How to have real risk management

Our coverage of the annual Global Information Security Survey conducted by CSO and CIO magazines in partnership with PwC has sparked some interesting discussions about what it takes to be a security leader. Specifically, the discussion is about how organizations can move from being a security laggard to something better. As part of those discussions, we spoke with Andy Ellis, chief security officer at Akamai Technologies. Ellis is responsible for overseeing the security architecture and compliance of the company's globally distributed network and sets the strategic direction of its security.

CSO: What attributes must an enterprise leader in risk management have?Ellis: This is a hard thing to measure. I think the important thing is that the organization actually understands the risks that apply to them, and that they are making intelligent decisions based on that risk profile. These are the organizations that are actually out front, leading the way, defining new risk models for themselves and selecting technologies and solutions that are appropriate for their business. It's about paving the way, not following somebody else's cookie cutter.

Companies seem to be spending a lot on security products, but not as much on strategic efforts. Do you think it's indicative of their already having effective strategies in place? Or, are they focusing just on the technology?In a down economy, you probably aren't spending time revamping your strategy. Hopefully, you're executing. That would be my guess as to what a lot of these organizations are doing. I think what you could be seeing is organizations saying "Look, I'm not going to try and rebuild my business continuity plan this year. It's not like we actually added a thousand people. I can run with the existing plan. It's much more important. Let's go execute on the strategy that we didn't finish from last year." I think industry often spends more time thinking about strategy and less time executing. That's what we're seeing in the survey results: "Hey, let's protect our jobs by going and executing on what people can see." Many times enterprises can see a strategic change in security, and if management can't see it, it may not have much perceived value.

A lot of companies seem to be skimping on disaster recovery and business continuity planning. Do you think there's a reason for this beyond it not being a priority, or organizations believing bad things won't happen to them?You have to look at it individually. For many businesses, that's a risk they have to take. I recall, after 9/11, there was an investment company that was praised for their business continuity plan. It was one of the investment companies that had been in the World Trade Center, and everybody was holding them up as this example of great business continuity planning. They had a good plan in place and they kept their business running after the attack. Three years later, the company was out of business. The reason was -- at the end of the day -- they didn't actually have a business continuity plan that dealt with how to keep the business successful after losing so many skilled knowledge workers. The point is that there are some events that are not worth planning for. And some companies, because of where they are at in their development cycle or whatever, can't afford to put a disaster recovery plan in place.

How should companies decide what can be planed for, and what can't?Not everything is in our control. So one of the important things to focus on is how will the organization run its incident response after the event? That this the most important thing to make sure an organization has in place. How will management be in touch, how will decisions be made? As long as an organization has incident response in place, it can survive almost any disaster. And that's what I think businesses ought to focus on -- but many don't consider that business continuity or disaster planning.

One of the things we've seen in this year's survey is that companies don't seem to have trouble getting budget to buy products and technologies, even if their security budgets are relatively flat year over year.There's rarely a problem getting security people interested in buying things that will help them generate reports. It's very easy for people to justify a budget spend if they can show a pretty report. It's something we'll occasionally run into with customers. We're defending them against denial-of-service attacks and they'll ask for reports for all of the low level denial-of-service attacks that we blocked. We will ask why, because they are attacks that are simple to block. They'll literally say: "That's what we use to show how many attacks we've blocked. That's how we justify our budget."

Read more about security leadership in CSOonline's Security Leadership section.

Join the CSO newsletter!

Error: Please check your email address.

Tags firewallsGeorge V. HulmeGISSsecurity spendingrisk managementsecurity strategyCSOSecurity Leadershipbusiness managementnetwork securityGlobal Information Security Surveysecurity

More about Akamai TechnologiesAkamai TechnologiesetworkPricewaterhouseCoopers

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by George V. Hulme

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts