I don’t like to pick bones with my fellow ISACAeans, but when I saw this in the Journal recently, I had to react. Can you pick out the problem?
IT enterprise security risk assessments are performed to allow organizations to assess, identify and modify their overall security posture and to enable security, operations, organizational management and other personnel to collaborate and view the entire organization from an attacker’s perspective. This process is required to obtain organizational management’s commitment to allocate resources and implement the appropriate security solutions.
Did you see it? You might want to check out my other quotes to see what has tripped my trigger in the past. Search for “quote of the weak” in the Search box in the upper right of the blog.
If you think you see the problem, leave me a comment. If no one sees it in a couple of days, I’ll give a hint.
P.S. No, it doesn’t have anything to do with nanny cameras, so don’t go there (U know who U R).
Update 1 – Hint
Think about this phrase:
“view the entire organization from an attacker’s perspective”
Update 2 – Conclusion
The issue that I noticed is that the entire risk assessment is from “the attacker’s perspective.” Since when are attackers the only factors that affect risk?
What about administrators who unknowingly misconfigure a shared drive or implement encryption in an insecure manner? What about a security administrator who disables antivirus software to load some hacking software, and then forgets to turn it back on?
What about a regular user who accidentally enters the wrong sales figure (two extra zeros) and no one notices?
What about acts of God? Can’t forget him.
Risk assessments must also include mistakes and disasters, not just attackers. Otherwise, organizations won’t be able to “assess, identify and modify their overall security posture.”
Update 3 – Accidental ignorant
I just read that ISACA calls a person who causes security and fraud violations or problems by mistake an “accidental ignorant,” a term I’ve never heard before, one that makes me chuckle. I guess that’s better than being a purposeful ignorant.
You’ll find the phrase in the CISA manual (last bullet on page 354).
Stab in the dark. An attacker’s assessment of a firm’s security will differ from that of those responsible for defending against attacks. IT specialists will have to cover all bases, rather than one specific attack at a weaker area.
AuditMonkey,
That’s true, but not what I’m focusing on.
Think about what’s NOT in that statement…
There are two non sequiturs in there.
“IT enterprise security risk assessments are performed….view the entire organization from an attacker’s perspective”.
I would disagree, as the perspective when performing the risk assessment is from the firm’s point of view.
“This process is required to obtain organizational management’s commitment to allocate resources…” etc.
Again, it doesn’t follow that this process will be followed, and second, that it will result in the immediate allocation of resources.
Probably not the answer you are looking for but it’s Sunday and my day off!
AuditMonkey,
As you noted, several problems exist with this quote. Thanks for your input.