The bad news about Big Data: This business trend means enterprises now have more valuable information within their systems that must be protected.
The good news about Big Data: The analytics and business intelligence that come along with the trend can also be used to improve risk management within organizations.
The threat landscape for companies has changed in the past few years. “Script kiddies” out for fun have been replaced by better-organized hackers with agendas that involve financial damage. That has led corporate executives to ask more pointed questions about risk assessment and the impact on their businesses.
Those were some of the points brought up in a discussion on new directions and solutions in risk management during the recent Open Group Conference in Newport Beach, CA. Panelists included Jack Freund, PhD, the information security risk assessment manager at the Teachers Insurance and Annuity Association-College Retirement Equities Fund (TIAA-CREF); Jack Jones, principal of CXOWare and inventor of the Factor Analysis of Information Risk (FAIR) framework; and Jim Hietala, vice president of security for the Open Group.
The discussion was led by Dana Gardner, principal analyst at Interarbor Solutions.
The full discussion is available as a podcast (32:24).
Here are some excerpts:
Dana Gardner: Why is the issue of risk analysis so prominent now? What’s different from, say, five years ago?
Jack Jones: The information security industry has struggled with getting the attention of and support from management and businesses for a long time, and it has finally come around to the fact that the executives care about loss exposure — the likelihood of bad things happening and how bad those things are likely to be.
It’s only when we speak in those terms of risk that we make sense to those executives. And once we do that, we begin to gain some credibility and traction in terms of getting things done.
Gardner: So we really need to talk about this in the terms that a business executive would appreciate, not necessarily an IT executive.
Jones: Absolutely. They’re tired of hearing about vulnerabilities, hackers and that sort of thing. It’s only when we can talk in terms of the effect on the business that it makes sense to them.
Gardner: Jack Freund, I should also point out that you have more than 14 years in enterprise IT experience. You’re a visiting professor at DeVry University and you chair a risk-management subcommittee for ISACA. Do you agree?
Jack Freund: The problem that we have as a profession, and I think it’s a big problem, is that we have allowed ourselves to escape the natural trend that the other IT professionals have already taken.
There was a time, years ago, when you could code in the basement, and nobody cared much about what you were doing. But now, largely speaking, developers and systems administrators are very focused on meeting the goals of the organization.
Security has been allowed to miss that boat a little. We have been allowed to hide behind this aura of a protector and of an alerter of terrible things that could happen, without really tying ourselves to the problem that the organizations are facing and how we can help them succeed in what they’re doing.
Gardner: Jim Hietala, how do you see things that are different now than a few years ago when it comes to risk assessment?
Jim Hietala: There are certainly changes on the threat side of the landscape. Five years ago, you didn’t really have hacktivism or this notion of an advanced persistent threat. That highly skilled attacker taking aim at governments and large organizations didn’t really exist — or didn’t exist to the degree it does today. So that has changed.
You also have big changes to the IT platform landscape, all of which bring new risks that organizations need to really think about. The mobility trend, the cloud trend, the big-data trend that we are talking about today, all of those things bring new risk to the organization.
As Jack Jones mentioned, business executives don’t want to hear about, “I’ve got 15 vulnerabilities in the mobility part of my organization.” They want to understand what’s the risk of bad things happening because of mobility, what we’re doing about it, and what’s happening to risk over time.
So it’s a combination of changes in the threats and attackers, as well as just changes to the IT landscape, that we have to take a different look at how we measure and present risk to the business.
Gardner: Because we’re at a Big Data conference, do you share my perception, Jack Jones, that Big Data can be a source of risk and vulnerability, but also the analytics and the business intelligence tools that we’re employing with Big Data can be used to alert you to risks or provide a strong tool for better understanding your true risk setting or environment?
Jones: You are absolutely right. You think of Big Data and, by definition, it’s where your crown jewels, and everything that leads to crown jewels from an information perspective, are going to be found. It’s like one-stop shopping for the bad guy, if you want to look at it in that context. It definitely needs to be protected. The architecture surrounding it and its integration across a lot of different platforms and such can be leveraged and probably result in a complex landscape to try and secure.
There are a lot of ways into that data and such, but at least if you can leverage that same Big Data architecture it’s an approach to information security. With log data and other threat and vulnerability data and such, you should be able to make some significant gains in terms of how well-informed your analyses and your decisions are, based on that data.
Gardner: Jack Freund, do you share that? How does Big Data fit into your understanding of the evolving arena of risk assessment and analysis?
Freund: If we fast-forward it five years, and this is even true today, a lot of people on the cutting edge of Big Data will tell you the problem isn’t so much building everything together and figuring out what it can do. They are going to tell you that the problem is what we do once we figure out everything that we have. This is the problem that we have traditionally had on a much smaller scale in information security. When everything is important, nothing is important.
Gardner: To follow up on that, where do you see the gaps in risk analysis in large organizations? In other words, what parts of organizations aren’t being assessed for risk and should be?
Freund: The big problem that exists largely today in the way that risk assessments are done is the focus on labels. We want to quickly address the low, medium, and high things and know where they are. But the problem is that there are inherent problems in the way that we think about those labels, without doing any of the analysis legwork.