RiskLens Risk Science Director Dr. Jack Freund is just out with an article for Dark Reading, “Unreasonable Security Best Practices vs. Good Risk Management,” that, in a few choice words, takes down the whole mental structure of frameworks-first cybersecurity.
Jack starts with a story about a consulting assignment for a bank where “the security leader held the viewpoint that, eventually, the process would result in all of the controls in NIST SP 800-53 being implemented. As a result, the model they developed was designed to give good risk ratings when more controls were implemented and bad ratings when those controls were missing.
“This person is not alone in the belief that more controls equals less risk... So sure are we in the belief that we need more security that we tend to believe that only perfection will do. Security conferences are rife with these axioms, such as ‘we need to get it right every time; hackers only need to get it right once.’ Such views are pessimistic and dissuade business leaders from taking the actions they need to properly secure themselves. Why should they bother if they can't get it perfect?”
Jack, co-author with Jack Jones of the FAIR book, Measuring and Managing Information Risk, takes it from there to outline a “mature way to talk about cyber risk appetite” as a range of acceptable loss over time. If you’re in an organization still bent on letting the unreasonable perfect get in the way of the good, forward Jack’s article to your distribution list now.
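To make the contrast concrete, here is an added example (not from Jack’s article or from RiskLens) that scores the same scenario two ways: once with the catalogue-coverage model the article criticises, where the rating depends only on how many controls are implemented, and once with a simplified FAIR-style Monte Carlo that estimates annual loss from loss event frequency and loss magnitude and checks it against an appetite stated as a maximum acceptable loss per year. The thresholds, ranges and dollar figures are constructed for illustration, and the triangular-distribution sampling is a simplification of a full FAIR analysis.

```python
"""Controls-coverage rating vs. a loss-range appetite check (illustrative, constructed numbers)."""
import random


def controls_coverage_rating(implemented, catalog_size):
    """The pattern the article criticises: the rating is a function of catalogue coverage only."""
    if catalog_size <= 0:
        raise ValueError("catalog_size must be positive")
    coverage = implemented / catalog_size
    if coverage >= 0.9:
        return "good"
    if coverage >= 0.6:
        return "fair"
    return "poor"


def loss_exposure(lef_range, magnitude_range, trials=20000, seed=1):
    """Simplified FAIR-style simulation of annual loss.

    lef_range and magnitude_range are (low, most_likely, high) estimates for
    loss event frequency (events per year) and loss magnitude per event.
    Each trial draws both from a triangular distribution (an assumption made
    here for simplicity) and multiplies them to get one year's simulated loss.
    """
    rng = random.Random(seed)  # fixed seed so the results are reproducible
    losses = []
    for _ in range(trials):
        lef = rng.triangular(lef_range[0], lef_range[2], lef_range[1])
        magnitude = rng.triangular(magnitude_range[0], magnitude_range[2], magnitude_range[1])
        losses.append(lef * magnitude)
    return losses


def percentile(values, p):
    """Nearest-rank percentile of a list of numbers, p in [0, 1]."""
    ordered = sorted(values)
    idx = int(round(p * (len(ordered) - 1)))
    return ordered[max(0, min(idx, len(ordered) - 1))]


def within_appetite(losses, max_annual_loss, confidence=0.9):
    """True when the `confidence` percentile of simulated annual loss is at or below appetite."""
    return percentile(losses, confidence) <= max_annual_loss


def compare(implemented, catalog_size, lef_range, magnitude_range, max_annual_loss):
    """Report both views side by side so the disagreement between them is visible."""
    losses = loss_exposure(lef_range, magnitude_range)
    return {
        "coverage_rating": controls_coverage_rating(implemented, catalog_size),
        "p90_annual_loss": percentile(losses, 0.9),
        "within_appetite": within_appetite(losses, max_annual_loss),
    }


if __name__ == "__main__":
    # Constructed scenario A: 95% of a 300-control catalogue implemented, but the
    # one scenario that matters (say, an outage of a revenue system) is frequent
    # and expensive; appetite is $1M per year.
    print(compare(285, 300, (0.5, 1.0, 2.0), (200_000, 1_000_000, 5_000_000), 1_000_000))
    # Constructed scenario B: only 40% coverage, but the exposure is small;
    # appetite is $50k per year.
    print(compare(120, 300, (0.05, 0.1, 0.3), (20_000, 50_000, 150_000), 50_000))
```

Scenario A is rated “good” by coverage alone while its 90th-percentile annual loss sits well above the $1M appetite; scenario B is rated “poor” yet cannot exceed its appetite even in the worst sampled year. The point is the same one the article makes: control count is a proxy, and the appetite question can only be answered in terms of loss.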
Read “Unreasonable Security Best Practices vs. Good Risk Management” in Dark Reading.