Editor’s note: In A Circular Problem in Current Information Security Principles, we highlighted one of the challenges in our knowledge domain that contributes to the ineffectiveness of today’s information security practices. In this third installment, we review the issues and dilemmas that are common in our practice environment.

One of the challenges information security management teams face is justifying their value proposition to the business to ensure that security requirements receive adequate resource allocations. The paradox here is that if security management within an organization is effective, the results typically show no observable outcome (i.e., no security incident). Interestingly, the absence of a security incident does not necessarily mean that good security management practices are in place. Incidents might go unobserved because of a flaw in the security detection mechanism, or simply because no attacker had an interest in carrying out an attack during that time period.

On the other hand, when a security breach occurs, the security manager is often questioned for failure to anticipate and prevent the incident. Security managers therefore often fall back on past or external incidents as a form of justification. Business managers frown on these explanations because they normally believe they are no worse than their peers or competitors in the industry.

In organizations such as financial institutions and healthcare providers, information security falls under specific laws and regulations. Financial institutions manage information security risks as part of their overall operational risk management practice. Failure to implement or enforce appropriate security controls becomes a compliance issue. This, in a way, helps drive the adoption of information security policies, saving information security managers time and effort in convincing senior and line management about the need for information security practices within their organizations.

In more mature financial institutions, the operational risk management framework requires firms to allocate and set aside resources for unplanned operational risk exposures. Individual departments therefore have a strong incentive to enhance their own operational risk management practices to reduce risk exposure and lower the capital provision to the lowest possible level to extend the use of their budgets for other business purposes. Annual audit ratings are a metric used in quantifying risk exposure and in determining the operational risk capital provision. These include information security risk exposures.

Most risk professionals could easily mistake this model for an ideal, practical approach because there is a “carrot and stick” effect directly associated with good and poor information security practices. In addition, there is no need to rely on security incidents to justify security investments. In practice, however, such a compliance-driven approach has many challenges.

For example, security management and staff at times prefer to direct their focus to audit rating metrics rather than the underlying risk issues. Considerable time is spent preparing for an audit before it occurs so that only “low risk” issues are exposed to auditors; other issues are not easily found or addressed. Security policy becomes the ultimate arbiter for resolving differences of opinion between these groups on whether a security gap exists or not.

This gives the perception that, regardless of how the environment has changed, the policy remains abreast of the risk situation, which is often not the case. Security managers become “pre-auditors” and gravitate toward identifying issues from the auditors’ perspective in order to assist the business in gaining compliance and obtaining security investment support from the auditors. In reality, when the audit rating is positive, management stops focusing on security, since its operating budget has been secured. On the other hand, operating budgets experience further reductions when the business gets a poor audit rating, leaving fewer resources to spend on security overall, including the most critical underlying security issues.

As an organization gains an increased understanding of its security issues, coupled with the maturity of its risk governance activities through the use of security metrics tools, more resources can be directed toward closing security gaps across the organization’s infrastructure, processes, and applications. However, such efforts can only address “known” security issues. As each issue is prioritized based on risk assessment and resource availability, not every security issue will be closed in a timely manner. Consequently, organizations are vulnerable to ongoing attacks from perpetrators looking to exploit open security weaknesses or weak links. Furthermore, even when a security weakness is a known target for exploitation—and prioritized for closure—the organization’s change management process may not be agile enough to modify the systems’ configurations to stop the attack.

For example, many organizations were directly affected by the release of the SQL Slammer worm in 2003. The worm exploited a system vulnerability that had a patch released in July 2002, five months before the incident occurred. In the organization where I conducted research for my book, Responsive Security, the security team detected the emerging attack a day before, and notified the IT team to block the related services on its Internet gateway. However, despite these actions, the IT team was unable to make all of the necessary changes in time to prevent the attack.

Today’s network worms and malware continue to exploit “published” vulnerabilities with existing patches, along with Zero Day vulnerabilities, where even the vendor is unaware of their existence until an incident is reported. According to recent research conducted by the University of Maryland, an average Zero Day attack lasts approximately 10 months. Patch management remains a security gap for many organizations awaiting resources and prioritization.

Ironically, most organizations have a security incident response function in place, but its role is often limited to incident handling and investigation. These teams react to incidents, but they are not nimble enough to respond or realign to the evolving risk situation as the environment changes.

These are a few of the issues and dilemmas observed in today’s business environment that significantly affect information security management. The lack of an effective security value justification—combined with a traditional approach of defensive risk management focused on applying security controls to prevent known attacks—will continue to fail us and cause only reactionary responses from organizations.

Furthermore, organizational groups providing incident response, business continuity and disaster recovery services, and emergency response will continue to operate in silos based on traditional boundaries between physical and logical systems. Interdependency among these groups is needed to thwart security incidents today and in the future. Current practices call for new thinking to address the challenges of managing information security. With more outsourcing of IT services, the migration of infrastructure, platforms, and applications to cloud-based environments, and the speed at which an error or exploit propagates, the chain of control involved in closing security gaps has lengthened significantly.

Our ability to respond and realign our critical systems and people to the constantly changing security situation is becoming more challenging than ever.


Dumitras, T. 2014. “Empirical Study of Zero-Day Attacks.” Available online at: http://www.umiacs.umd.edu/~tdumitra/blog/old/empirical-study-of-zero-day-attacks/

Part 1: Understanding and Addressing the Challenges of Managing Information Security – A More Responsive Security Approach

Part 2: A Circular Problem in Current Information Security Principles


Meng-Chow Kang, PhD, CISSP, CISA

Director and CISO

APJC region, Cisco Systems, Inc