While preparing for a keynote talk at CAMP IT that is rapidly coming up I was struggling to find the main point of my talk. I had been puzzling for several weeks, asking myself what single message I wanted to leave my audience with. I’ve been speaking for some time now about information security and information risk management and have always provided my audiences with a “how-to” talk. So my main point has always been easy to consider, “Now that you know you have to perform a risk assessment, here’s how to do it.” I often provide very detailed instructions for conducting risk assessments and tell a few good stories about valuable insights and transformations that have happened with some of my clients when they actually follow through with these assessments. But this time it’s different.
CAMP IT’s President, Dan Horwich, asked me to present on a blog topic from HALOCK’S web site some time ago, and it’s not a cut-and-dried information security topic. In fact, it’s about 19th century train tracks. More specifically, it’s about how the inefficiency of U.S. train tracks in the 1860s reveals something about the character of American business that makes it so hard for us to get information security right today. There is something deeply embedded in our business culture that makes entrepreneurs and business managers do things in our own way. We are all unique – so our character dictates – and we therefore must manage our businesses as we see fit and without regard to how others conduct their business. In the 19th century this meant that local rail entrepreneurs built rail lines with a gauge (the distance between the rails) that they thought was best for them without a thought to a national standard. As a result, a train full of wheat that arrived at a junction in Topeka on one rail needed to wait for an empty train on an unmatched rail to carry the grain onward to St. Louis or beyond. If several interconnections were between the grain’s farmers and the final destination, there would be quite a bit of spoilage.
The reason why Dan requested this topic is that this is strikingly similar to what the industry is doing wrong in its business-to-business information security activities now. We each have developed our own information security practices without regard to what others are doing. Then when a client demands that we demonstrate our information security practices, they present us with a long questionnaire that describes their information security practices. The implication in this process is that if we don’t secure information the way they do, then we won’t receive their information. See? Like a train junction in 1860.
So what do we need to do to fix this inefficiency? Do we all go to one standard? I believe so, but two things about that standard may surprise you: 1) That standard already exists as a legal requirement, and 2) That standard is not a list of controls that we need to have in place, but is a process for overseeing information risk. And as long as we continue to avoid that information security standard we will continue to suffer those very frustrating inefficiencies.
Cutting to the chase, what is that information security standard? It is risk management. Simply, we need to select security standards that reduce our risks to a reasonable level and ensure that those controls are effective. Let’s be clear up front: our risks include breaches of information and systems as well as violations of laws, but how we address those risks should be based on what makes sense to each of us.
Now hold on just a moment, you might be saying, isn’t that just like the 19th century railroad problem; everyone doing their own thing? To a degree yes, but in substance, no. The laws and regulations for protecting personal information in particular, such as the HIPAA Security Rule, Massachusetts 201 CMR 17.00 and decisions by the Federal Trade Commission on appropriate protection of personal information all require that information security safeguards should be applicable to each organization’s risk. By law, we MUST be using the information security controls that make sense to each of us. But we gain commonality with our peer organizations when we communicate that we applied the safeguards that were reasonable to our risk.
What HIPAA, CMR 17.00 and the FTC requirements also require is that third parties who are contracted to handle personal information are to provide appropriate or reasonable controls. They do not tell us to force third parties to maintain controls that we design for them. And because each of these rules states clearly that organizations are to identify their own controls by way of a risk assessment, then so should the contracted third parties, right?
Consider our current process for ensuring the security of third parties in the diagram below (Scenario 1).
Scenario 1 shows a flow of conversation from government bodies to organizations, and then from one organization to another. Let’s say the regulation in this scenario is the Massachusetts statute 201 CMR 17.00 which requires organizations to protect the personal information of residents of the state. Organization A and Organization B are each subject to the law, which means both must put in place controls that are reasonable to protect the personal information, and according to their own risk.
So why, then, when Organization A contracts with Organization B do they tell Organization B that they must put in place a set of controls that Organization A deems fit for them? And why doesn’t Organization B straighten out their client Organization A and say, “We do our risk assessment, according to the same law you are held to and we see that our controls provide reasonable and appropriate security?” Scenario 2 below shows this more rational communication.
If you have been subject to the communication in Scenario 1 you know the painful inefficiencies and the sometimes not-so-honest responses that are provided between organizations. You may have also considered that the liability for Organization B increases if their responses to those security questionnaires are not honest. But you’ve also very likely seen that these conversations turn into negotiations in which security and compliance take a back seat and business timelines become paramount.
What is worth noting about the negotiations that take place in Scenario 1 is that the two organizations eventually do attempt a mission-based resolution in their own way. They are just doing it in a manner that does not satisfy the laws they are subject to, nor is there a conscientious attempt to arrive at a consistent “reasonable” or “appropriate” standard. Why not just each rely on the required risk assessment and risk management program so these mission-based safeguards are already established?
The second scenario provides Organization A with the ability to check with their third party contractors and to receive assurances that the organization was safeguarding information according to the law that they are both subject to. Also, the conversation between parties is much smoother than in the more common Scenario 1.
What about the honesty issue that we discussed in Scenario 1? Could it be that even in the second scenario that Organization B is not so honest? Sure. But in either scenario Organization A receives assurances from Organization B, and in both cases Organization A can choose to verify those responses if they choose to. But in the second case, Organization B is not forced to change their controls because an arbitrary rule was set for them by their client.
I occasionally receive the question, “But what about a SOC-2 report? Couldn’t I just get a SOC-2 assessment and be done with it?” Sure you could. And that would be terrific, especially if the auditor that assesses you understands risk assessments. Conducting periodic assessments of risk and applying safeguards that address those risks is required in the Trust Services Principles you’ll be demonstrating in order to achieve that SOC-2 report. So even in the case of achieving a SOC-2 report, you will find yourself assessing and managing risks.
There is a reason why risk management is our standard process for addressing information security and compliance requirements. Risk assessments and risk management are not just some arbitrary requirement set by rule-makers. They are critical business tools that help us think through why we are expending our valuable business resources on information security.
What is striking about organizations that adopt information risk management is that they come to understand that they are applying security controls in ways that matter to them. Security budgets start to open up because the risk assessment (when properly conducted) is based on the organization’s mission and their duty to their customers and clients. In this way, security expenditures are investments in the mission and the customers. It’s remarkable to see the transformation in security management after that realization is made. What is more remarkable is that the laws and regulations that require risk managed approaches to security help retain the entrepreneurial spirit of allowing us to do things our way, only through a required process of evaluating our duty of care.
So why don’t we communicate this way now, focusing on reasonable safeguards based on our risk? Why are we caught in the trap of Scenario 1? Simply because not enough of us are conducting information risk assessments the way our laws tell us to. How can we develop a common language that we ourselves do not speak?
To break down these barriers between organizations, and to create some commonality in our expectations for information security and compliance, we need to do the following things.
- We need to conduct risk assessments. These are not gap assessments with an arbitrary “High,” “Medium,” “Low” score attached to the gaps. These are honest-to-goodness, business-impact-based analyses of what would happen to an information asset if a foreseeable threat compromised it. And moreover, a repeatable calculation (such as Impact x Likelihood) to arrive at a risk score. And finally a proposed safeguard to reduce that impact and likelihood to something that is reasonable or appropriate to the risk and the organization’s ability to manage the risk. NIST Special Publications 800-30 and ISO 27005 are excellent examples of this simple approach.
- We need to be sure that the controls we have put in place are conscientiously assessed so that they provide management with confidence that the likelihood and impact of a threat is reasonable. We can kid ourselves about these things, but when we are codifying risk in a document such as a risk register, we are declaring our legal duty of care. If we are lying to ourselves in that document, that will come back to bite us hard when something does go wrong. By the way, fooling ourselves about our need to invest in security safeguards happens even without a risk assessment being performed.
- We need to educate our clients and external auditors about the standards that we are held to by law. We must help them understand that our risk assessments are our calculation of due care and our rationale for our safeguards, and that this is a legally required rationale for our security controls. And we must help external parties understand when their prescription for our controls actually increases our risks (which you can demonstrate with your risk assessment as well).
- We must be sure that the third parties that we contract with are conducting their risk assessments and managing controls that are reasonable and appropriate. In fact, we should start our audits of our third parties with the following question, “May I see your risk assessment so I understand the level of risk you are managing to?” We can also remind our contracted third parties that we will not demand that they implement controls that we design because that could cause them to redirect their security investments that may be better placed elsewhere.
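As an added illustration (not from the original post or from HALOCK) of the repeatable Impact x Likelihood calculation, the "reasonable residual risk" test, and the check for a client-prescribed control that leaves more risk than our own safeguard, the following uses constructed register entries; the 1-5 ordinal scales and the acceptance threshold are assumptions, not values from the post.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed organizational threshold: a risk score at or below this is treated
# as "reasonable" for the organization (a real value comes from management).
ACCEPTABLE_RISK = 6


@dataclass
class Risk:
    asset: str
    threat: str
    impact: int                 # assumed 1 (negligible) .. 5 (mission-threatening)
    likelihood: int             # assumed 1 (rare) .. 5 (expected)
    safeguard: str = ""         # proposed control; empty means none proposed yet
    residual_impact: Optional[int] = None
    residual_likelihood: Optional[int] = None

    def inherent(self) -> int:
        """Risk score before any proposed safeguard: Impact x Likelihood."""
        return self.impact * self.likelihood

    def residual(self) -> int:
        """Risk score after the proposed safeguard; unchanged if none is proposed."""
        if self.residual_impact is None or self.residual_likelihood is None:
            return self.inherent()
        return self.residual_impact * self.residual_likelihood

    def status(self) -> str:
        """Decision the register records: accept as-is, treat, or keep working."""
        if self.inherent() <= ACCEPTABLE_RISK:
            return "accept"
        if self.residual() <= ACCEPTABLE_RISK:
            return "treat"                  # safeguard brings risk to a reasonable level
        return "needs more treatment"       # an honest register says so, not "Low"


def evaluate(register: List[Risk]) -> Dict[str, str]:
    """Map each asset to its recorded decision, so the register is repeatable."""
    return {r.asset: r.status() for r in register}


def prescription_increases_risk(own: Risk, prescribed_impact: int, prescribed_likelihood: int) -> bool:
    """True when a control dictated by a client leaves more residual risk than our own safeguard."""
    return prescribed_impact * prescribed_likelihood > own.residual()


# Constructed sample register (not real client data).
SAMPLE_REGISTER = [
    Risk("Customer PII database", "unauthorized access via stolen credentials", 5, 4,
         "multi-factor authentication on all remote access", 5, 1),
    Risk("Public marketing site", "defacement", 2, 3),
    Risk("Offsite backup tapes", "loss in transit", 4, 3,
         "courier chain-of-custody only (no encryption)", 4, 2),
]
```

Running `evaluate(SAMPLE_REGISTER)` shows the tape risk still above the threshold even with the proposed safeguard, which is exactly the finding a gap assessment's arbitrary "Medium" would hide.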
So as I finalize my preparations for my CAMP IT presentation my one clear message will be this: We need a risk management tipping point in the U.S. We cannot realize the benefits of inter-organizational security exchange without a significant population taking part in these conversations. We already have many laws and regulations telling us to perform risk assessments, so our third parties will be satisfying their duty of care if they follow these laws and regulations. But we will only achieve that tipping point if we each commit to risk management as our own means for managing security and compliance, and as the primary way we engage in security conversations with other organizations.
Of Interest to Readers: I will be the Keynote Speaker at CAMP IT Conferences on June 20, 2013 in Rosemont, Illinois. I will be speaking on this and related issues. We’d love to see you there!