Security or Risk Management?

The terms Security professional and Risk Management professional have been floating around for some time. There has always been a stereotype about security professionals. In response to the negative perspective from outsiders, some security practitioners started dropping "security" in favor of the title "risk manager" in hopes of seeming more business friendly. CISO is not a new position, but there are still many companies that haven't taken the leap of adding it to their ranks. Some have steered away from CISO in preference for Chief Risk Officer or even Chief Resilience Officer, yet if you look at what they are all responsible for on a day-to-day basis, they are remarkably similar, regardless of title.

There are differences in the approaches, to be certain. Each comes at the issues with a different perspective, or perhaps a philosophy, and so the titles are not merely marketing terminology. Both philosophies have their benefits and their weaknesses. I've been thinking about the differences in approach off and on for the last decade. For illustration only, I will describe the most extreme examples of both types.

A self-identified security professional taken to the extreme would be someone who insists on securing everything without priority, or rather, someone for whom everything is priority one. All vulnerabilities must be remediated with equal vigor. For protection, detection, investigation and response tools, they would recommend buying multiple products for each area, taking defense in depth to an extreme level without supporting data.

A risk professional taken to the extreme would not be driven to secure anything. The goal would be to identify all risks and either avoid, accept, transfer or reduce them. This most extreme example would not care which of those categories the risks fell into, as long as they were accounted for as part of the risk management process. If every item identified were entered into a risk register and someone signed on the line to accept every risk, then it's a job well done.

The reality is that regardless of what a person calls themselves, if they are in a department responsible for IT security, then they must find a balance between these two extremes. At first I had visualized these two as polar opposites that could be described using a line with opposing principles on each end and some form of indicator that could slide between the two. Picture an old stereo with Treble and Bass, where you could have all of one or the other. After further consideration, I think that is overly simplistic. Instead, I see a model that overlaps but never reaches the extreme boundaries. A person may be 40% risk management and 60% security minded, but I doubt that anyone demonstrating more than a 60% leaning would be tolerated in any sector, and the sector is a key differentiator.

No company can afford to fix every single issue, and even if they could, when addressing those issues they would not try to fix them all simultaneously. Some form of risk-based triage would guide the effort. Certainly banks and defense contractors have a mindset that leans far more toward defending and protecting all of their critical data than a security department at a college campus that isn't even responsible for processing credit cards would. If there is no regulation, the entity is not publicly traded, and they don't make their living by creating intellectual property whose loss would kill the company, then the emphasis should lean more toward accepting vulnerabilities in their systems. They can't, or at least shouldn't, decide to do nothing in the security space, but the consequences of having a weak security program are certainly less than in a more target-rich environment.

Professionals who take money from someone for performing a job in a security-related field, regardless of title, have a responsibility to do everything they can to protect that entity. This starts with finding out just how vulnerable that entity is and figuring out how much that matters. Each industry is different, and even within the same industry, tolerances for loss or disruption vary. Taking that initial temperature is key, but if you are in charge of a security function, your job is also to lead. That means recommending either an increase or a decrease in effort. It is rarely the latter, but in the unlikely event that I found a company that was spending at the level of a premier bank, yet did nothing to justify that level of spend, it would be my responsibility to reduce the expense to a sane level. The job is to protect the company from loss, and loss can occur through over-investment just as it can through under-investment. If you don't want the responsibility for finding that balance, don't go after the big chair.

To further complicate matters, companies have an opinion about who they want in that big chair. You may be the one person able to do a specific job better than anyone else in the world, yet if your resume describes you as a security professional, and the company thinks they need someone who leans more toward risk management, you won't even be considered. So how should we market ourselves? Unfortunately, I don't have the answer. My opinion is that you first need to decide what job you want. Be honest with yourself about your skills and abilities. Decide if you prefer compliance activities over spending time on CSIRT calls. Then you need to build two resumes, one that stresses your security credentials and one that emphasizes your understanding of risk management. Either way, make sure to also stress your business acumen, since the other popular stereotype is that we don't understand the business of business.

That was very helpful, Paul. :)

Maybe I can help, as my job requires me to cross company silos quite often. First, the Board of Directors is charged with enterprise risk management (ERM). Cyber is part of ERM. The CISO is a security officer, ideally reporting in very plain English, non-tech speak, to the board quarterly on the Company's cybersecurity posture. The CISO reports the good, the bad, the ugly and all in between, including his needs from both a hardware and human resource perspective. If there is candor and intelligent conversation prior, risk management is involved (or strategic risk management is involved) to assess, given any potential risk, whether an insurance solution is available to transfer some of the risk to a carrier for a fair premium. This is based upon risk tolerances set by the board. These are three different jobs related to the same problem -- how best to protect the company from the physical and financial consequences of a cyber attack.

More articles by Scott McCoy