Appetite for Destruction – Enterprise Risk Management

If the title of a 1987 Guns N' Roses album sounds like an unlikely opening for a cyber security blog, you are probably right. But when applied to the broader question of enterprise risk management and the need to develop a top-down risk tolerance strategy, the relevance may become clearer.

Failure by organisations to develop, communicate and monitor a suitable risk appetite strategy can lead to catastrophic business failure in either direction: by accepting too much inherent risk, or conversely by being too cautious and allowing the business to be overrun by spiralling governance costs and far bolder competitors. COSO defines it thus: "Risk appetite is the amount of risk, on a broad level, an organization is willing to accept in pursuit of value. Each organization pursues various objectives to add value and should broadly understand the risk it is willing to undertake in doing so".

Organisations encounter risk every day as they pursue their business objectives. Senior management must therefore deal with the fundamental question: how much risk is acceptable while pursuing these objectives? Additionally, external regulators and other bodies increasingly require organisations to evidence their risk management processes and board oversight, and being unable to do so is a risk in itself. But not all risk is bad. Modern businesses need to innovate to compete and survive, and you cannot innovate without taking on risk. Sometimes a lot of risk. Essentially there is no longer a 'safe path' to stick to if you want to both stay in the game and win it.

A few years ago I attempted to open up a conversation with the board of a large multinational around risk acceptance, with the aim of striking a balance between the costs of security countermeasures versus the likely cost of any losses, thereby setting expectations around what was achievable. This endeavour fell at the first hurdle of "what level of per-event or annualised loss is acceptable to the business?" "None" came the inevitable response, thus sealing the end of that debate. Nowadays, boards cannot possibly ignore the endless tide of publicised breaches and corporate collapses that adorn the media every day, and they now seem to have accepted the 'not if, but when' philosophy, which acknowledges that you can't secure everything and therefore losses are bound to occur, no matter how much money you throw at managing risk.

Nonetheless, having that debate at a senior level and then executing an organisation-wide programme to embed the risk appetite and risk tolerance strategy into every business process remains a daunting task that not every business is yet prepared to embrace. Like the elephant in the room or the ostrich's head in the sand (insert suitable metaphor here), it is often easier for the various risk management functions to just keep doing what they do while hoping for the best. Unfortunately that's no longer enough. Completely defending a large organisation against the growing number of threats and increasingly sophisticated attacks would require more resources than many businesses are worth, and then some. So there needs to be a conscious acceptance of risk at the strategic level, which is then fine-tuned for each critical business function as the tactical means of managing ongoing risks. This is where the terms Risk Appetite and Risk Tolerance come in: the former is a strategic, board-sanctioned policy statement and plan setting out how much risk the organisation as a whole will accept in pursuit of its objectives; the latter is the more tactical exercise of identifying the most critical parts of the business operation and setting, for each of them, the acceptable variation around that appetite, based on the operational criticality of each function to the overall business.

Without these formal statements on risk appetite and tolerance, clearly mandated, communicated and integrated across a business, it is hard to set goals and priorities or to allocate resources to best manage all forms of risk across the organisation. Yet research suggests that only around a quarter of large public and private companies have a formally articulated statement of risk appetite in place. There is a view that this absence of a formal and coherent risk appetite strategy across three-quarters of organisations is at the root of ever increasing numbers of breaches and failures in recent times. Too much gets spent securing functions and assets the business could still survive if lost; while the real Achilles heels lie relatively unprotected due to distractions elsewhere.

So, what to do? Well whatever you decide to do you cannot do it in isolation. There needs to be a will and mandate from the top which leads to federation of the various risk functions in pursuit of a set of common objectives. Education and influence are key to introducing these concepts in a way all parties will understand and buy into. Sometimes you don't know you have a problem until someone educates you enough to see it.

So if you are a natural educator and influencer who happens to be sitting in one of the risk functions in a business that lacks a current strategy and statement dealing with risk appetite, then you know what to do!



Adrian Wright is a board member and VP of research at the ISSA UK chapter.

Security on the Brain - White paper & presentation

I have been requested to 'socialise' the white paper and presentation slides from the highly popular "Security on the Brain" series of workshops I presented at recent ISSA and other infosec conferences, including Transport Security Expo, e-Crime Congress and IISyG. Links to both the paper and the presentation slides are below:

Security on the Brain - Using Human Psychology to Achieve Compliance:
Paper Attached. Here

Workshop Presentation here:

Slides published from last Chapter Meeting

Presentation slides from the last ISSA-UK London Chapter Meeting on "Critical Controls" are now available.

Event: Thursday, 13 June 2013 from 16:00 to 21:00 London, United Kingdom

Richard Hollis, CEO, Risk Factory
Deep Threat: Top 10 Lessons to Learn from the Online Adult Entertainment Industry. Link to Slides

Thom Langford, Sapient
UFOs, Dirty Dancing and Exploding Helicopters - Understanding Risk Management Hollywood Style. Link to Slides

Adrian Wright, ISSA-UK VP of Projects
Securing The 'Internet of Things' - Implications and Key Questions. Link to Slides

Dragon's Den 2013 - HMS President, River Thames, London


Thursday, July 11, 2013 from 9:30 AM to 7:00 PM (BST) London, United Kingdom
Our annual Dragon's Den Event returns on 11th July and will be held on the HMS President, a boat permanently moored on the River Thames in London.

In the Dragon's Den event, ten security software/solution vendors battle it out for the best Speaker and best Product prizes, given at the end of the day and voted on by the audience.  We offer each vendor a 10 minute speaking pitch and split the sessions over an hour in the morning and an hour in the afternoon.

5 CPE points. ISSA Members Free - Non Members £50 + £1.90 booking fee. Limited places on board ship - book your place now!

Book Here

Partner Event: "Development Testing: Securing Your Code" Weds 3rd July 18.30–22.00 London

Join in the Big Debate: Are you making the right decisions to secure your code?

With the rising complexity of applications and the increasing threat of security attacks, can security risks be left to the security auditors to tackle on their own? Or does this now belong to the Software Development Teams? In short, are you making the right decisions to ensure the security of your code?

Join us on the evening of 3rd July in London to hear leading industry luminaries grapple with the important issues surrounding this debate. The panel discussion will include some pre-prepared questions plus an opportunity for attendees to test the panel members. We welcome security and development leaders from all industries and look forward to seeing you there!

An evening Panel Discussion featuring:
Stephen Bonner, Partner, Information Protection, KPMG
Tim Holman, President of the ISSA UK Chapter
Neira Jones, Chairman,The CSCSS Advisory Board
John Jacott, Security Practice Leader, Coverity
Moderated by Paul Fisher, Pfanda / ex-Editor of SC Magazine

Event Agenda:
18.30 – 20.00 Refreshments & Networking
20.00 – 21.30 The big debate
21.30 – 22.30 Additional Networking Opportunities

Register here:

Cyber Security for the Military and Defence Sector Conference

19–20 June London Kensington

A discount code for our members: ISSA members can register online and receive a £300 discount! Use discount code SMI5H6NISSA
Partner Conference: Cyber Security for Military & Defence Sector, 19–20 June, London, Copthorne Tara Hotel. £300 ISSA member discount. Register here:

Just when you thought you had BYOD under control – enter the Life of BYON

An IT manager friend of mine recently reprimanded a young employee for spending up to 80% of his day surfing shopping and music sites from his desktop, a fact that had come to light through web filter, firewall and bandwidth logs. Duly warned, and with web filters having been tightened, the employee went back to 'work'. Several weeks later a new notebook PC appeared on the employee's desk, which also seemed to consume most of his attention throughout the day.
A quick check of the network showed no new systems on the network, so perhaps it was being used offline? Maybe so, if it wasn't for the fact that our manager then spotted a new wireless connection he hadn't seen before in his wireless connection list. Yes, you guessed it. Having been caught using the company network for his own purposes, our young scallywag had brought his own wireless hot spot to work and was using that to while away his time on YouTube, Facebook and eBay.

Like BYOD before it, the march of Bring-Your-Own-Network (BYON) is happening silently, stealthily and almost completely outside of management control. Nearly all modern smartphones and 3G/4G tablets can be turned into a wireless hot spot in seconds, giving the device itself and any other wireless-enabled system within range its own route to the internet, whether out and about or at the workplace desk.

From an employee's viewpoint this makes perfect sense. They may have been denied permission to connect their personal devices to the corporate network, or don't want the hassle of seeking these approvals and having the company install mobile device management (MDM) software on their personal devices. They will be aware that many sites like social media, betting and music download sites (i.e. the very places they want to go) are either blocked or have their use monitored. And besides, their brand new 4G tariff gives them a cool 12Mbps with all-you-can-eat data, which is probably not true of the clunky corporate LAN struggling to deliver even a tenth of that; assuming of course the firewall allows you to view or download anything you are remotely interested in.

So what's the problem with BYON? From a security and capacity perspective you might say, "better them doing it on their kit than mine", or "at least it's hardware and software I don't need to provide support and capacity for", but you'd be missing the point. Someone spending a large part of their workplace time pursuing personal interests represents a huge hit to productivity and the bottom line once you have enough people doing it. The bigger issue is that you can't readily detect, monitor or quantify it. These things also tend to become endemic in the workplace culture and hard to reverse after a very short time.

The situation also drives a coach and horses through any policies you might have regarding improper or illegal material being viewed in the workplace, because it bypasses the filters and logs you probably spent a fortune putting in place. Furthermore, the assumption that those personal WiFi hotspots are completely air-gapped from the corporate IT is a dangerously weak one. A desk PC that keeps its wired connection to the corporate LAN while its wireless adapter joins a personal hotspot is dual-homed: it now sits on both networks at once, with a default route to the internet that your firewall never sees. Unless you have a tight lockdown on all your office PCs preventing connection to unauthorised wireless networks, backed up with DLP on everything so that files downloaded elsewhere cannot be transferred onto office systems, there is a real risk of the secure enterprise network being bridged to insecure private ones at multiple points. Plus of course there's the bigger risk that sensitive data goes the other way, leaking out through the insecure access point or being carried out on an unprotected personal device.

So what to do about it? First and foremost check your security, staff and acceptable use policies are clear and unambiguous regarding the use of BYON and personal wireless hot spots in particular. In the above case of the employee using his own kit to surf the web all day; the BYOD policy written over a year prior made no mention of personal hot spots or their use. Consequently their use had run out of control before the issue came to management’s attention. Next carry out a business risk assessment involving the key risk stakeholders including HR, IT, and security to identify the risks in both scenarios of either permitting or banning the use of personal WiFi hot spots. If the organisation opts to allow their use, you’ll need to define the precise what, when and how of their acceptability and then enshrine it in corporate policy. If you opt to ban them, then work out how you are going to detect and respond to the exceptions which will occur. In all cases you’ll need to consider how to prevent any personal network connection, whether allowed or not, from circumventing your entire enterprise security infrastructure.
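As an added illustration (not part of the original post), here is a small Python script that turns the two detection questions raised above, "is there a hotspot on our floor?" and "is any office PC bridged to it?", into checks that run over inventory data. Everything it consumes is constructed sample input: the wireless survey, the sanctioned BSSID list, the per-host interface inventory and the corporate address ranges are all made up here; in practice they would come from your wireless controller's rogue-AP report and your endpoint agent's network configuration export. The hotspot SSID patterns are a heuristic assumption, not a definitive list.

```python
"""Flag likely personal hotspots and bridged (dual-homed) office PCs.

Added illustration; all input below is constructed sample data, not real
survey or inventory output.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

# SSID fragments that commonly belong to phone or tablet tethering.
# Heuristic assumption only; extend it from what your own surveys report.
HOTSPOT_SSID_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (r"iphone", r"androidap", r"galaxy", r"hotspot", r"mifi")
]


@dataclass(frozen=True)
class ObservedNetwork:
    ssid: str
    bssid: str        # AP MAC address as reported by the sensor
    signal_dbm: int   # closer to 0 means physically nearer
    seen_by: str      # which corporate AP or sensor reported it


@dataclass(frozen=True)
class Interface:
    host: str
    name: str
    address: str
    gateway: Optional[str]   # None when the interface has no default route


def classify_networks(
    observed: Sequence[ObservedNetwork],
    sanctioned_bssids: Sequence[str],
    signal_floor_dbm: int = -70,
) -> List[Tuple[str, str, str]]:
    """Return (ssid, bssid, reason) for every network that is not one of ours.

    Networks weaker than signal_floor_dbm are ignored as probable neighbours
    in adjacent buildings rather than something on our floor.
    """
    sanctioned = {b.lower() for b in sanctioned_bssids}
    findings = []
    for net in observed:
        if net.bssid.lower() in sanctioned or net.signal_dbm < signal_floor_dbm:
            continue
        if any(p.search(net.ssid) for p in HOTSPOT_SSID_PATTERNS):
            reason = "looks like a personal tethering hotspot"
        else:
            reason = "unknown access point inside the office"
        findings.append((net.ssid, net.bssid, reason))
    return findings


def find_bridged_hosts(
    interfaces: Sequence[Interface], corporate_prefixes: Sequence[str]
) -> Dict[str, List[str]]:
    """Map host -> interfaces that give a LAN-connected PC a foreign default route.

    A host with an address inside a corporate prefix *and* a default gateway
    outside every corporate prefix is dual-homed: traffic can cross between
    the enterprise network and the private one without touching the firewall.
    """
    nets = [ipaddress.ip_network(p) for p in corporate_prefixes]

    def is_corporate(addr: str) -> bool:
        return any(ipaddress.ip_address(addr) in n for n in nets)

    by_host: Dict[str, List[Interface]] = {}
    for iface in interfaces:
        by_host.setdefault(iface.host, []).append(iface)

    bridged: Dict[str, List[str]] = {}
    for host, ifaces in by_host.items():
        on_lan = any(is_corporate(i.address) for i in ifaces)
        foreign = [i.name for i in ifaces if i.gateway and not is_corporate(i.gateway)]
        if on_lan and foreign:
            bridged[host] = foreign
    return bridged


# --- constructed sample input (not real data) ---------------------------
SANCTIONED_BSSIDS = ["00:11:22:aa:bb:01", "00:11:22:aa:bb:02"]
SAMPLE_SURVEY = [
    ObservedNetwork("CORP-WIFI", "00:11:22:AA:BB:01", -41, "AP-3F-01"),
    ObservedNetwork("Dave's iPhone", "aa:bb:cc:dd:ee:01", -52, "AP-3F-01"),
    ObservedNetwork("Neighbour-Guest", "aa:bb:cc:dd:ee:02", -84, "AP-3F-02"),
    ObservedNetwork("PRINTER-SETUP", "aa:bb:cc:dd:ee:03", -58, "AP-3F-02"),
]
CORPORATE_PREFIXES = ["10.0.0.0/8"]
SAMPLE_INTERFACES = [
    Interface("LDN-WS-0142", "Ethernet", "10.12.4.57", "10.12.4.1"),
    Interface("LDN-WS-0142", "Wi-Fi", "172.20.10.3", "172.20.10.1"),   # hotspot side
    Interface("LDN-WS-0143", "Ethernet", "10.12.4.58", "10.12.4.1"),
    Interface("LDN-LT-0201", "Wi-Fi", "10.30.1.20", "10.30.1.1"),      # corporate WLAN
]

if __name__ == "__main__":
    for ssid, bssid, reason in classify_networks(SAMPLE_SURVEY, SANCTIONED_BSSIDS):
        print(f"rogue: {ssid!r} ({bssid}): {reason}")
    for host, names in find_bridged_hosts(SAMPLE_INTERFACES, CORPORATE_PREFIXES).items():
        print(f"bridged: {host} via {', '.join(names)}")
```

The two checks are deliberately separate: the survey tells you a hotspot exists on the floor (a policy exception to follow up with HR), while the interface inventory tells you which corporate-addressed machine has a route onto it (a security incident to cut off first). The signal floor keeps next-door's router out of the report; tune it to your building.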

What security measures can IT take to ensure security of enterprise data and does MDM really have a role in security?

"The map is no longer the territory". The 'map' in this case represents the inventory and network diagrams that used to tell IT people where all the systems and endpoints were on their network. The 'territory' on the other hand represents reality, in terms of what's actually out there and connecting in. Prior to the mobile and BYOD explosion the map and the territory were pretty much the same, give or take, but I believe this is no longer the case and is becoming less so every day. The unstoppable trend is that more employees are using their own smartphones and tablets for work, creating an upward surge of consumer mobile devices accessing corporate networks and storing corporate data. Organisations must therefore prepare themselves for a world where the dominant endpoint is not a desktop computer, but a mobile device.

Latest research shows nearly three-quarters of smart device owning professionals are using those personal devices to access company data, yet more than three-quarters of organisations are failing to manage that activity effectively. Some time ago I wrote an article entitled 'You can’t protect what you don’t know you’ve got', and this challenge of finding out what, where and how myriad personal devices are connected and what amount and value of your corporate data is on them, is the primary question you need to answer before attempting to secure anything.

The definition of what constitutes the "personal cloud" remains an area of intense debate. Most purchasers of popular smartphones are automatically granted access to a personal cloud such as Google's or Apple's iCloud for backing up and extending the storage of their device, so this is a good starting point in defining what the personal cloud is, and where some of your corporate data might already be.

MDM is certainly a route to take if BYOD is identified as a growing risk, but where you start depends on the degree to which BYOD has already been allowed to creep in by stealth. Most devices connect wirelessly, and many employees have connected their devices to the network simply by finding out the wireless password. So once you have MDM in place you might consider changing all the wireless passwords to force users off the network before allowing them back on in a more controlled, inventoried and secured way. Bear in mind that a shared pre-shared key will be passed around again within weeks; the durable version of this step is to move the corporate WLAN to 802.1X authentication, where each device presents a per-user credential or a certificate that only MDM enrolment provisions, so that 'finding out the password' stops being an option at all.