Friday, October 27, 2006

The Great Risk Management Debate

Arthur at Emergent Chaos joins in the argument Mark Rothman and Alex Hutton have been having on Risk Management.

As often happens when trying to follow arguments on the blogosphere, working out who is arguing what is a bit like trying to find a bug in a large piece of code by looking at just the diff files.

I agree that Risk Management is a management task and needs to be separated from the task of managing devices. What I object to though is the assumption that management of a device is necessarily the task of a person.

Already the principle of Managed Security Services (MSS) is established as the way to run network security in medium to large sized enterprises. The risk manager sets the policy by considering the various business risks concerning the network. The policy is then enforced at the device level by the MSS team using a combination of manual and automated techniques.

The risk manager is thus interacting with their network at a much higher level of abstraction than Cheswick and Bellovin were working at two decades ago when they were chasing Berferd.

Another way to look at it is that Risk Management is not the same as Threat Control. Threat control is an objective process: we have a list of threats that are to be excluded, we apply controls to eliminate those threats (as far as is practicable). We can outsource Threat Control because it is objective.

Risk Management requires us to decide which threats are to be controlled and which are to be allowed. This is inevitably a subjective process because it involves the estimation of three sets of unknowable quantities: the value of the assets to be protected, the probability of loss, and the cost of applying controls.
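To make that point concrete, here is an added example (my own, not from the post or any of the bloggers named) in which each of the three quantities is known only as a range. Some threats then come out clearly as "control" or "accept", while others fall in the overlap where only the manager's own estimates can settle it; all figures are constructed.

```python
from typing import Dict, Tuple

# (low, high) estimate for a quantity that cannot be known exactly.
Interval = Tuple[float, float]

def expected_loss(asset_value: Interval, prob_loss: Interval) -> Interval:
    """Expected loss as an interval: asset value times probability of loss."""
    return (asset_value[0] * prob_loss[0], asset_value[1] * prob_loss[1])

def decide(asset_value: Interval, prob_loss: Interval, control_cost: Interval) -> str:
    """Compare the expected-loss interval with the control-cost interval."""
    loss_lo, loss_hi = expected_loss(asset_value, prob_loss)
    cost_lo, cost_hi = control_cost
    if loss_lo > cost_hi:
        return "control"        # even the optimistic loss exceeds the dearest control
    if loss_hi < cost_lo:
        return "accept"         # even the pessimistic loss is below the cheapest control
    return "judgment call"      # intervals overlap: the estimates, not arithmetic, decide

# Constructed threat register: asset value, probability of loss, control cost.
THREATS: Dict[str, Tuple[Interval, Interval, Interval]] = {
    "ransomware on file server":   ((200_000, 500_000), (0.15, 0.30), (10_000, 20_000)),
    "defacement of brochure site": ((2_000, 5_000),     (0.10, 0.30), (8_000, 12_000)),
    "phishing of finance staff":   ((50_000, 150_000),  (0.10, 0.40), (15_000, 40_000)),
}

def triage(threats=THREATS) -> Dict[str, str]:
    """Classify every threat in the register."""
    return {name: decide(*estimates) for name, estimates in threats.items()}

if __name__ == "__main__":
    for name, verdict in triage().items():
        print(f"{name}: {verdict}")
```

Only the first two verdicts can be outsourced as objective threat control; the third is the risk manager's call.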

I don't see Alex, Mark or Arthur actually disagreeing on the principles here. I think the reason they are engaged in their semantics debate is that they have one term and two distinct meanings.
