Business risk for security engineers

There are these two young fish swimming along and they happen to meet an older fish swimming the other way who nods at them and says “morning boys, hows the water?”

And the two young fish swim on for a bit and eventually one of them looks over at the other and goes, “what the hell is water?”

David Foster Wallace, 2005

In security, risk is that stuff all around us whether we realize it or not. This article is my take on how businesses think about risk and how that affects our domain of information security.

On day 1 hour 1 of my first security job I mainly cared how gnarly a given security bug I found was. The more complex and dangerous the better. On a good day I might have considered how the bug would affect the larger application I was auditing but not much beyond that.

In time my perspective broadened and I recognized that the root cause of insecurity is both technical and organizational.

We must ask what the engineering organization that built the software is optimizing for? Features, performance, cheap engineering talent, comprehensibility, security, are all competing concerns. Which prevails? The company that houses the engineering organization decides that. And the company makes makes those decisions based off what it sees as risks and opportunities.

So lets explore how and why companies make these business risk decisions.

CEOs think of our security work as risk management.

From the perspective of a CEO your company faces many simultaneous risks — A fire in a manufacturing plant, a supplier going out of business, a boycott of your product or your mail spool being put on the internet must all be considered. Every risk carries a probability of happening and impact to the company.

CEOs have the difficult job of judging and prioritizing these risks, often with imperfect information. High-impact risks are called “risk factors” and are disclosed by public companies in their 10-K reports. Reading them as a security engineer illuminates what the company is most worried about, it is essentially a map.

Here is what Target reported after their breach in 2013

The data breach we experienced in 2013 has resulted in government inquiries and private litigation, and if our efforts to protect the security of information about our guests and team members are unsuccessful, future issues may result in additional costly government enforcement actions and private litigation and our sales and reputation could suffer.

Here are some of Facebooks:

Security breaches and improper access to or disclosure of our data or user data, or other hacking and phishing attacks on our systems, could harm our reputation and adversely affect our business.

Pretty straightforward. Most 10-ks you have to read between the lines. What else is in here…

If we are not able to maintain and enhance our brand…our business and financial results may be harmed.

Our business is subject to complex and evolving U.S. and foreign laws and regulations regarding privacy, data protection…otherwise harm our business.

Our products and internal systems rely on software that is highly technical, and if it contains undetected errors or vulnerabilities, our business could be adversely affected.

We can take Facebooks risks point by point and see why they need top notch security, comms and legal teams working on these issues.

Or look at this one:

The size of our user base and our users’ level of engagement are critical to our success.

This realization about the business shows why Facebook has the worlds best team at limiting spam and keeping users from being mean to one another. Users wont stick around when they have a miserable time.

Looking at Snaps S-1 filing

Our products are highly technical and…may contain undetected software bugs, security vulnerabilities…Spectacles, as an eyewear product, is regulated by the U.S. Food and Drug Administration, or the FDA, and may malfunction in a way that physically harms a user.

A security flaw that blinds someone is a bad thing.

If our security is compromised … our users, advertisers, and partners may cut back on or stop using our products and services altogether, which could seriously harm our business.

Getting hacked: also bad.

From these 10-Ks we get a clear sense of the high-level business risks. Such risks can define both how we prioritize and tell the story of our work on the security team.

Companies are all different and thus their individual risks are all different as well. Lets think through the infosec risks of three theoretical businesses

SockCo. They sell socks online. Pretty standard company. Makes money from the 10% margin of buying socks wholesale and selling them online.

SockBook. A social network for sock lovers. Makes money from advertisers paying to show users ads as they talk about socks.

MtSox. An online cryptocurrency exchange. Makes a profit whenever trades happen and takes a cut. Holds the sockCoins on behalf of others like a bank.

The risk profiles of these companies are quite different.

SockCo risk profile — SockCo worries about consumer sock sentiment, fewer people buying socks, keeping good connections with sock factories, differentiating themselves from other sources of socks via unique design, cost, bad press harming sales, etc.

The infosec-related risks here are: That someone DoSses their website. That a bug in code harms the ability to order. That someone is phished and their corporate network is taken over for ransom. That credit card fraud levels rise to harmful levels.

SockCo getting hacked would be a bad day but it would probably not kill the company. Their 10-Ks risk factors would reflect this.

Sockbook risk profile — Sockbooks revenue is directly tied to the engagement of its users. So SB must not only protect itself as a business from infosec risk but it must engender a place users want to spend time, which means it protects user experience, no spam, no graphic images and nothing that would drive people away.

Sockbook getting hacked would also probably not end the company as it enjoys the network effect. This effect is an attribute of the business but shapes how to evaluate the risk of technical security issues. Spam and abuse become first-class problems in ways they wouldn’t be at another company.

MtSox risk profile — mtSox must care a lot about information security as it holds the precious sockCoins on behalf of its users. One security flaw allows sockCoin theft and the entire company sinks.

This is the very rare case of the venn diagram of “infosec risk” and “business risk” overlapping 100%. Credit to Ryan for observation. See his Blockchain graveyard for examples of bitcoin companies blowing up as the result of a security issue.

So every company in the world has its own unique risk profile. Even within companies different sections are more or less risky, its bad if someone hacks my gmail account but much worse if they control the autonomous car that is driving me.

Understanding business risk lets you make better local security decisions and tie your work to the larger risks of the business.

Different companies have different risks and tolerances for those risks. Infosec risk is one among many.

Risk can be ignored, transferred, reduced (mitigated) or eliminated (remediate). The correct answer to risk is not always to eliminate it and it is our job to know the appropriate action given the many variables.

The advice to the me of a decade ago is to set down vi, nmap and IDA for a moment to read a 10-k because to make the best tradeoffs when evaluating security we must understand vastly more than just security.

References

  1. Dan Geer recognized all this and explained it. In 2002. Of course.