If you have been anywhere near a news outlet in recent weeks, you are aware of the massive data breach suffered by retail giant Target. That incident was soon followed by breaches at Adobe and Neiman Marcus.
After fielding questions during risk workshops with ISACA chapters and reading a great deal of silliness on the web, I’d like to offer some guidance in the ISACA tradition.
Of course, there is a glut of guidance online: more regulation, more standards, more detection (or less prevention and more detection, or more proactive detection), more access controls, more network segments, new scanners, more compliance checks, better response.
These responses fall into two buckets—they are vague or they are merely bandages. Both are prone to leaving—if not creating—more holes. And that is what has been done, for the most part, over the past 40+ years. We must consider that there might be a reason that more of the same does not work.
Our cybercriminal adversaries are not unlike sports rivals. They can be smart, agile and skilled at spotting weaknesses and using our strengths against us. In a great matchup, one team can best another by knowing the holes in the other side’s strengths (such as when a security guard changes position or where a vulnerable wire is in a security camera). In a great comeback game, one team must address its over-confidence, weaknesses and blind spots and rise to victory before the final whistle blows.
ISACA’s framework can help. To close our security holes, we should apply the whole of a flexible framework, one based on business-driven goals and measurable objectives, clear roles, consistent management practices tailored for us, and a way to measure “Are we there yet?” to the level of maturity selected by management. COBIT 5 fits this role.
This whole approach is critical. I encounter many talented professionals who are good in many areas, but lacking in a few. Working within organizations also tends to blind people to the big picture. They stop asking “What if?”
This constant creative questioning is necessary. I ask audiences if they have really studied their opponents. Are they as good at playing role-based simulation games as the cybercriminals or their own children? When I ask these questions during ISACA risk workshops, few reply with a yes. Some say, “We do that,” but there is a big difference between “doing that” well enough to play in the league and actually winning the Super Bowl. Teams with holes in rosters or game plans don’t win.
In this weekend’s Super Bowl, both teams were talented and the gambling odds were close. But the Denver Broncos collapsed when they weren’t agile enough to react in the right way. In sports and business, the ultimate differentiator is managing risk to objectives amidst complexity and change, especially when fighting fatigue.
The same discipline the Seattle Seahawks displayed on Sunday is needed in following the risk-management steps:
- Evaluate environments and capabilities
- Seek scenarios that are lifelike and robust, based on evaluations
- Watch for warning signs based on the “What if?”
- Prioritize response actions based on scenarios
- Shift position in the environment or strengthen capabilities based on priorities
- When the “bad thing” happens, react the right way and recover
These steps can be implemented through a set of seamless management practices, such as those in COBIT 5, which can help you begin closing security holes while you continue to ask “What if?”
Principal Analyst & Advisor, ValueBridge Advisors
ISACA conference presenter and volunteer on Risk IT and COBIT 5 initiatives
Author of “The Operational Risk Handbook”