Tag Archives: risk management

Developing Your Scan in Information Risk Management

Cockpit Scan

Learning to scan is one of the most important skills any pilot develops when learning to fly.  In flying, scan is the act of keeping your eyes moving in a methodical, systematic, and smooth way so that you take in information as efficiently as possible, while leaving yourself mental bandwidth for processing that information.

While flying the aircraft, as you look out across the horizon, your scan might start near the left of the horizon and scan across to the right.  Then, upon approaching the right of the horizon, you drop your eyes down a little bit and start scanning back right to left and pick up some instrument readings along the way.  As you approach the left side, you might drop your eyes a little again, change directions, scanning left to right again.  You might repeat this one more time and then finally return back to where you started.  Then do it again.

The exact pattern doesn’t matter, but having a pattern and method does.


One possible cockpit scan

At first, this is all easier said than done.  When you’re learning to fly, so much is uncertain.  You really don’t know much.  You want to lower your uncertainty.  There is a real tendency to want to know everything about everything.  But you’ll never know everything about everything.  Slowly, a budding pilot begins to learn that.

When I was learning to fly and while mistakenly trying to know every detail about every flight parameter, ironically I would end up (unhelpfully) having what I now call my “instrument of the day”.  I would get so focused on one thing, say the engine power setting, that I would disregard most of everything else.  (This is why there are instructor pilots.)  On the subsequent flight, the instrument might have been the altimeter where I’d be thinking, “By God, I’m going to hold 3,000 feet no matter what! I’m going to own this altitude!” Now the fact that I wasn’t watching anything else and we may have been slowing to stall speed was lost on me because I was so intent on complete knowledge of that one indicator or flight parameter.  (This is why there are instructor pilots.)

To develop an effective scan, you slowly learn that you can’t know everything.  You learn that you have to work with partial information.

You have to live with uncertainty in order to fly.  

By accepting partial information about many things and then slowly integrating that information through repetitive, ongoing scans, you gain what you need to fly competently and safely.  Conversely, if you focus solely on one or two parameters and really ‘know’ them, you’ve given up your ability to have some knowledge on the other things that you need to fly.  In my example above with engine power setting, I could ‘know’ the heck out of what that power setting was, but that told me nothing about my airspeed, altitude, turn rate, etc.  It doesn’t even tell me if I’m right side up. While we can’t know everything about everything, we do want to know a little bit about a lot of things.

“Scan” even becomes a noun.  “Develop your scan.”  “Get back to your scan.” “Don’t let your scan break down.”

Your flying becomes better as your scan becomes better.

After a while, that scan becomes second nature.  As a pilot gains in experience, the trick then becomes to keep your scan moving even when something interesting is happening, e.g. some indicator is starting to look abnormal (and you might be starting to get a little nervous).  You still want to keep your scan moving and not fixate on any one parameter —

Just because something bad is happening in one place does not mean that something bad (or worse) is not happening somewhere else.

The pilot’s scan objectives are:

  • Continually scan
  • Don’t get overly distracted when anomalies/potential problems appear — keep your scan moving 
  • Don’t fixate on any one parameter — force yourself to work with partial information on that parameter so that you have bandwidth to collect & integrate information from other parameters and other resources
  • If disrupting your scan is unavoidable, return to your scan as soon as possible

Maintaining Your Scan In Information Risk Management

This applies to Information Risk Management as well.  We want to continually review our information system health, status, and indicators. If an indicator starts to appear abnormal, we want to take note but continue our scan.  Again, just because an indicator appears abnormal doesn’t preclude there being a problem, possibly bigger, somewhere else.

An Information Risk Management ‘scan’ can be similar to a cockpit scan

A great example is the recent rise in two-pronged information attacks against industry and government.  Increasingly, sophisticated hackers are using an initial attack as a diversion and then launching a secondary attack while a company’s resources are distracted by the first attack.  A recent example of this sort of approach is when the Dutch bank, ING Group, had its online services disrupted by hackers, which was then followed by a phishing attack on ING banking customers.

This one-two punch is also an approach that we have seen terrorists use over the years where an initial bomb explosion is followed by a second bomb explosion in an attempt to target first-responders.

(As an aside, we know Boston Marathon-related phishing emails were received within minutes of news of the explosions.  I don’t know whether these were automated or manual phishing attacks, but either way, someone was waiting for disasters or other big news events to exploit or leverage.)

I believe that we will continue to see more of these combination attacks.  Further, it is likely that not just one, but rather multiple, incidents will serve as distractions while the real damage is being done elsewhere.

To address this, we must continue to develop and hone our scan skills.  We must:

  • Develop the maturity and confidence to operate with partial information
  • Practice our scan, our methodical and continual monitoring, so that it becomes second nature to us
  • Have the presence of mind and resilience to return to our scan if disrupted


Do you regularly review your risk posture? What techniques do you deploy in your scan? What are your indicators of a successful scan?


Password management in small & medium sized businesses

Poor password policies and management can be an Achilles heel for any business.  Making it more challenging for small and medium sized businesses is that they often cannot afford to implement or support full Identity and Access Management systems.  There is, however, some middle ground.

What Floyd the Barber knew about information risk management

The Mayberry Model

Watch the till and lock the door at night.  If you were opening a small business 30 years ago, your major security concerns were probably to keep an eye on the till (cash register) during the day and to lock the door at night.  It reminds me a little bit of the Andy Griffith Show, which ran in the 1960s, about a small fictional town called Mayberry RFD in North Carolina.  Mayberry enterprises included Floyd’s Barbershop, Emmett’s Fix-It Shop, and Foley’s Grocery.


Floyd didn’t need a risk management program, much less an IT risk management program, to run his business.  It was pretty easy to remember — watch the till and lock the door.  He could also easily describe and assign those tasks to someone else if he wasn’t available.  Further, it was fairly easy to watch the till:  Money was physical — paper or metal — and it was transferred to or from the cash drawer.  He knew everyone that came into his shop.  Same for Emmett and his Fix-It Shop.  Plus they had the added bonus of a pleasant bell ring whenever the cash drawer opened.  This leads us to the MISRMP (Mayberry Information Security & Risk Management Plan).


Mayberry Information Security and Risk Management Plan:

  • Watch the till 
  • Lock the door at night
  • Make sure the cash register bell is working

Today’s model

Fast forward to a small business today, however, and we have a different story.  Today, in our online stores selling products, services, or information, there is no physical till and probably little to no physical money.  There are online banks, credit cards, and PayPal accounts and we really don’t know where our money is.  We just hope we can get it when we need it.

There are not actual hands in the till nor warm bodies standing near the till when the cash drawer is opened. There is no soft bell ring to let us know the cash drawer just opened.  We don’t know the people in the store and they don’t go away when the front door is locked.  Our customers shop 24/7.

Further, instead of a till with a cash drawer, our businesses rely on very complex and interconnected equipment and systems — workstations, servers, routers, and cloud services — and we don’t have the time to stop and understand how all of this works because we’re busy running a business.  Floyd’s only piece of financial equipment was the cash register (and Emmett could fix that if it broke).

This new way of doing business has happened pretty fast. It is not possible to manage and control all the pieces that make up our financial transactions.  We also have a lot more financial transactions.  While the Internet has brought many more customers to our door, it has also brought many more criminals to our door.  Making the situation even more challenging, we largely don’t have the tools in place to manage our information risks.

Floyd the Barber

What Floyd knew (and we don’t): 

  • who his customers were (knew them by face and name)
  • what their intentions were (wanted to purchase a haircut or shave, or steal from the till)
  • where his money was (in the till, in the bank, or in his pocket while being transferred from the shop to the bank)
  • when business transactions occurred (9:00 – 5:00, but closed for lunch and closed on Sundays)
  • what was happening in his store after hours (nothing)

That is to say, Floyd had much less business uncertainty than we must contend with today.  He could handle most of his uncertainty by watching the till and locking the door at night.  Our small and medium sized businesses today, though, are much more complex, have much higher levels of uncertainty, and need to be risk-managed to allow us to operate and grow.

As Floyd managed his security and risk to operate a successful business, so must we — ours is just more complicated.

What are the 3 biggest IT & Information Management risks that you see affecting your business?


Where to begin with IT risk management

Starting an IT risk management program in the traditional sense appears daunting, and usually is, to a small or medium-sized business.  This is one of the reasons that they often don’t get started.  To make the insurmountable surmountable, start a simple risk register.  If you haven’t already, start one today.  Napkins, yellow legal pads, Moleskine notebooks, Evernote notes, etc. all work to start.

Starting and developing a risk register will:

  • increase your situational awareness of your environment
  • serve as the basis of a communication tool to others
  • demonstrate some intent and effort towards due care to auditors and regulators
  • provide the basis of future, more in-depth analysis (as resources allow)

The simplest risk register will have three columns — a simple risk description, a likelihood of the event happening, and the impact of it happening.  (Adding a fourth column that contains the date of when you added the risk can be helpful, but is not required).


Start with writing down the risks as soon as you think of them. If you haven’t done this before, several will probably pop into your head right off.  The act of writing something down is deceptively powerful. It makes you articulate the problem and maybe revisit a couple of your assumptions about the problem.  That said, don’t go nuts analyzing any particular risk when you start. Just get the core idea down, maybe something like, “PII loss resulting from laptop theft” or “reduced support effectiveness because of lack of BYOD policy.”

After you’ve got a dozen or so, take a break for now (you’ll add more later), and review the whole list.  Make two columns next to this list.  Label one column ‘probability’ and the other column ‘impact’.  Next to each risk, write down what you think the likelihood of that event occurring is — just High, Medium, or Low.  Nothing fancier than that.  Same thing with impact — how bad would it be if this event occurred?  What’s the impact?  Again, just High, Medium, or Low.

When you have a few minutes, you can structure this a little bit more by putting this in a table.  I like using PowerPoint or Keynote over Excel/Numbers for this stage.  By using PowerPoint’s cartoonish and colorful tables, I tend to stay oriented to the fact that I’ll be communicating these risks (or some of these risks) later on.  If I use Excel for this, I tend to get overly analytical and detailed.  It starts to become more of a math problem versus something that I will be communicating to others.
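The three-column register described above, carried into a few lines of code as an added illustration (this is example code written for this note, not a tool from the original post).  It keeps the same three columns plus the optional date column, rejects anything other than High/Medium/Low, orders the list so the risks worth talking about first float to the top, and counts how many risks land in each likelihood-by-impact cell, which is the raw material for the heat map promised later.  The 1/2/3 scoring and the likelihood-times-impact ordering are my assumptions, not something the post prescribes; the register entries are constructed for the example, with the first two descriptions taken from the text.

```python
"""Minimal risk register: three columns, High/Medium/Low, and a text heat map.

Added illustration for this post, not the author's own tool.  The scoring
(Low=1, Medium=2, High=3; priority = likelihood x impact) is an assumption
made for ordering only; the post itself asks for nothing beyond H/M/L.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

LEVELS = ("Low", "Medium", "High")
SCORE = {"Low": 1, "Medium": 2, "High": 3}


@dataclass
class Risk:
    description: str
    likelihood: str
    impact: str
    added: Optional[date] = None  # the optional fourth column from the post

    def __post_init__(self) -> None:
        # Keep the register honest: only the three agreed ratings are allowed.
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if value not in LEVELS:
                raise ValueError(f"{name} must be one of {LEVELS}, got {value!r}")

    @property
    def priority(self) -> int:
        """Likelihood x impact on a 1..9 scale, used only to order the list."""
        return SCORE[self.likelihood] * SCORE[self.impact]


def ranked(register: List[Risk]) -> List[Risk]:
    """Highest-priority risks first; ties keep the order they were written down."""
    return sorted(register, key=lambda r: r.priority, reverse=True)


def heat_map(register: List[Risk]) -> Counter:
    """Number of risks in each (likelihood, impact) cell."""
    return Counter((r.likelihood, r.impact) for r in register)


def render_heat_map(register: List[Risk]) -> str:
    """Plain-text grid: rows are likelihood (High at top), columns are impact."""
    counts = heat_map(register)
    header = "likelihood \\ impact " + " ".join(f"{lvl:>7}" for lvl in LEVELS)
    rows = [header]
    for lik in reversed(LEVELS):
        cells = " ".join(f"{counts[(lik, imp)]:>7}" for imp in LEVELS)
        rows.append(f"{lik:<19} {cells}")
    return "\n".join(rows)


# Constructed sample register (dates are placeholders, not real events).
REGISTER: List[Risk] = [
    Risk("PII loss resulting from laptop theft", "Medium", "High", date(2013, 1, 15)),
    Risk("Reduced support effectiveness because of lack of BYOD policy", "High", "Low"),
    Risk("Admin password to the web store shared among all staff", "High", "High"),
    Risk("Backup restore has never been tested", "Medium", "Medium"),
    Risk("Office flood damages the server closet", "Low", "High"),
]


def priorities(register: List[Risk]) -> List[Tuple[int, str]]:
    """(priority, description) pairs in ranked order; handy for a quick review."""
    return [(r.priority, r.description) for r in ranked(register)]


if __name__ == "__main__":
    for score, desc in priorities(REGISTER):
        print(f"{score:>2}  {desc}")
    print()
    print(render_heat_map(REGISTER))
```

The point of `ranked` and `render_heat_map` is the same one the post makes about PowerPoint versus Excel: they produce something you can glance at and talk about, not a spreadsheet to tune.  If the register grows to where the grid stops fitting on one screen, that is the signal to prune or split it rather than to add columns.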


Keep in mind that it is very easy to over-design beyond the point that is useful to you right now.  And you want it to be useful to you right now.  At this point, you are creating a simple document that informs you in that brief moment of time that you have to look at it.  You don’t want a document that taxes you right now.  It needs to give you a quick, easily digestible, and broad view of your risk picture.  If the document gets too complicated or goes into too much detail, you increase the likelihood that you won’t pick it up again tomorrow or in a week or in a month.

In an upcoming post, we’ll create a simple visualization tool, called a heat map, that can be very helpful in providing a profile of your risk picture.

Do you currently use a risk register now?  How did you create it?  How do you maintain it?

Companies in the long tail & information risk

I contend that at least half of the companies in the US and other industrialized countries are critically overexposed to IT & Information Management risk, and that this population of highly vulnerable companies is primarily composed of medium and small sized companies, aka SMEs (Small and Medium sized Enterprises).

The problem is that the techniques and approaches in the fairly fledgling field of IT risk management usually are developed from, or apply to, very large companies that differ significantly in scale from SMEs.

Often the IT risk management techniques envisioned for large companies don’t scale down to SMEs.  For SMEs, analytical data, staffing, and operational bandwidth are all in short supply.  Also, because of their smaller size, impacts such as total dollar loss from adverse information events (hacking, malware, fraud, etc.) are usually lower than those of large companies, and their compromises, breaches, and disclosures can be less newsworthy per event.  However, there are a large number of small and medium size companies.

It turns out that company sizes in industrial countries follow the Zipf distribution where a few very large companies coexist with a lot of much smaller companies.  This is a similar distribution to what Chris Anderson popularized in his Wired magazine article The Long Tail in 2004.  For example, Anderson talks about the record industry historically focusing on the revenue generated from hits (few in number but large in revenue) and missing the fact that there were many non-hit songs generating substantial revenue when viewed in aggregate.  Similarly, there are a few really big companies and a lot of smaller companies.   This high number of smaller companies (like the number of non-hit songs) is the part known as the long tail.  And this is the part suffering the overexposure to information risk because of a lack of tools, methods, and shared approaches between companies.


The challenge is that many of the information risk management techniques and processes used by the relatively few very big companies don’t work well for smaller companies.  This is due largely, but not entirely, to the resource constraints of smaller companies.  Staff in smaller companies frequently wear multiple hats and are eyeball-deep in sales, innovation, marketing, and infrastructure development; management of risk is often far down the priority list.

As a whole, we end up with part of the population, the few large companies, with reasonable IT risk management capabilities and the other part, the medium and small companies, with poor IT risk management capabilities.

For the sake of argument, say that half the working population is in the few very large companies and the other half is in the many small and medium size companies.  Oversimplifying a bit, this means that half of the working population is in companies able to manage risk and the other half is in companies that can’t.

What can be done to enhance the capability of that half that currently can’t manage information risk effectively (or at all)?  What can we do to provide small and medium sized companies risk management tools that are pragmatic and implementable?  We need techniques and mechanisms, and we need to share the lessons learned from performing risk management in small and medium sized companies.

Do you work in a small to medium sized company? How do you address IT risk management? What other reasons do you see for lack of IT risk management in medium and small sized companies?