Unreasonable Security Best Practices vs. Good Risk Management

Perfection is impossible, and pretending otherwise just makes things worse. Instead, make risk-based decisions.

Years ago, I spoke with the risk management leader at a bank where I was consulting. This person was new in the role and was outlining plans for implementing an IT risk management program. The program was to be based on the NIST 800 series, which predates the creation of the NIST Cybersecurity Framework, and the team had worked out their own proprietary risk rating system based on the control catalog in SP 800-53. It was well thought out, and the leader had had some success with the same approach in a previous role.


Ultimately, the risk ratings assigned as a result of this process came down to the personal opinion of the assessors. But the real trouble with this approach was that the security leader held the viewpoint that, eventually, the process would result in all of the controls in NIST SP 800-53 being implemented. As a result, the model they developed was designed to give good risk ratings when more controls were implemented and bad ratings when those controls were missing.


This person is not alone in the belief that more controls equal less risk. Far too many risk registers are really just lists of broken or missing things. We are so convinced that we need more security that we tend to believe only perfection will do. Security conferences are rife with such axioms, for example "we need to get it right every time; hackers only need to get it right once." Such views are pessimistic and dissuade business leaders from taking the actions they need to properly secure themselves. Why should they bother if they can't get it perfect?


I often say that ..
