https://blogs.rsa.com/bad-decisions-made-faster-qualitative-security-risk-assessments-making-things-worse/?utm_source=rss&utm_medium=rss&utm_campaign=bad-decisions-made-faster-qualitative-security-risk-assessments-making-things-worse
By Derek Brink
blogs.rsa.com
March 19, 2014
Once there was a leadership team that was exceedingly fond of using risk
assessments to make business decisions about information security. The
team cared little for detailed discussions about threats, vulnerabilities,
technical exploits, or a host of potential security controls. They wanted
their subject matter experts on information security to explain clearly
how their recommended investments in security controls would actually
reduce the company's risk, and they ultimately wanted to make decisions
based on the amount of risk the company was willing to accept.
Many security professionals, as well as many security vendors, tried but
failed to communicate in this way and fell back into their old bad habits,
frustrating everyone. But one day some pretenders came along, who let it
be known that they could conduct qualitative (and even
"semi-quantitative") security risk assessments that could be easily
understood by the leadership team. Their security risk assessments were
presented using bright colors, and had the property of being understood by
virtually everyone. The pretenders were supported by a third-party advisor
and highly trusted by the leadership team, who vouched publicly for their
approach.
Does any of this fractured fairy tale sound familiar? It's based, of
course, on Hans Christian Andersen's classic story, The Emperor's New
Clothes. You can write the end of the story yourself. In spite of their
misgivings, everyone goes along with the charade -- not wanting to appear
stupid or unfit for his position -- until someone has the courage to point
out the truth.
That's exactly what I'm doing here: Pointing out the truth about the
qualitative and "semi-quantitative" risk assessments that have become so
popular. They manifest themselves in the 5x5 "risk maps" that are
typically visualized in vibrant green, yellow, and red. Everyone seems to
be doing it—even security vendors are proudly incorporating it into the
management consoles of their offerings.
Let’s define some terms:
[...]