I hope readers got something from Part 1 of last week’s blog on risk. I can’t begin to emphasize enough how risk helps drive home the importance of information security (infosec), especially to those in charge. Before we address the remaining questions from last week, let’s talk a bit about some additional benefits of adopting a more formal approach to managing infosec risk.
Unless your organization has a chief risk officer (CRO) or a mature programmatic approach to managing risk, chances are good that risk is dealt with ad hoc. What's so bad about managing enterprise risk this way? While not intended to be a comprehensive list, here are some reasons why you might want a bit more form and structure.
One, consistency. In the context of infosec, it helps everyone involved understand how the organization will respond to risk. For example, your security team will determine how they respond based on the perceived risk. Perhaps with a low risk, they just make a note of the situation and share the info with their co-workers. In situations where the risk is felt to be very high, perhaps the chief information security officer (CISO) is notified immediately via text to communicate with management, etc.
Two, planning and efficient use of resources. Regardless of how an agency tracks (or doesn't track) resource usage, resources aren't infinite. This includes staff time and extends to opportunity costs. For instance, if your whole security team is assigned to work an investigation, then that is time lost from other efforts. Another way of looking at it is a cost/benefit analysis. Would you hire a third-party company to investigate security events at $400/hour? (This is not inflated – top tier security companies charge this kind of money.) If it is an event that appears to be a low risk (reminder: risk is the likelihood of something happening and what the impact would be if it did), then perhaps you wouldn't. If you know you have an intrusion and key public services aren't working, that's a different story.
These examples above lend themselves to our remaining questions from last week, which are:
- What is your agency’s sensitivity or tolerance towards risk?
- What are the agency’s thresholds for information security risk?
According to the Project Management Institute, risk tolerance is how much risk a person or organization can handle. Last week we talked about risk appetite and how government agencies tend to be very risk-averse, especially when an agency’s reputation is on the line. This was the biggest reason why every county that I know – mine included – was so focused on the 2020 election cycle. Significant resources were spent in preparing for and protecting the elections, especially the general election on Nov. 3. Additional security services were procured and implemented. My security operations (SecOps) team created and updated our election incident response playbooks all year. We also conducted multiple tabletop exercises throughout 2020, both technical and with our Recorder/Elections department. For the general election, we also requested assistance from other technology teams to monitor services and network performance so my SecOps team could focus more on social media monitoring.
Given the heated rhetoric around the 2020 election cycle, Maricopa County was already on high alert. But what also lowered our infosec risk tolerance level even further was what we observed earlier in the year. We had examples of attempted interference in the presidential preference as well as in the primary election. As a result of this additional insight we shared with management, our risk tolerance was lowered, given the increased likelihood of interference, coupled with an event that had the possibility of reflecting poorly on our agency.
There are many factors that will determine an agency’s tolerance to risk. It’s up to your infosec leadership (or your chief information officer/IT director, if you don’t have a CISO or equivalent) to help your agency management, board or council articulate their tolerance.
This brings us to our last question – What are your agency’s infosec risk thresholds? (Before we get too far down this last rabbit hole, if you need a primer on the concepts we’ve discussed – risk appetite, tolerance and threshold – please check out this page.)
If risk tolerance is how much risk a person or organization can handle, risk threshold is a detailed, quantifiable description of this tolerance. However, many government agencies have a hard time articulating this with any specificity. The most common way to do so is financially. For example, your agency may say that any infosec event that causes more than $50,000 in damages or loss of service will trigger the outsourcing of a third party to investigate and remediate the situation. In non-infosec terms, if you apply this concept to project management, a project risk threshold might be a project not being allowed to overrun the original budget by 20% or more. Perhaps if a project goes over this amount, it results in the project being canceled.
While money may be the clearest way to set direction, quantifying risk thresholds using factors other than money can be more challenging. How do you quantify reputation? Interestingly enough, there are tools and services that do exactly that. It's up to your organization to decide whether the cost of a tool or service is worth the benefit of quantifying risk based on more intangible variables, like reputation. In my experience, especially when you're beginning your risk journey, anything you do, as long as it's consistent and objective, is a sight better than winging it.
I hope that this conversation these past two weeks on risk gets you thinking about your agency’s risk posture, regardless of your organizational maturity!
Lester Godsey is the Chief Information Security and Privacy Officer for Maricopa County, Arizona, which is the fourth most populous county in the United States. With over 25 years of higher education and local government IT experience, Lester has spoken at local, state and national conferences on topics ranging from telecommunications to project management to cybersecurity and data. His current areas of professional interest center around IoT (Internet of Things) technology and data management and the juxtaposition of these disciplines with cybersecurity. You can follow Lester on LinkedIn.