Risky Business: Who decides?

At our recent DoIT all-hands meeting, it was mentioned that thanks to my blog it is possible to know what I’m thinking about. That has been true to some extent. As I reflected on that statement though, I realized that most of this blog has centered around facts and ways to secure your computing environment. I haven’t really used this platform to share my viewpoints or opinions. That is partially due to the fact that I am not, by nature, a blogger. This blog was my first venture into sharing information in such a public forum and I’m still trying to strike a balance between opaque and transparent. After all, discretion is the better part of valor, is it not? Mostly true, but lack of discretion has a time and place too. By the way, for some reason I hate the word blog. Blog Blog Blog.

With over a year here on West Campus I thought today is a good day to break the self-imposed mold for this blog and talk about my thoughts on risk. No, not RISK the strategic board game. Risk as in “the potential of losing something of value.”

Did you know that risk has a formula? That’s right, my academic brethren. Here it goes: Risk = Threat x Vulnerability. Let that sink in for a minute. Read it again. Risk = Threat x Vulnerability. Which of those two factors can we control? The threat? Nope. We only have control over the vulnerability aspect of that equation. Every organization has a risk posture. What is ours? What is yours? What needs to change?

What is our risk posture?

Before we talk about risk posture, we need to talk about risk tolerance. Some organizations are risk averse and try to address every known vulnerability regardless of cost. Others tend to be more risk tolerant and allow certain inefficiencies to remain. Where do we sit on that spectrum as an organization? Well, most institutions of higher education tend to have relatively high risk tolerance. The extent of tolerance varies from institution to institution. Consistently, though, risk tolerance is decreasing across the board. The threat has changed. The world has changed. At Stony Brook our risk tolerance is decreasing in like manner. Is our tolerance decreasing as quickly as the threat is increasing? We need to move fast.


This blog is not the place to discuss our risk posture. Sorry to disappoint. I will say this, though. Our risk posture is strong in some areas and weak in others. That is true for all organizations. Then there are areas that have an unknown risk posture. Those worry me. There are too many of those.

What is your risk posture?

In other words, how are we doing as individuals with regard to assessing and managing risk? Sensitivity and tolerance to risk vary greatly. Let me give you a handful of character profiles found around campus, and as you read them, try to honestly evaluate which one you relate to more.

  • A researcher who proactively reaches out to the CISO at the start of a research project to ensure that the practices they plan on following are adequate.
  • A researcher who is convinced that nobody in this world is interested in his/her research data and therefore security is not a concern.
  • An IT support professional who knows the owner of each system on their portion of the network and is quick to respond to security related incidents.
  • An IT support professional who provides support as requested, but otherwise allows faculty to manage their own equipment and therefore does not view security as part of their job description.
  • An IT admin who always takes security into consideration, can justify every security-adverse decision that is made, and employs compensating controls.
  • An IT admin who will always choose functionality and ease of use over security without giving any thought to risk.
  • A faculty member who wants to use their computer to accomplish a given task over the next few months.
  • A faculty member who wants admin rights on their computer so they can accomplish any task at any given time at some point in the future.

The list can go on and on, but those are some of the perspectives I’ve encountered on campus. If reading this list put you on the defensive, ask yourself “Why?”

What needs to change?

For starters, we need to start thinking and talking about risk more often. The decisions we make must be made with both eyes wide open. Lack of thought has no place in higher education. In my opinion, this improvement will have the single greatest impact on the security of our organization. Coincidentally, our meeting with Information Systems today centered around this very topic. They are acutely aware of certain risks within their purview and they want to formalize a priority-based plan to address them. This is the type of thinking that will keep Stony Brook safe.

We need to recognize who has the authority to accept risk on behalf of Stony Brook University, or wherever you happen to be employed. It’s probably not you or me. If a decision is being made that exposes Stony Brook to risk, make sure the right administrator is accepting that risk and is fully aware of the implications. It’s for your protection as much as it is for Stony Brook’s. I have observed that the higher you move up the chain of command, the less tolerance there is for risk. Let the decision makers do their job.

When there is conflict between security and preference or ease of use, we need to default secure. As it stands now, it is not uncommon to default less secure until an incident occurs. That mentality needs to change. If a security-related decision is going to negatively impact the business flow or ease of use, a well-informed decision needs to be made by the appropriate person. Don’t default less secure; default more secure until otherwise advised.

In the past, there was no reasonable way to collaborate safely. That is no longer true. Responsible collaboration is possible and practical. We have to be willing to jump through a hoop here or there to operate securely. Connecting to the VPN before accessing something is not unreasonable. Put the organization’s safety before your own convenience.

Finally, we need to work together. We need to disagree and discuss it intelligently. We need to yield when a reasonable argument is presented.

Overall, I am optimistic about our security posture and our security trajectory. Let’s make a concerted effort this year to think and talk about risk so our posture will continue to improve.

Thanks for reading and don’t forget to subscribe!