Yeah But… So What?
I’ve found several strange by-products as I’ve been evolving my risk analysis dogma. I’ve found that I’ve been challenging the traditional security dogma a whole lot more by asking “yeah but… so what?” I think this shift in my approach is best summed up by the first slide Jack Jones presented in FAIR training: “management doesn’t care about security, they care about risk.” Meaning that talking in terms of vulnerabilities found, or what-if cases of just bad security, is largely irrelevant. Whether we realize it or not, decision makers must translate that security message into a risk message because that’s what they care about. And that’s where the disconnect occurs: the security geeks are flailing around about bad security and the decision makers are not seeing the correlation to risk.
I feel quite fortunate that I have a guy in my leadership chain that provides instantaneous feedback on which side I’m speaking on. His feedback is through subtle body language. If I slip into talking about bad security, he’ll lean back or check papers in front of him, perhaps look around. He’ll pretty much do anything except look like he cares. Now if I start talking in terms of probabilities, loss amounts or tangible business loss scenarios his eyes are front and center. It’s a nice feedback mechanism.
Even though the catchy phrase came from FAIR, it’s not an exclusive FAIR approach (though it lends itself beautifully to it); this is a universal perspective we need to adopt. Even if the assessment is putting likelihood and impact on a high/medium/low scale, if the loss is not a tangible loss it’s probably projecting FUD. Let me walk through an example:
The “What-If” Stolen Laptop
Here’s the scenario: a single-task tablet PC in a public (controlled) area. Not very specific, but this is how it was presented to me. The person presenting this to me was biased towards saying “no” to this new business project based on security. So the case for “no” was laid out: it was in a region with higher than average theft rates; if stolen, a skilled attacker could bypass multiple layers of controls and gain privileged information, possibly leading to a leap-frog attack back into our own network.
My first approach was to point out that the probability of these independent events all occurring is multiplicative but that punch failed to land. So I went with it and said, “let’s assume all that lines up… So What?”
“so they could get into critical system X”
“Okay, but so what?”
“so they could access confidential data”
“okay, but so what?”
You can see the pattern here and where I was heading. After quite a few rounds I had my traditional security thinker shifting his focus from thinking in terms of the security impact to business impact: costs of customer notifications, credit monitoring, etc. Using a white board and jotting down some wild guesses, we tossed out a range of really bloated, bad-case dollar figures to try and convert the event to a comparable unit. It was fairly obvious that even if there was a loss event, our bad-case figures weren’t scary enough to run Chicken Little style through the halls. But the shift we made here was to talk about this “bad” thing in terms of business risk and not bad security.
What if we stopped before putting dollar figures on it? Let’s take credit monitoring. If we presented that we’d have to offer credit monitoring for some quantity of customers, that still requires translation into risk. How much can we get a bulk purchase of credit monitoring for? What is the adoption rate by customers of the offer? Answering these questions not only gives the decision makers a better understanding of security risks but also gives the security practitioner an understanding of the business.
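The white-board exercise above can be written down as a small model so the “so what” chain produces a dollar figure instead of a feeling. This is an added example, not code or numbers from the original post: every probability, customer count and unit cost below is a constructed placeholder. It applies the post’s two points directly: the attack chain only pays off if every independent step succeeds (so the step probabilities multiply), and the loss side is the notification cost plus credit monitoring at a bulk price times the customer adoption rate. It goes one step beyond the post by folding in an assumed annual theft frequency to get an annualized figure, which is the comparable unit a decision maker can weigh against the project’s value.

```python
# Added example (not from the original post). All inputs are constructed
# placeholders; replace them with the figures from your own white board.
from dataclasses import dataclass


@dataclass(frozen=True)
class LossComponent:
    """One line item of the loss magnitude, costed per affected customer."""
    name: str
    unit_cost: float   # dollars per customer (e.g. bulk credit-monitoring price)
    rate: float        # fraction of customers it applies to (e.g. adoption rate)


def chain_probability(steps):
    """Probability that every step of the attack chain occurs.

    'steps' maps a step name to its probability. The steps are treated as
    independent, so the chain probability is their product, which is the
    'multiplicative' argument from the post: each added step shrinks it.
    """
    p = 1.0
    for name, prob in steps.items():
        if not 0.0 <= prob <= 1.0:
            raise ValueError(f"{name}: probability {prob} is outside [0, 1]")
        p *= prob
    return p


def loss_magnitude(customers, components):
    """Bad-case dollar loss for a single event.

    Each component contributes customers * rate * unit_cost. Returns the
    total and a per-component breakdown so the figure can be explained.
    """
    breakdown = {c.name: customers * c.rate * c.unit_cost for c in components}
    return sum(breakdown.values()), breakdown


def annualized_loss(annual_theft_rate, steps, customers, components):
    """Annualized loss: theft frequency per year, times the chance the whole
    chain then succeeds, times the bad-case loss magnitude (an assumed
    simplification of a FAIR-style frequency x magnitude calculation)."""
    magnitude, _ = loss_magnitude(customers, components)
    return annual_theft_rate * chain_probability(steps) * magnitude


# Constructed scenario for the stolen single-task tablet.
STEPS = {
    "tablet is stolen and not recovered": 1.0,   # given a theft, by definition
    "attacker bypasses boot / disk controls": 0.2,
    "attacker extracts working credentials": 0.5,
    "credentials reach critical system X": 0.1,
    "confidential customer data is accessed": 0.5,
}
ANNUAL_THEFT_RATE = 0.5        # assumed: one theft every two years in that region
CUSTOMERS = 50_000             # assumed: records reachable through system X
COMPONENTS = [
    LossComponent("customer notification", unit_cost=2.0, rate=1.0),
    LossComponent("credit monitoring (bulk)", unit_cost=10.0, rate=0.3),
]


def report(annual_theft_rate=ANNUAL_THEFT_RATE, steps=STEPS,
           customers=CUSTOMERS, components=COMPONENTS):
    """Return the numbers a decision maker actually asks for, as a dict."""
    magnitude, breakdown = loss_magnitude(customers, components)
    return {
        "chain_probability": chain_probability(steps),
        "bad_case_loss": magnitude,
        "breakdown": breakdown,
        "annualized_loss": annualized_loss(annual_theft_rate, steps,
                                           customers, components),
    }


if __name__ == "__main__":
    r = report()
    print(f"P(whole chain | theft) = {r['chain_probability']:.4f}")
    for name, dollars in r["breakdown"].items():
        print(f"  {name:<28} ${dollars:>12,.0f}")
    print(f"bad-case loss per event  ${r['bad_case_loss']:>12,.0f}")
    print(f"annualized loss          ${r['annualized_loss']:>12,.0f}")
```

With the placeholder inputs the chain probability comes out at 0.005 and the bad-case loss at $250,000, so the annualized figure is in the hundreds of dollars. The point of the exercise is not those numbers but that the breakdown makes each input (bulk price, adoption rate, a step’s probability) something the business can argue about and refine, which is the conversation the post is asking for.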
Knife to a Gunfight
I think this is the type of thing that drives me crazy about discussing security with some “traditional” pentesters and uninitiated auditors. The word “fail” is tossed around way too easily. Even though it’s fun to slap “FAIL” on things, there is no fail, only more or less probable loss, and weak or missing controls do not a loss event make. The point is this: we cannot bring a knife to a gunfight. Wait, let me restate that: we can’t bring security to a risk discussion. We have to start asking ourselves “so what,” determining what the real loss events are and, more importantly, what they mean to the business.