Friday, January 6, 2012

Security Accountability: A Hidden Problem

When trying to come up with something to post about today, I started thinking about the biggest problems I run into when doing security assessments for my clients. A bunch of things started running through my head - lack of web or email filtering, lack of sufficient monitoring, poor web security, no security awareness training and bad patch management all came to mind. I don't think anyone can argue that these all can be problems, but that doesn't mean they actually are.

When dealing with information security, we all use a bunch of cliché terms, sayings and phrases but often fail to put them into actual practice. We discuss "defense in depth" but then focus almost all of our efforts on protective controls, ignoring detection, response and recovery. Similarly, we all say that eliminating risk is not our goal. In fact, we say, the elimination of risk is not possible. At the same time, we do penetration testing, scanning and assessments that identify all conceivable vulnerabilities and recommend that they be eliminated. What happened to "risk acceptance"? In theory, an organization should be able to review the likelihood that a threat exploits a vulnerability causing harm in terms that can be translated into a dollar amount. Taking a page from the CISSP or SANS Security Essentials class - we should be able to identify an annualized loss expectancy (ALE). If the ALE for a given risk is $10,000, it makes sense to spend $1,000 per year to mitigate it, while it doesn't make sense to spend $20,000 per year. This is infosec theory 101. The question, however, becomes how do we actually put this theory into practice? I believe the answer relates directly to the concept of asset ownership.

Many times when I talk to my clients I ask them who "owns" data assets. They reply that IT does. I then ask if IT has the authority to permanently modify or destroy the data assets they "own". The response, in most cases, is that no, they don't. Business decisions about data assets (such as the data in a database) are made by the owner of the business unit that uses that data. This fact alone means that the business unit, and not IT, is the asset owner. So what does that have to do with security and why is it a big problem? Good question!

In these same organizations, I ask how involved the business unit owner is in making security decisions. The response is almost always the same: the business unit simply expects that IT or the infosec group will provide them with security. Unfortunately, what "security" means is often not well defined. Generally, from a business unit perspective, "security" means that their assets will never get compromised, with a focus on confidentiality and integrity. As a result, there is no concept of "acceptable risk", and IT/security is left with the unenviable task of attempting to accomplish "perfect" security with a limited budget and limited resources. Because this is not possible, IT/security is left with the responsibility of determining acceptable risk, when many business owners intuitively feel all risk is acceptable (when it comes to allocating budget) while no risk is acceptable (after a compromise has occurred).

So what is the solution to this problem? The answer is easy to say but difficult to do. Business owners (the true data asset owners) must take responsibility for accepting risk. IT/security thus moves into the role of providing risk information to business owners. The information provided should include a description of threats, vulnerabilities and some metric that describes the likelihood and level of harm (perhaps the aforementioned ALE). IT/security should also make recommendations as to risk mitigation steps, including cost estimates. If the business owner determines the risk is unacceptable, they should be willing to allocate budget or other resources to mitigate it. If the business owner determines the risk is acceptable, they should sign off on that fact and be held accountable for the results. IT/security should not be held accountable for a compromise that took advantage of accepted risk. Rather, IT/security would be held accountable if the information they provided to the asset owners was bad or if they failed to effectively implement the approved controls.

This balance ensures that those ultimately responsible for the assets (the owners) play an active role in making security-related business decisions. It also ensures that budgets are tied, at least in some way, to risk. Finally, it puts IT/security personnel in a position where they have the capability of successfully doing their jobs rather than staying in the "no win" situation they are currently in.