One of the things I haven’t talked too much about over the last year or so I’ve been writing these emails is risk assessments. Hopefully, just because I haven’t talked about them much hasn’t led you to believe I don’t think they’re important.
And, they’re firmly at the heart of the whole SABSA methodology, because you can’t deliver business-driven, risk-proportional security solutions without, well…understanding what the definition of “risk proportional” actually is.
Unfortunately, what I’ve generally found when working with people in their security programs – with or without SABSA as part of the mix – is how poorly understood, and, indeed, how poorly connected the concept of risk and risk management is for a lot of security programs.
At best, you kinda get a, “We have a team for that,” or, you might get people who have jumped into the Threat Modeling community with gusto, STRIDE-ing around the place with their misuse cases, card games and doing their best to identify all the threats they find, prioritize them, and mitigate them as best they can.
We’ll get to the TM issues later over the next few days, but right now, I want to come back to one of the biggest misconceptions I’ve ever seen about SABSA, which, since the whole Archistry Execution Framework™ and The Agile Security System™ are fundamentally either based on SABSA or about how you apply SABSA in practice, depending on how you see them, it means it applies to them as well.
That misconception is that for all SABSA’s talk about risk, it doesn’t include an approach for actually conducting a risk assessment, so you have to call out to some external method in order to perform the mechanics that tell you anything useful about what “risk proportional” is going to mean.
Um…thank you for playing, but…wrong answer.
If you remember in either Foundation or A1, there’s a slide that shows you the Architecture Framework’s primary matrix, a.k.a., “the Architecture Matrix”, and it’s shaded in 6 different colors to identify the “things” you’re actually doing when you create all of the artifacts and elements referenced in it.
Now, I know I dog the matrix pretty hard most of the time, and that’s true. But I never said it wasn’t useful. All I said was that it wasn’t the entirety of SABSA that people tend to think it is.
What the matrix is really for is finally revealed with this slide. If you only have the book, you’re a bit SOL because it’s not in there in graphical form, though the content is covered in the text. However, if you have either the Foundation F1 materials or the A1 materials, then you at least have the breakdown. In F1, it’s in the Time section (slide 278 or 302 in the 2 versions I used when I taught it), and in A1, it’s right at the beginning of Section 1 (slide 30 for me).
The breakdown of what you get if you follow the method is:
- The assets at risk,
- The risks themselves,
- The factors affecting risk,
- Your control and enablement targets,
- Your risk treatment solution blueprint, and
- The overall risk management process that ensure’s they’re all connected.
Now, if that doesn’t equate to your definition of a risk assessment – at least on some level – then, friend, we need to have a serious talk.
Which is why that the upcoming May issue of Archistry’s paid, print Security Sanity™ newsletter is going to peek under the covers of how risk assessment fits in to the overall creation, implementation and operation of the security architecture underpinning the effective security program.
If you attended my 2018 COSAC presentation, you may remember I had some things to say on the topic, so you might’ve already seen some of what I’m going to cover—however, I’m not really sure, because I only have the slides, and almost 2 years later, I have no idea what I actually said. That being the case, if you saw the talk and you’re not already a subscriber, you’ll need to make the call to see if it’s going to be worth it to see it in print vs. on the screen in 2018.
If you’d like to do a better job integrating risk into your (cyber) security program and just don’t know how – or you’re not happy with your current approach – then this one’s for you.
To subscribe before the issue deadline of the 30th of April, you’ll need to use this link:
Andrew S. Townley
Archistry Chief Executive