By Steve Bigelow, Features Writer
The business of security risk analysis can be difficult for solution providers. Proper communication is critical for understanding the client's unique needs. The analysis process also imposes potential liability that providers must be careful to address. Recruiting and maintaining a capable analytical staff continues to present serious hurdles. Recommendations for remediation must be approached in accordance with suitable ethical standards.
The first part of this Hot Spot Tutorial introduces the basic concepts, threats and essential elements of a security risk analysis. The second installment highlights some popular risk assessment tools, outlines the major elements of a report and offers best practices for solution providers. This final installment addresses the business issues of security risk analysis, including challenges, liability, staffing and remediation ethics.
Challenges of security risk analysis
While solution providers face their share of technological hurdles and business problems, perhaps the most formidable challenge lies in communication between providers and their clients -- knowing which questions to ask and how to elicit an honest response that minimizes individual agendas and bias. For a solution provider, the skills needed to understand a client are often more important than the deepest analytical tool.
"That is a certain art that many IT people absolutely do not possess," said Andrew Plato, president of Anitian Enterprise Security, a security solution provider in Beaverton, Ore. "How do we get people together and get the information that we need out of them so that we can give a truly objective analysis of this organization?"
Solution providers also walk the fine line of politics and executive malaise or resistance within each of their clients' organizations. Nobody wants to risk losing their job as a result of security flaws being exposed by a risk analysis. The truth can be traumatic and painful. "Executives prefer fluff and they like this long-winded, philosophically complex, conceptualizing thought-leadership nonsense," Plato said. "Truth is scary to a lot of executives." Solution providers need to be sensitive and diplomatic when presenting results to clients.
Security professionals also face the continuous challenge of education. This includes staying abreast of security trends, emerging threats and regulatory changes within each vertical market. Solution providers often provide security risk analysis across any vertical, thereby multiplying knowledge requirements -- a problem that translates directly into staffing.
"You have to hire a midrange or senior-level staff because you want to provide a seasoned resource to a customer," said Allen Zuk, senior consultant with GlassHouse Technologies Inc., an independent IT infrastructure consulting and services firm in Framingham, Mass. Zuk noted that hires also need periodic training to keep critical skill sets current.
Liabilities in security risk analysis
Solution providers in the security industry also need to protect themselves from the inevitable liability that accompanies the process and aftermath of security risk analysis. For example, security risk analysis can potentially disrupt the client's normal business operations if an analyst makes a mistake or encounters an unexpected error when deploying or using a tool.
"There is inherent risk in performing a risk assessment," Plato said. "When you start running scans and poking at machines, they can often reveal things, or they can fall over dead and stop working. And that presents some huge risk."
Other liabilities include making improper recommendations. For example, suppose that testing reveals an error in the firewall configuration, but the recommendations you make to address the oversight open another vulnerability that is later exploited (or interferes with other applications, causing unexpected downtime). Such errors can potentially expose you to liability. This is an area where knowledge of current security practices is an absolute necessity.
Omissions are another treacherous area for solution providers -- your failure to follow best practices in testing, conduct an appropriate suite of tests, identify existing risks or make the appropriate corrective recommendations can expose you to liability if security incidents occur later on. Suppose you fail to detect a vulnerability that is later exploited by a hacker. This failure may expose you to liability if you did not test for the vulnerability, used an inappropriate tool for testing or did not report and make recommendations to correct the vulnerability.
Ultimately, solution providers address liability concerns through client education, careful contractual wording and comprehensive insurance coverage. Clients typically do not understand the potential risks involved in a security analysis, so the early stages of any analysis project should include a frank discussion of risks, and the client must accept that the risks -- however small -- cannot be reduced to zero. Risk, duties, acceptance of liabilities and avenues of recourse are often outlined formally in the engagement contract between a solution provider and client. Contract preparation should be handled by counsel versed in technology service matters, with thorough expertise in "errors and omissions" and other liability.
Finally, a solution provider should obtain and maintain significant errors and omissions insurance to address settlements or judgments as a consequence of security risk analysis activities. "That's one of our biggest costs -- the errors and omissions insurance," said Wade Wyant, managing partner at ITS Partners LLC, a Symantec consultancy in Grand Rapids, Mich.
Educational requirements for security risk analysis
Solution providers need to hire and maintain a professional staff that will be assigned to conduct analysis testing, process the resulting data and make informed recommendations for remediation. Consequently, training and education are essential internal considerations that solution providers must continuously grapple with.
There are no formal accreditations available for security risk analysis, but training in security concepts and audit practice should be prerequisites for analysts. For example, CISSP (Certified Information System Security Professional) certification covers security practices, and CISA (Certified Information Systems Auditor) certification denotes the knowledge of proper audit practices in the IT industry. "Any decent-sized security risk analysis project should have a person with one or both of those certifications," Plato said.
There are other credentials worth considering, such as SANS certifications in topics like Web exploit testing, Web application testing and ethical hacking. CISM (Certified Information Security Manager) certification provides a foundation in business issues that can help the analyst better understand client needs and goals. A business degree is often a perfect complement to the CISM.
Solution providers expanding their existing staff should look for experience in addition to formal certifications. Credentials demonstrate a minimum level of knowledge, but potential hires should also be able to outline a resume of successful engagements and articulate solutions to the major challenges they faced. Also look for candidates with an analytical mindset, who are able to process large amounts of complex information and formulate constructive recommendations for clients.
Pricing and additional business opportunities
The cost of a security risk analysis can vary dramatically based on the project's size and complexity. "Companies need to accept that the more complicated your environment -- the more intricate your systems are, the more risks you have, the more regulations you're subject to -- the more expensive it is to get an assessment," Plato said. Consequently, it's important to perform an initial inspection of the client's site and discuss the project in detail before submitting a proposal and cost estimates. The proposal should clearly denote what will (and won't) be included in the analysis.
Any security risk analysis should conclude with recommendations for remediation, but just how that remediation is handled remains a matter of debate among technical professionals. At an absolute minimum, the remediation of issues uncovered during a security risk analysis should be treated as a separate project, and a client should be under no obligation to engage the same solution provider for remediation. At the extreme, a solution provider should purposely excuse themselves from the remediation process.
"Technically, audit standards dictate that the organization or person who conducts an assessment or an audit on your organization should not be the same person who does any of the remediation work," Plato said. Although there are no legal restrictions that prohibit such action, performance can be a concern. Plato pointed out that solution providers skilled at integrating products are not necessarily skilled at auditing, and solution providers skilled at auditing are not necessarily skilled at IT work. There are many exceptions, but only solution providers with notable expertise in both areas should even attempt to compete for remediation work. "You really have to re-win the business at that point," he said.
Solution providers with a smaller focus on analysis are less encumbered by audit standards. Wyant noted that security analysis is just one more step that can be conducted for ITS Partners' client base, which normally engages the firm for device management. "That's why we're not a pure security auditing company," Wyant said. "We're a device management company first and foremost." Still, it's not uncommon for Wyant's customers to assign analysis or remediation tasks to different solution providers depending on the situation.