Tuesday, March 14, 2017

Before We Freak Out on Controls


In previous articles in this series, we’ve talked about three of the four legitimate ways of treating risk – avoiding, transferring, and accepting it – and one illegitimate way, ignoring it.  By “legitimate” I mean acceptable to a regulator or auditor under the right circumstances. I’ve purposely put off discussing strategies for mitigating risk, the fourth risk treatment, for two reasons.

First, most of the security industry – that pretty much means vendors – focuses on controls, that is, ways to spend money to reduce risk.  That is understandable since vendors are in the business of transferring money from your pocket to theirs. You might never get the idea from a vendor that there is any way to treat a risk other than by spending some money.  But as we have seen, there are other ways.

Second, risk mitigation is a huge topic. It immediately leads us into a welter of risk management frameworks, standards, and control sets.  Among them are the ISO 27000 series, the U.S. National Institute of Standards and Technology special publications (the NIST SP series), the SSAE16 standard of the American Institute of Certified Public Accountants, the Payment Card Industry Data Security Standard (PCI DSS), the Control Objectives for Information and Related Technologies (COBIT) of the Information Systems Audit and Control Association (ISACA), and others.  All of them are quite happy to help you understand and implement their standards, always with hundreds of pages of documents and usually for a fee.

And that’s just the tip of the iceberg.  Unpack any one of them and you can easily find dozens or hundreds of what they call “controls.”  A control is simply something you do to reduce or limit risk.  Sometimes a single control leads to many individual practices or detailed specifications. Setting standards for security risk assessment is an industry unto itself.

As if the proliferation of standards were not enough, large heavily-regulated enterprises like financial institutions and healthcare providers are wont to visit on their suppliers customized risk-assessment questionnaires and processes, and these questionnaires can easily have hundreds of items.  The Standardized Information Gathering (SIG) questionnaire of the Shared Assessments Program has over 1,000 items at last count.

The language of the standards and questionnaires often conveys the distinct impression that every item is mandatory, despite statements to the contrary.  And of course they are all different enough to preclude a standardized response, but similar enough to offer a glimmer of hope for economies.

It can be a daunting challenge for the executive of a small- or medium-sized company who wants to win the business of “the bigs” in the industry.  How much of this stuff do I really have to do?  How do I even get my arms around the overlapping and seemingly conflicting demands of multiple customers and regulators?  Will I really lose the business unless I require every employee to use a different 15-character password for every system, and to change each one every month, among scores of other items?


For the sake of the innovation, entrepreneurship, and competitiveness of the American economy, it is our mission to help the SMB executive navigate a path through this morass of standards.  Future articles will attempt to contribute to this mission.

Friday, March 3, 2017

What It Means to Accept a Risk



There are four legitimate ways to treat a risk, and one illegitimate way.  The illegitimate way is to close your eyes, block your ears, and ignore it.  The legitimate ways are to avoid it, transfer it to someone else, mitigate it, and accept it.  Of the myriad risks we all face every day, most of the time we accept them.  Canadians accept the risk of earthquake and hurricane.  Tunisians accept the risk of sandstorm and blizzard.  We all accept the risk of spilling our coffee on the way out of the coffee shop. Accepting a risk can be both understandable and acceptable to stakeholders for various reasons:
  • the chance of occurrence is too low to worry about (hurricane in Canada)
  • the likely impact if the threat occurs is low or affordable (spilling the coffee)
  • the cost of taking the next-best alternative is too high or not worth the reduction in risk (a Tunisian cannot afford sandstorm insurance, if there is such a thing, and anyway what good would it do?).

In the context of operational risk in an organization, be it cyber security, disaster recovery, or business continuity, it may be mightily tempting for the risk executive to simply assert to the auditor, “Well, we accept that risk.”

At which point the auditor (or somebody else who must be taken seriously, like a Board member or a regulator) may reply with some pointed questions, like:
  • Who is “we”?  Has this risk been accepted by persons authorized to make that decision? Is there any doubt about that authority?
  • Do you really understand the risk you are accepting? Have you considered the likely impact on the organization if the risk were to materialize?  Have you considered how likely that risk is to be realized over some definite planning horizon? What evidence is there that you’ve considered these things?
  • Have you considered the alternatives to accepting the risk, what they would cost, and what degree of reduction in risk they would give you?
  • When was this decision made? (Not just now, hopefully!)
  • Has this decision been documented, so that there is a record that people can consult later as to the limits of what was accepted, and so it’s clear that this is a conscious, considered and authorized decision?

In other words, the auditor is saying, “Convince me that you really understand the risk you are accepting, and give me enough evidence to evaluate, on behalf of the organization I represent, whether it is reasonable to accept it.” Depending on what is at stake, the support expected for the decision may range from a simple statement in the minutes of an executive meeting to a careful and documented analysis of the risk and the alternatives to accepting it. 

Accepting a risk is a legitimate way to treat it, but it is not a free pass.  Your stakeholders may disagree, and then you will need some ammunition to persuade them that your decision is reasonable, or at least to have a productive discussion.