The 2013 RSA Conference provides a terrific venue for industry leaders to share and communicate, but I couldn't help noticing a dramatic rise in interest in one topic: Risk Management. Over the past three RSA Conferences, I have seen our Risk Management seminar grow from a peer-to-peer session of 25 people two years ago to more than 800 people at this year's session, and with good reason.
The idea of risk management resonates deeply within the industry: both the need for it and the practice of it, and the desire to bind security, data analytics and the business together. The audience generated a well-rounded discussion around a number of pivotal questions: What does risk management mean to an organization? How does an organization measure success? How can an organization work more collaboratively to push back against threats?
Risk Management and the Business
As we in security continue to study and execute the science behind risk management, we understand more and more that it cannot be managed in a bubble. Risk management, to be truly effective, must move into the business. Ultimately, the security organization cannot accept the notion of an impenetrable or perfect system as a matter of doing business; the question is which risks to accept, reduce or transfer, and who owns that decision. By evangelizing risk management into the business, we create a new sense of priorities and responsibilities in which non-security and non-IT business users take ownership of risk management themselves.
When this occurs, we gain perspective on how other units respond to risk, including financial management and financial risk. Risk management no longer lives in a vacuum, and advocates begin to appear throughout the organization. These advocates expand the network of risk management and operate in a way that bolsters the organization's security posture. That was an important message from this year's RSA Conference.
How to Define Success
I received feedback from the floor that first agreed that this approach, getting closer to and working with the business and embedding risk within the business, is well-reasoned and fundamentally strong. But the individual followed up with a simple question: how do we measure our success?
Perhaps the simplest method is to count the number of people discussing risk within your organization. Within EMC, for example, risk was once only talked about within the office of the Chief Risk Officer, the Global Security Organization or IT. However, we decided that this conversation had to be more proactive and robust with other segments of the business. Through the creation of our Governance, Risk and Compliance Council, we now have risk being discussed at the executive level and at the committee level within each business unit, inside and outside of IT. Altogether, we now have nearly 200 people regularly talking about risk within EMC.
Yet successful risk management runs deeper, down to the behavioral level. We noticed that change had taken effect when business units began creating and reporting budgets to manage risk and secure their own systems, rather than expecting IT or a central fund to provide one. This told us that risk management had become a priority, in this case within our engineering teams. It is an encouraging sign to see parts of the business drive security themselves, and at EMC we have seen similar initiatives in many different business units.
It can be viewed as a push versus pull mentality. A centralized source, for example the security organization, can create a security budget for a business unit (push). When that business unit creates the budget itself (pull), real change begins to occur and a new internal mindset materializes. Security telling the business what to do is a bit like the tail wagging the dog; when the business embraces risk management as its own, the business leads and security supports it.
Working Together to Combat Threats
A collaborative effort in risk management fits the overall theme of the RSA Conference, "Security in Knowledge." The theme evokes the importance of security analytics and of combining knowledge with data. But how do we combine knowledge and data, and shape them so we can apply them to security? That is an important question as we piece together actionable data that serves our growing security efforts.
This brings us back to the imperative of information sharing. If we each act independently to secure ourselves against a known set of adversaries, then as an industry and as a community we all repeat the same effort. In that scenario, the adversary can feasibly attack multiple organizations with the same technique and succeed each time. Through security analytics with a sharing component, we can bind together as a community and make life much more difficult for the bad actors out there.
As we look at our own security data, we are getting more security events and information from more pieces of technology than ever before. We look at that data and establish a baseline of normal behavior, so that activity which deviates from it stands out and we can begin to anticipate what adversaries are doing. Separating their actions from normal behavior strengthens our ability to detect anomalies.
The better and faster we detect anomalies, the better we understand the threats we face and the more secure our organizations become. Once actionable intelligence comes out of that analysis, we can drive it back into the business and adjust our behaviors and our risk decisions accordingly.
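As an added illustration of the baseline-and-deviation idea described above (this is example code written for this page, not anything from EMC or RSA), the following Python builds a per-user baseline of failed-login counts per hour from a constructed log, then flags later hours whose count exceeds a robust threshold. The log lines, user names and the `5 * MAD` threshold are all assumptions chosen for the example; the floor on the spread handles the common edge case where a quiet user's baseline is almost all zeros, which would otherwise make any deviation look infinite.

```python
"""Baseline-and-deviation anomaly detection over constructed auth events.

Example code for illustration only. The log format "<hour> <user> <OK|FAIL>"
and the sample lines below are constructed, not captured from a real system.
"""
from collections import defaultdict
from statistics import median


def parse_line(line):
    """Parse one constructed log line into (hour, user, outcome)."""
    hour, user, outcome = line.split()
    return int(hour), user, outcome


def hourly_failures(events):
    """Count FAIL events per user per hour: {user: {hour: count}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for hour, user, outcome in events:
        if outcome == "FAIL":
            counts[user][hour] += 1
    return counts


def robust_threshold(values, k=5.0, floor=1.0):
    """Median + k * scaled MAD, with a floor on the spread.

    Median/MAD resist being skewed by a few noisy baseline hours. The floor
    keeps a near-zero baseline (MAD == 0) from producing a threshold that
    flags every single failure; k=5 is an assumed tuning value.
    """
    med = median(values)
    mad = median(abs(v - med) for v in values)
    return med + k * max(mad * 1.4826, floor)  # 1.4826 scales MAD to sigma


def find_anomalies(lines, baseline_hours, k=5.0, floor=1.0):
    """Return (user, hour, count, threshold) for hours above each user's baseline.

    Hours [0, baseline_hours) form the baseline; later hours are scored.
    Users unseen in the baseline get an all-zero baseline, so only the floor
    protects them: that is deliberate, as a brand-new account failing
    repeatedly is exactly what we want surfaced.
    """
    events = [parse_line(line) for line in lines]
    counts = hourly_failures(events)
    users = {user for _, user, _ in events}
    last_hour = max(hour for hour, _, _ in events)
    anomalies = []
    for user in sorted(users):
        per_hour = counts.get(user, {})
        baseline = [per_hour.get(h, 0) for h in range(baseline_hours)]
        threshold = robust_threshold(baseline, k, floor)
        for h in range(baseline_hours, last_hour + 1):
            count = per_hour.get(h, 0)
            if count > threshold:
                anomalies.append((user, h, count, threshold))
    return anomalies


def constructed_log():
    """Constructed sample: a 24-hour baseline followed by 4 observed hours."""
    lines = []
    for h in range(24):  # routine successful logins in the baseline window
        lines.append(f"{h} alice OK")
        lines.append(f"{h} bob OK")
    for h, n in [(3, 1), (9, 2), (14, 1), (20, 1)]:  # alice's normal typos
        lines += [f"{h} alice FAIL"] * n
    lines.append("5 bob FAIL")
    lines += ["26 alice FAIL"] * 12  # burst of failures against alice
    lines += ["25 bob FAIL", "27 carol OK"]
    lines += ["27 carol FAIL"] * 6  # new account, never seen in baseline
    return lines


if __name__ == "__main__":
    for user, hour, count, threshold in find_anomalies(constructed_log(), 24):
        print(f"{user}: hour {hour} had {count} failures (threshold {threshold:.1f})")
```

Running it flags alice at hour 26 and carol at hour 27, while bob's single failure at hour 25 stays below his threshold. In practice the baseline window would be days or weeks rather than 24 hours, and the flagged (user, hour) pairs would be joined with other sources before being treated as actionable intelligence.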
Risk management, cooperative behaviors and analytical tools were a central focus at the RSA Conference. Together, they offer game-changing opportunities from a defensive point of view and could spark new, innovative practices and theories that advance security well into the future.
To learn more from the 2013 RSA Conference, I recommend viewing this year’s keynote addresses, including one delivered by Arthur Coviello, Executive Chairman of RSA, titled “Big Data Redefines Security” which you can watch here.