I don’t like to pick bones with my fellow ISACAeans, but when I saw this in the Journal recently, I had to react. Can you pick out the problem?
IT enterprise security risk assessments are performed to allow organizations to assess, identify and modify their overall security posture and to enable security, operations, organizational management and other personnel to collaborate and view the entire organization from an attacker’s perspective. This process is required to obtain organizational management’s commitment to allocate resources and implement the appropriate security solutions.
Did you see it? You might want to check out my other quotes to see what has tripped my trigger in the past. Search for “quote of the weak” in the Search box in the upper right of the blog.
If you think you see the problem, leave me a comment. If no one sees it in a couple of days, I’ll give a hint.
P.S. No, it doesn’t have anything to do with nanny cameras, so don’t go there (U know who U R).
Update 1 – Hint
Think about this phrase:
“view the entire organization from an attacker’s perspective”
Update 2 – Conclusion
The issue that I noticed is that the entire risk assessment is from “the attacker’s perspective.” Since when are attackers the only factors that affect risk?
What about administrators who unknowingly misconfigure a shared drive or implement encryption in an insecure manner? What about a security administrator who disables antivirus software to load some hacking software, and then forgets to turn it back on?
What about a regular user who accidentally enters the wrong sales figure (two extra zeros) and no one notices?
What about acts of God? Can’t forget him.
Risk assessments must also include mistakes and disasters, not just attackers. Otherwise, organizations won’t be able to “assess, identify and modify their overall security posture.”
Update 3 – Accidental ignorant
I just read that ISACA calls a person who causes security and fraud violations or problems by mistake an “accidental ignorant,” a term I’ve never heard before, one that makes me chuckle. I guess that’s better than being a purposeful ignorant.