Monday, 21 January 2013

Myth #7: A security review is just an audit

Here’s the thought process behind this myth: security is just risk management; risk management underpins compliance; compliance is driven by audit; audit is well understood.  There are many well defined and accepted audit methodologies for areas such as finance (SOX, SAS 70), process (COBIT) and security (ISO 27001).  Therefore any competent auditor, with an appropriate checklist should be able to perform a security review.

All risk management methodologies, whether qualitative or quantitative assume that risk is the product of impact (what will the loss be if the event occurs) and likelihood (how likely is the event).  Using this methodology events which are catastrophic but rare, and events which are insignificant but almost certain may both be labelled as medium risk.  And the beauty of medium risk events is that they are almost always accepted by the business.

The problem is that this analysis is fundamentally flawed when considering security.

The risk management methodology is designed for random and accidental events.  It is well understood how often buildings burn down.  It is well understood how long the average power failure will be.  This is true because actuaries have been recording tables of unlikely events for more than 100 years.  But IT security isn’t old enough as a discipline to have actuarial tables, which is exactly why you can’t buy anti-hacking insurance.

The insurers know something that businesses haven’t worked out yet.  Attackers completely control the likelihood.  If they have decided to attack, the likelihood is almost certain, no matter how it’s been assessed in a risk methodology.  Being hacked isn’t accidental and it isn’t random.  Remediation of all security vulnerabilities with high impact rather than just high risk is required to improve security.

But if you ask an experienced security specialist to undertake a security review with a current and appropriate checklist, and then you act on all the high impact findings, it’s plausible that you will be more secure.

Phil Kernick Chief Technology Officer