you making your organization more secure? By keeping the PC that controls the smell in the bathroom running, are you making your organization more secure? All of these things potentially reduce risk but don’t necessarily increase security unless you think about security very broadly – which is what I’m getting at.
I’d like to define it this way. Security is the feeling you get when you have reduced the risk in your business to an acceptable level. So security becomes synonymous with confidence in your ability to manage the risk in your organization. Making things more secure means increasing that confidence, but it doesn’t necessarily mean making it harder for a guy to come in and steal your money. It means you understand the risk, you understand your vulnerability to that risk, and you have controls in place to ensure the damage that results from that risk is kept to an acceptable level. If that means your server can get pwned over and over again and you just rebuild and move on, then maybe that’s acceptable for your organization. It doesn’t meet most people’s definition of secure, but it’s not their business.