This one is about cloud computing and security, and makes a few cute points about security in general.

Given the emphasis in the RMF to promote the concept of near real-time risk management, Federal Agencies will need to become more effective on how to manage their information system-related security risks.  In my observations over the past decade, there have been significant changes in the Federal Government's approach to integrating security into the SDLC.  However, in most agencies there still remains a significant gap in proper use of Risk Management methodologies (i.e., applied at the top-level managing strategic risks and those used by individuals managing IT projects which seeks to manage tactical risks).  Without bridging the gap, information security risks identified and prioritized by federal agencies at the various organizational-levels will vary differently, making it more difficult to fully integrate security into an Organization- or Enterprise-Wide Risk Management approach.

The lack of proper Risk Management knowledge (both top-down and bottom-up) prevents the true adoption of a cost-centric Risk Management approach.  Organization must seek to integrate security at multiple organizational tiers (as depicted in NIST SP 800-37, Rev. 1 - Figure 2-1): Organizational Level Mission/Business Process Level, and Information System Level.  The integration of security risk management is not just cataloging the types of risks (human, natural, or environmental) identified through a NIST 800-30 risk identification model, but instead requires a broader viewpoint of security-related risk to ensure the risk strategy established by the senior leadership can be used to manage the risks at the strategic level.   Additionally, agencies need to have a mature process to prioritize security risks within each information system supporting the business/mission.  A mature risk prioritization process starts with developing a consensus between the various levels of the organization, thereby using the risk prioritizes to drive investment in mitigations based on a mission-oriented and business-oriented focus.

Therefore, NIST should place emphasis on their Phase I FISMA Implementation Scheduled (http://csrc.nist.gov/groups/SMA/fisma/documents/milestone-schedule-v43.pdf) to make a change in the date of the Risk Assessment Guide (NIST 800-30, Rev. 1) to an earlier date that would coincide with the publication of NIST SP 800-39 (“Integrating Enterprise-Wide Risk Management: Organization, Mission, and Information System View”).  Without an adequately skilled workforce that understands how to effectively identify, prioritize and communicate risks, agencies will not be able to determine which risks exceed the organization’s threshold for risk acceptance.

There are several instances in NIST 800-53 that focus on risk as a tool for managing the implementation of security controls.  However, most security professional supporting agencies are not properly trained to adequately present risk.  Risk is not always used to make the decision of how to prioritize the mitigations associated with weaknesses or deficiencies.  Information security professional tend to present a horizontal picture (or tactical viewpoint) to Authorizing Officials rather than from a holistic picture from a Risk Executive (a group or individual prioritizes risk based on the organizations strategic viewpoint).  The lack of proper risk professionals that can bridge the gap will never allow organization's to fully satisfy the Risk Executive (Function) as defined in the NIST SP 800-37, Rev. 1 - Roles and Responsibilities.  Until there are well-trained risk management professionals that can bridge the gap, organizations will continue to operate under two approaches to risk management (strategic and tactical).

• Quantitative versus qualitative risk analysis - the pros and cons of each, and innumerable associated methods, tools and techniques 
• Risk-based versus experience and good practice-based security investment decisions
• Risk- or experience-based versus compliance-based decisions
• All of the above versus risk-based standards such as ISO27k
• The futility of any form of information security risk analysis if management can undermine any argument versus the need for us to be "risk-focused", for various reasons expressed with varying degrees of hand-waving

This afternoon, I'm contemplating a different argument, the contrast between what general business and financial managers think of "risk" versus what it means to CISSPs.  For management, risk is something to be embraced and exploited, where appropriate, because risk brings opportunity.  For CISSPs, risk is something to be avoided, controlled/mitigated or transferred because it is BAD.  We're worlds apart.

So, how about we turn our argument on its head: instead of asking "How can we best minimize information security risk X?", ask "How much information security risk X can the organization stand before it becomes intolerable?" or, for kicks, "How lucky do you feel?".  I find this kind of approach quite liberating, in a funny sort of way, a bit like extreme sports.  Extreme CISSPs deliberately take chances and enjoy the thrill that entails.  I'm not talking about being totally reckless - we're still CISSPs at heart, so we understand the value of contingency measures - but knowingly pushing the boundaries where appropriate, in the full knowledge that some of our risk-taking will fail (just as it will even if we are ultra-conservative!).  The key to success, as in extreme sports, is to know when to stop the game, but the difference with this approach compared to the usual risk-averse-verging-on-paranoid traditional play is that we are not automatically saying "No!" to everything, so if and when we do actually say "No!", it inevitably has more impact. 

Taking this a step further, it is fascinating to discuss such an approach with management, particularly as they have more at stake being the information asset owners, accountable for their protection and exploitation.  It may be counterintuitive, but I suspect a CISO who asks "How much information security can we do without?" stands just as good a chance of getting the funding she needs for critical projects as her more traditional peers - but with a very definite additional advantage, namely the genuine management support that we stick-in-the-muds so often lack.

It's not directly about security, but the fact that it seems to be striking a chord with so many security bloggers and microbloggers is significant.

The article's closing words about the ways in which management may unwittingly demotivate staff are applicable to many, many people who aren't security professionals, of course:

"Many companies treat employees as disposable...

...Employees generally receive inadequate recognition and reward: About half of the workers in our surveys report receiving little or no credit, and almost two-thirds say management is much more likely to criticize them for poor performance than praise them for good work.

...Excessive levels of required approvals, endless paperwork, insufficient training, failure to communicate, infrequent delegation of authority, and a lack of a credible vision contribute to employees' frustration."

However, the point about criticism and reward is particularly apposite in enterprises where security is regarded as a blockage and a cost centre rather than an enabler. As indeed it is, in cases where security overrides business needs because it's convenient to the IT team. In many more cases, though,  Security administrators become depressingly accustomed to being recognized as the scapegoat in the event of a security breach, but not as a facilitator of smooth business processes when they run securely and uneventfully.

Indeed, it can be even worse, as Professor Eugene Stafford has pointed out in "Spaf's first principle of security administration":

If you have responsibility for security, but have no authority to set rules or punish violators, your own role in the organization is to take the blame when something big goes wrong. (Practical Unix and Internet Security)

 As the authors of the Harvard article say "..there may be no single motivational tactic more powerful than freeing competent people to do their jobs as they see fit." However, a security autocracy is not always the best response to an evolving threatscape. In today's enterprise, competence entails seeing the whole business picture, not just the needs of a single team.

David Harley CISSP FBCS CITP
ESET Research Fellow & Director of Malware Intelligence

Since the inception of the project a few months ago, I have tried to establish a site that seeks to demonstrate a broad view of the cyber security community from both the national and international perspectives.  As I look for new opportunities to represent content, I spend a great deal of time identifying mechanisms that best facilitate the information in an easy-to-navigate manner.

Major features include:
- Shared Document Repository
- Top Sites Related to Cyber Security
- Security Content Automation Protocol (SCAP)
- Security Checklist Repository
- Security Tools
- Cyber Security Projects
- Cyber Security Videos
- Cyber Security News
- Cyber Security Related Tweets
- Cyber Security Jobs Posting
- Cyber Security Discussion Boards
- Cyber Security Directory Listings
- Cyber Security Articles

Additionally, within the Cyber Security Central Documentation Center, you will find valuable information relating to the cybersecuritycentral.com and other associated domains (fismacentral.com, diacapcentral.com, and cnsscentral.com), including policies, procedures, and other helpful information to better navigate and interact with the Cyber Security Central website.

If you have suggestion or recommendations for improving the site, please use the "General Comments" section of the Discussion Boards or contact me directly through the Contact Us form.

Finally, please visit the Cyber Security Central Documentation Center - New Features section for any major site update.