Until a little over two years ago, the government’s Security Policy Framework mandated the risk management process that HMG departments and agencies had to follow. Impact assessments had to be conducted this way - threat assessments had to be conducted that way. Unfortunately, this created a culture where compliance with mandatory risk management process became more important than really understanding (and thus effectively managing) risk. To make matters worse, security practitioners, now steeped in this process, had become adept in the application of the framework, rather than the true elicitation of risk.
So, it was not uncommon for decisions to be justified on the basis of accreditation, policy, or a protective marking, rather than on a sound understanding of technical security risks. This fundamental lack of understanding about risk meant that decisions were not really being made in the name of security, let alone business need.
Compliance with the risk management process should not become more important than a true understanding of risk.
However, to be fair to departments and agencies, they were only doing what they were told. After all, it was HMG policy and CESG standards that had created this culture. So the first thing that had to change was the Security Policy Framework itself, so that it no longer mandated a process to be followed. Instead it now defines the outcomes that are required; how departments and agencies decide to achieve these outcomes is entirely up to them.
Of course, departments and agencies are still expected to assess and manage the risks to their technology, and if they want to continue to follow IS1 & 2 then they are free to do so, provided they achieve the right outcomes. Equally, if departments and agencies want to use other risk methods or frameworks, they can do so, again provided they achieve the right outcomes. However, this is easier said than done when a security community has followed process for many years.
So CESG realised that in order to support the security community to achieve the right outcomes, we needed to empower departments and agencies. Firstly CESG needed to promote autonomy – it was necessary to make a clear statement about the future of IS1 & 2, which is why we took the decision to make it a legacy publication. Of course, autonomy alone can't empower people to achieve the right outcomes; this has to be supported by knowledge. This is why CESG has also published the following guidance to help the security community realise the right risk management outcomes:
These changes have been perceived by some as CESG taking capabilities away from the security community. In fact they have allowed for many more. Now, departments and agencies can use any risk method or framework which meet their needs, and importantly, they can start to better understand how to use them, to achieve the right outcomes. And this is only the beginning. Now that CESG and the security community have been freed from the mandatory application of IS1 & 2, we can concentrate on further developing our expertise through research and development activities.
We’ve already learnt that the security community needs far more than the current crop of risk methods and frameworks. Risk requires a range of complementary management capabilities to effectively support the security community; current methods and frameworks are only effective for situations where the dynamics of risk will lend themselves to analysis.
For example, where the dynamics of risk are complex with unanticipated system properties emerging (as a result of the interactions between technology, people, and organisations) the analytical approaches - which we are all accustomed to - start to breakdown and become ineffective. This is why we have recently published the paper ‘A Critical Appraisal of Risk Methods and Frameworks’, which helps the security community understand the limitations of existing risk methods and frameworks.
Let’s be clear, this does not mean that existing risk methods and frameworks cannot or should not be used, or that they are fundamentally ineffective. ‘A Critical Appraisal of Risk Methods and Frameworks’ has been produced to improve understanding amongst practitioners and decision makers, so that they are better able to work with the approaches they have chosen.
But this is really only a taster of the work we have undertaken. Over the next few years our aim is to develop many different research-backed risk management capabilities which our customers can take advantage of. This is the start of a fascinating change so watch this space!
Head of the Sociotechnical Security Group
CESG no longer maintain IS1 & 2. However, customers can still use it, should they wish.