It always kinda surprises me when I meet a new security team, or even a new security professional, who balks at the notion that risk assessment is a core part of what they do. In some cases, this attitude is institutionalized as team dynamics, so that if the designated “risk team” gets even the slightest whiff that someone other than them are doing a “risk assessment” then the skies open and fire and brimstone start pelting the countryside.
Or, then there’s the harried, overworked SOC analyst who adamantly claims they don’t have time to do a risk assessment because they have all of this threat intelligence to classify.
Or, maybe it’s the security engineering team who waves you away because they’re too busy doing threat models of their latest DevOps iteration.
Hmmmm…..
Yeah. Ok.
The point is that risk assessments are done by everyone, every day of their life. They don’t have to be some sort of heavyweight process that takes weeks just to decide whether or not jaywalking across the street to get your Starbucks fix is a “safe enough” trade-off rather than walking 10 minutes out of your way, fidgeting with caffeine withdrawal jitters, so you can square-corner it and follow the rules to the letter.
Yes, it’s not “formal”, and no, you don’t have the documentation of what’s in your head at the time…
…but that doesn’t mean it’s not a risk assessment just the same.
Of course, that’s not good enough when you’re asked to prove your assessments because your findings are potentially going to send an organization of 30,000 people into a tizzy and drop a minimum of $5 million on mitigations. People want proof.
I get that, and I also agree with it.
That’s why our job as security architects needs to be to creating all the “tools” necessary in order to allow the busy people – including us – focus on the risk decisions we get paid to make…
…while at the same time minimizing – or even eliminating entirely – the rigorous work it takes to document, justify and communicate our rationale, findings and choice of mitigations.
How do we do that?
Yes, you, there in the back waving their hand so hard it’s likely to fall off your wrist. What do you think?
Correct.
It’s by having a clear, usable and well understood security architecture we can use as the foundation for anyone, anywhere in the security team, to make justifiable and accurate risk-based decisions as quickly as possible.
Funnily enough, if you have an architecture development method that’s so integrated with your risk assessment methodology that…
They. Are. The. Same…
…then it becomes shockingly easy to accomplish both things at the same time. All the information you need (or at least most of it), is there, ready to go. You do your thing, and then everyone else automatically gets the cumulative benefit – and ongoing adjustments and corrections – of your work.
It’s actually pretty cool, not to mention fantastically powerful.
And, unfortunately, seeing it in the wild is also nearly as rare as hen’s teeth. Because:
- people don’t build the right kinds of architecture (if they build them at all), and
- people think “risk assessment” is a dirty word, relegated solely to specialized teams, and who, in most cases aren’t “them.”
Now, maybe you don’t think this is a bad thing, and that’s ok. Everything’s a process, and, assuming you’re around long enough, you’ll get there too—or maybe you’ll decided you’d rather focus more on breaking things. It’s fine. We need people to do that too.
But, if you want to learn about the different ways risk assessment appears when you’re developing SABSA security architectures, that’s what I’m going to cover in the May print edition of the Security Sanity™ newsletter. It might not be physically delivered on time given the global logistics challenges, but you’ll still be given special access to it if required so you’re not waiting around forever to get your hands on the printed page.
The thing is, you’ll only get this issue if you’re subscribed by the deadline at the end of the month—just 8 days from now. And, unlike some of the other things I do, the price of this one is probably less than you’d ordinarily spend on your daily caffeine intake, so it’s not likely to break the bank.
To subscribe, just visit this link:
Stay safe,
ast
—
Andrew S. Townley
Archistry Chief Executive
