Business risk for security engineers

Collin Greene
May 2, 2017 · 6 min read

David Foster Wallace, 2005

In security, risk is that stuff all around us whether we realize it or not. This article is my take on how businesses think about risk and how that affects our domain of information security.

On day 1 hour 1 of my first security job I mainly cared how gnarly a given security bug I found was. The more complex and dangerous the better. On a good day I might have considered how the bug would affect the larger application I was auditing but not much beyond that.

In time my perspective broadened and I recognized that the root cause of insecurity is both technical and organizational.

We must ask what the engineering organization that built the software is optimizing for? Features, performance, cheap engineering talent, comprehensibility, security, are all competing concerns. Which prevails? The company that houses the engineering organization decides that. And the company makes makes those decisions based off what it sees as risks and opportunities.

So lets explore how and why companies make these business risk decisions.

Business risk

CEOs think of our security work as risk management.

From the perspective of a CEO your company faces many simultaneous risks — A fire in a manufacturing plant, a supplier going out of business, a boycott of your product or your mail spool being put on the internet must all be considered. Every risk carries a probability of happening and impact to the company.

CEOs have the difficult job of judging and prioritizing these risks, often with imperfect information. High-impact risks are called “risk factors” and are disclosed by public companies in their 10-K reports. Reading them as a security engineer illuminates what the company is most worried about, it is essentially a map.

Here is what Target reported after their breach in 2013

Here are some of Facebooks:

Pretty straightforward. Most 10-ks you have to read between the lines. What else is in here…

We can take Facebooks risks point by point and see why they need top notch security, comms and legal teams working on these issues.

Or look at this one:

This realization about the business shows why Facebook has the worlds best team at limiting spam and keeping users from being mean to one another. Users wont stick around when they have a miserable time.

Looking at Snaps S-1 filing

A security flaw that blinds someone is a bad thing.

Getting hacked: also bad.

From these 10-Ks we get a clear sense of the high-level business risks. Such risks can define both how we prioritize and tell the story of our work on the security team.

Example risk profiles

Companies are all different and thus their individual risks are all different as well. Lets think through the infosec risks of three theoretical businesses

SockCo. They sell socks online. Pretty standard company. Makes money from the 10% margin of buying socks wholesale and selling them online.

SockBook. A social network for sock lovers. Makes money from advertisers paying to show users ads as they talk about socks.

MtSox. An online cryptocurrency exchange. Makes a profit whenever trades happen and takes a cut. Holds the sockCoins on behalf of others like a bank.

The risk profiles of these companies are quite different.

SockCo risk profile — SockCo worries about consumer sock sentiment, fewer people buying socks, keeping good connections with sock factories, differentiating themselves from other sources of socks via unique design, cost, bad press harming sales, etc.

The infosec-related risks here are: That someone DoSses their website. That a bug in code harms the ability to order. That someone is phished and their corporate network is taken over for ransom. That credit card fraud levels rise to harmful levels.

SockCo getting hacked would be a bad day but it would probably not kill the company. Their 10-Ks risk factors would reflect this.

Sockbook risk profile — Sockbooks revenue is directly tied to the engagement of its users. So SB must not only protect itself as a business from infosec risk but it must engender a place users want to spend time, which means it protects user experience, no spam, no graphic images and nothing that would drive people away.

Sockbook getting hacked would also probably not end the company as it enjoys the network effect. This effect is an attribute of the business but shapes how to evaluate the risk of technical security issues. Spam and abuse become first-class problems in ways they wouldn’t be at another company.

MtSox risk profile — mtSox must care a lot about information security as it holds the precious sockCoins on behalf of its users. One security flaw allows sockCoin theft and the entire company sinks.

This is the very rare case of the venn diagram of “infosec risk” and “business risk” overlapping 100%. Credit to Ryan for observation. See his Blockchain graveyard for examples of bitcoin companies blowing up as the result of a security issue.

So every company in the world has its own unique risk profile. Even within companies different sections are more or less risky, its bad if someone hacks my gmail account but much worse if they control the autonomous car that is driving me.

Conclusion

Understanding business risk lets you make better local security decisions and tie your work to the larger risks of the business.

Different companies have different risks and tolerances for those risks. Infosec risk is one among many.

Risk can be ignored, transferred, reduced (mitigated) or eliminated (remediate). The correct answer to risk is not always to eliminate it and it is our job to know the appropriate action given the many variables.

The advice to the me of a decade ago is to set down vi, nmap and IDA for a moment to read a 10-k because to make the best tradeoffs when evaluating security we must understand vastly more than just security.

References

  1. Dan Geer recognized all this and explained it. In 2002. Of course.

Thanks to Ryan McGeehan and Sam Quigley

Collin Greene

Written by

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade