Practical vs. Regulatory – the votes are in!

I was thinking about translating the article I recently wrote for the Israeli Insurance Association (see my last post), but decided to completely rewrite it so it would apply to the general public rather than to the select few insurance industry professionals in Israel.

The basic realm of what we are all doing on a daily basis (at least those of us who deal with information security and risk management) is trying to make sure that we keep our information intact, comply with the relevant regulation for our industry, and have it all done within a budget. Nevertheless, one can often see one of two approaches being applied in the field – the practical one, and the regulatory one. The practical approach looks for the relevant risks and tries to control them and minimize their exposure to the relevant threats. The regulatory one states that we’ll pick the “best practice” solutions that would have us comply with the regulation, and by doing so we should be OK, as the rest of the world pretty much does the same.

Unfortunately, the practical approach that fuels logical thinking, understanding your assets, risks, threats and available resources, and tries to constantly adapt your security measures to them is rarely adopted, and I have only seen a few select organizations “make the plunge” into the thinking zone. More often one finds an organization that has hired consultants to perform a risk assessment and gap analysis (which is a basic part of most regulatory requirements these days), and then has them use whatever budget is available for the certification to install security products (again – best practices…) which cover all the “high” risks found in the risk assessment, and some of the “medium” ones.

I truly think that the gap between the practical approach and the regulatory one is not that big (guess which one I endorse…). The root cause that brought most commercial and financial organizations to adopt the regulatory approach has been the crackdown of governments and regulatory bodies post Enron/WorldCom/the credit crisis/[add your financial/corporate crisis here] on companies worldwide, and the immediate proliferation of information security “professionals” who were merely technicians or integration engineers with a fancy title. Budgets were allocated, products were evaluated, and with the endorsement of a savvy accounting firm you could find yourself compliant in no time with a brand new lineup of “best practice” products in your network.

Taking a step back, and actually looking at the regulatory requirement (interesting homework for you – take a look at your “favorite” one and try to read it from as objective a viewpoint as possible), it’s clear that most regulations can be adhered to without just hopping on the vendor product bandwagon. A careful assessment (as noted – part of any basic compliance project) can map out the actual assets that YOU need to protect (which are obviously different from someone else’s assets – hence the regulation can’t cover them all specifically), and provide you with the scale to measure how much capital would be WISELY spent on protecting that asset. I promise you that after going through this drill, you’ll find that the money needed to really protect your information and mitigate the risks relevant to your organization is less than what you would have spent on “best practice” solutions that provide mediocre protection for some general phantom assets which the regulator pointed to.

The final step in keeping this process in the “practical” land and preventing the regulatory approach from popping up the next time the certification date looms is to keep running those numbers – what is my risk, what are the ACTUAL threats I’m facing, how do my current measures stand against those threats, and how has my asset valuation changed. By keeping this measurement practice up-to-date, you can easily (and again – cost effectively) adjust the protections appropriately, stay compliant (and not just for the first month after certification), and see an actual benefit out of all the budget spent on information security and risk management.
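As an added illustration of “keep running those numbers” (this is example code, not the author’s method), here is a tiny risk register: each entry carries the asset’s value, the likelihood of the actual threat, and how much of the loss current measures prevent; re-ranking it after a valuation change shows where the next budget unit should go. The exposure formula and all figures are assumptions constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    asset: str
    value: float                  # what the asset is worth to YOU (constructed figure)
    likelihood: float             # chance per year the actual threat hits (0..1)
    control_effectiveness: float  # share of the loss current measures prevent (0..1)

    def exposure(self) -> float:
        """Residual exposure once current measures are taken into account.
        Assumed model: value * likelihood * (1 - control effectiveness)."""
        return self.value * self.likelihood * (1.0 - self.control_effectiveness)

def rank(register):
    """Highest residual exposure first: that is where budget goes before any
    'best practice' product that targets a phantom asset."""
    return sorted(register, key=lambda r: r.exposure(), reverse=True)

def top_asset(register):
    """Asset currently carrying the most residual exposure."""
    return rank(register)[0].asset

def revalue(register, asset, new_value):
    """The 'how has my asset valuation changed' step: update one asset's
    value and re-run the numbers instead of waiting for the next audit."""
    for r in register:
        if r.asset == asset:
            r.value = new_value
    return rank(register)

def reduction_from(risk, proposed_effectiveness):
    """Exposure removed if a proposed measure lifted this risk's control
    effectiveness; compare it against the measure's price before buying."""
    improved = Risk(risk.asset, risk.value, risk.likelihood, proposed_effectiveness)
    return risk.exposure() - improved.exposure()

def sample_register():
    """Constructed sample entries for the example; not from the post."""
    return [
        Risk("customer database", 2_000_000, 0.10, 0.7),
        Risk("public web site",     200_000, 0.50, 0.2),
        Risk("internal wiki",        50_000, 0.30, 0.0),
    ]

if __name__ == "__main__":
    reg = sample_register()
    print("priority now:", top_asset(reg))
    print("priority after wiki revaluation:", revalue(reg, "internal wiki", 500_000)[0].asset)
```

With the sample figures the public web site ranks first despite the database being worth ten times more, and the moment the wiki’s valuation is raised the ranking flips, which is exactly the adjustment a once-a-year certification never captures.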

To quickly sum up, I’ll include an excerpt from a post by valsmith that I highly concur with:

Many companies have not yet developed the ability to identify, document or even discuss the real risks to their business and are barely holding on by figuring out whatever regulations they need to follow and checking off the boxes. They need to pass. Shrinking budgets mean they need it cheap. This means that pen testers are selling something with little real world, but lots of bureaucratic, value.

Twitter spam – Spitter? Tpam?

Unless you’ve been living under a rock for the past couple of years, you have been exposed to Twitter in some shape or form. Having adopted this means of socializing myself not too long ago (I have been researching its security since day-0, but only jumped on the bandwagon a few months ago), I once again have to live with the bad aspects of social networks.

Just when you think a social network platform might be immune from the perils of spam and malicious content, it’s funny to see how spammers (especially on the adult content side) have been using Twitter to peddle their stuff… Instead of Tweeting it again (http://twitter.com/iiamit/status/2404011102), I decided to pay my respects with a full blog post.

[image: spitter]

So here are my 2 new followers (the one mentioned in my older tweet has fled – probably didn’t get what they signed up for ;-) ). I’ll be sure to keep checking out these trends and make sure that nothing beyond the traditional and mostly harmless content shows up (unless you consider NSFW dangerous – no malweb so far there).

See you all in Vegas (https://www.defcon.org/html/defcon-17/dc-17-speakers.html#Amit)!

Update: OK, this can go out in the open now (had to make sure that this went public already…). Pushing malweb through Twitter has been going on for a while; a funny example below shows the same malicious URL being pushed by “foot soldiers” across multiple trending topics as they change over time:

[image: maltweet1]

And the Tweet of the day for me is an attempt to “whore” the trending topics in order to promote an adult site:

[image: trendwhoring]

Obviously all the keywords at the time this was published were on the trending top list…
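Both screenshots above share a detectable shape: one URL riding several unrelated trending topics, and a single tweet stuffed with whatever is trending. As an added example (not code from the post or from Twitter), here are two simple heuristics for spotting those patterns in a feed; the handles, hashtags, trending list and URLs are all constructed for the example.

```python
import re
from collections import defaultdict

URL_RE = re.compile(r"https?://\S+")
TAG_RE = re.compile(r"#(\w+)")

def urls_across_topics(tweets, min_topics=3):
    """Map each URL to the distinct hashtags it was posted under and keep the
    ones spread over at least min_topics topics (the 'foot soldier' pattern)."""
    topics_by_url = defaultdict(set)
    for t in tweets:
        tags = {tag.lower() for tag in TAG_RE.findall(t["text"])}
        for url in URL_RE.findall(t["text"]):
            topics_by_url[url.rstrip(".,!")] |= tags
    return {u: sorted(tags) for u, tags in topics_by_url.items() if len(tags) >= min_topics}

def trend_stuffing_ratio(text, trending):
    """Share of a tweet's words (URLs removed) that are currently trending
    keywords; a high share with no real content is the 'trend whoring' pattern."""
    words = re.findall(r"\w+", URL_RE.sub("", text).lower())
    return sum(w in trending for w in words) / len(words) if words else 0.0

def flag_accounts(tweets, trending, min_topics=3, max_ratio=0.5):
    """Accounts that pushed a multi-topic URL or stuffed a tweet with trends."""
    spread = urls_across_topics(tweets, min_topics)
    flagged = set()
    for t in tweets:
        if any(u.rstrip(".,!") in spread for u in URL_RE.findall(t["text"])):
            flagged.add(t["user"])
        if trend_stuffing_ratio(t["text"], trending) > max_ratio:
            flagged.add(t["user"])
    return flagged

# Constructed trending list and sample feed; none of this is real data.
TRENDING = {"conference", "finals", "premiere", "election", "concert"}
SAMPLE = [
    {"user": "bot1",  "text": "wow look at this #conference http://example.invalid/x"},
    {"user": "bot2",  "text": "#finals highlights http://example.invalid/x"},
    {"user": "bot1",  "text": "#premiere trailer http://example.invalid/x"},
    {"user": "alice", "text": "Watching #finals with friends, great match"},
    {"user": "spam9", "text": "#conference #finals #premiere #election #concert see pics http://example.invalid/adult"},
]

if __name__ == "__main__":
    print(urls_across_topics(SAMPLE))
    print(flag_accounts(SAMPLE, TRENDING))
```

The thresholds are deliberately loose for the constructed feed; on a real stream you would tune `min_topics` and `max_ratio` against a day of known-good tweets before acting on the flags.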