Most of us in the information security industry long ago recognized that we could not eliminate every risk and threat to our data and networks. Instead we have tried to manage that risk to acceptable levels, with acceptable being in the eye of the beholder. An entire information security risk management industry has sprung up over this time. But, have we missed the boat on risk? Has the risk management space been hijacked by the vulnerability management crowd?
We have settled on a formula for risk being:
Risk (R) = Threat (T) x Vulnerability (V)
But is that the correct formula to use? Are there other factors that need to be considered?
I am joined on this podcast by Jody Brazil, President of Firemon, and Gary Fish, CEO of Firemon, to discuss these questions in light of Firemon's new Risk Analyzer product.
Risk Analyzer offers a new way to look at risk using risk-based scenarios. By introducing concepts such as reachability, exposure and asset value into the equation, it gives us a better measure of risk. Risk Analyzer also gives us another way of prioritizing different risks, making us more efficient.
As many of you know, I have been working with Firemon for a few months and have watched Risk Analyzer develop. The folks at Firemon have taken a great engine that was developed at the MIT Lincoln Labs and developed some great front-end features to make this a complete product. I am very excited by what it offers and I think you will be too.
Have a listen as I discuss this with Jody and Gary.
Also be advised that there was a clicking noise in the recording (which we obviously didn't know about when we recorded this). I have done my best, using my not very considerable sound engineering skills, to remove it. It is still there, but it is the best I can do, and I thought the quality of the conversation was much more important than the quality of the sound.