This week the Internet blew up based on news that Intel officials briefed President Obama and Donald Trump on the possibility that Russia had information on Donald Trump that was damaging to him personally and might even have implications for the entire US government. (And while one never expects a hashtag like #goldenshowers to trend on Twitter, the feed was hilarious.)
Politics aside, this story is a textbook case of problems with being proactive with threats. Notice: I wrote “threats” not “events” or “incidents” because the incident hasn’t happened yet, there’s just a high potential for it to be true and for it to happen.
You get lots of finger pointing in hindsight. The common question is “what did you know, and when did you know it?” Because, after something bad happens, anyone who knew of the potential for the event comes under fire for not saying something sooner, not being more forceful if in fact they HAD said something, and for not doing something to stop it from happening. The fact is something happened and someone has to somehow get blamed.
And in the Trump intel story, you see the opposite of that, with everyone retreating to their respective political corners, defending or dismissing the intel reports based on emotion and personal perspective. And now that everyone has already picked sides, it will be that much harder to make the right decision on how to treat the threat risk. So, how do you ask the right questions and take action in time to avoid the impending threat?
Here are the questions predictive security and risk management brings:
- When do you flag a threat to executives? It’s important to have a policy in advance so there isn’t confusion later. It could be something like “a risk has been increasing steadily for the past 3 months” or “a risk increased very quickly in a short period” or a similar rule. When you raise the flag may have a drastic impact on which actions you can take to address the threat, since risks are often time sensitive.
- How much do you tell them? Even if you’ve decided to tell executives, you must decide how much information to give. Too much detail and you may panic them unnecessarily, too little and they may not appreciate the implications of the threat. This question is usually harder to answer than the first one.
- What do executives need to DO because of the rising risk? Another tricky area: what do you propose be done about the threat? Wait it out and seek more confirmation? Deal with it proactively, even if there’s potential for the threat to not happen? Take interim steps? This is the most important question to be answered when talking about predictive security management.
Focus Predictive Security On Remediation Not Reporting
We don’t know what advice the intel team gave to the government leaders, but we do know there are a few general ways you can deal with a threat or risk:
- Accept the risk and go on with what you were doing. Sometimes there’s not much that can be done – or worth doing. For example, there could be a heightened risk of a terrorist attack, but you don’t want to be seen to be weak and encourage them further and choose to ignore it, safe in the knowledge airport security is already prepared for such a threat.
- Try to remove or reduce the risk. In a political context, it might involve finding the people who are informants and stopping their ability to keep helping the other government. In a corporate setting, it might involve cutting a contract with a supplier you think has illegal dealings, for example.
- Make a strategic bet to increase the risk. In a political context like yesterday’s story, increasing a risk strategically could involve cutting diplomatic ties, mobilizing troops or invoking sanctions, among others (these increase risk because they may cause the original threat actor to escalate further or move more quickly with the original threat). In a corporate context, an example would be to work with a startup vendor even though you know it’s a highly risky supplier, because that vendor has some amazing new technology that you want to use.
Unfortunately, if you didn’t have a remediation plan in place BEFORE the risk became likely, you’re facing much more confusion about what to do and even whether to do anything at all. This puts your company at risk and in fact, negates the value of having predictive security capabilities.
Bottom Line: Security professionals need predictive security management and prescriptive treatment plans to protect their firms from looming threats.
Security teams need clear treatment plans that address potential risks and how to mitigate them. As a simple example, if there is a threat of insiders giving information to third parties, then the remediation plan would involve something like “when someone downloads more than one file they don’t normally access, that person’s manager must ask why the person needed those files within 4 hours of the download.” Without this proactive treatment planning, companies likely do nothing and then get harmed even by risks they could have addressed.
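The insider-threat treatment plan sketched above can be written down as a detection rule so that the follow-up is triggered automatically rather than left to judgment after the fact. The example below is added here and is not code from the original post; the download history, user names and file paths are constructed sample data, and the baseline/threshold logic is one assumed reading of the rule (a user is flagged when they download more than one file outside the set they have accessed before, and the manager's question is due four hours from the earliest unfamiliar download).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample history of file downloads: (timestamp, user, file).
# In a real deployment this would come from DLP or file-server audit logs.
HISTORY = [
    ("2017-01-02T09:10:00", "alice", "/finance/q4-forecast.xlsx"),
    ("2017-01-03T10:05:00", "alice", "/finance/budget-2017.xlsx"),
    ("2017-01-02T11:00:00", "bob", "/eng/design-notes.md"),
    ("2017-01-04T14:30:00", "bob", "/eng/roadmap.pptx"),
]

# Constructed downloads from the period under review.
RECENT = [
    ("2017-01-11T08:00:00", "alice", "/finance/budget-2017.xlsx"),  # normal for alice
    ("2017-01-11T08:02:00", "alice", "/hr/salary-bands.xlsx"),      # unfamiliar
    ("2017-01-11T08:03:00", "alice", "/legal/merger-memo.docx"),    # unfamiliar
    ("2017-01-11T09:15:00", "bob", "/finance/q4-forecast.xlsx"),    # only one unfamiliar
]

FOLLOW_UP_WINDOW = timedelta(hours=4)  # the "within 4 hours" from the treatment plan


def build_baseline(history):
    """Map each user to the set of files they have accessed before."""
    baseline = defaultdict(set)
    for _, user, path in history:
        baseline[user].add(path)
    return baseline


def flag_unusual_downloads(history, recent, threshold=1):
    """Return one manager follow-up task per user who downloaded more than
    `threshold` files outside their baseline. The deadline is measured from
    the earliest unfamiliar download, the most conservative reading of the rule."""
    baseline = build_baseline(history)
    unfamiliar = defaultdict(list)  # user -> [(timestamp, path), ...]
    for ts, user, path in recent:
        if path not in baseline[user]:
            unfamiliar[user].append((datetime.fromisoformat(ts), path))
    tasks = []
    for user, hits in unfamiliar.items():
        if len(hits) > threshold:
            first_ts = min(ts for ts, _ in hits)
            tasks.append({
                "user": user,
                "files": sorted(path for _, path in hits),
                "manager_follow_up_due": first_ts + FOLLOW_UP_WINDOW,
            })
    return tasks


if __name__ == "__main__":
    for task in flag_unusual_downloads(HISTORY, RECENT):
        print(task)
```

Bob is not flagged because a single unfamiliar file does not exceed the threshold; alice is, with a follow-up due at 12:02, four hours after her first unfamiliar download.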