Securing critical infrastructure: portfolio-based approach

types of events, and which ones would drive greater consequences both from a business standpoint and from a homeland security standpoint – in my mind, there is no other way to look at that than with a portfolio approach. In particular, you need a portfolio of assets that you can slice and dice by geography, critical infrastructure type, sectors, vulnerabilities, or by the ones that would produce the greatest consequences. You would also need to have a portfolio of threats with information on the likelihood of the different types of things to happen, but you also need to know the ones that may not be very likely but would have completely unacceptable consequences.

From those portfolios, and only from those portfolios, can you take a strategic risk management approach where you say, “This is where I am going to focus my priorities on, these threats I think are the most likely while these are the most likely to disrupt us, and these critical infrastructure and these key resources are most essential to maintaining the national economy, the national defense,” – or whatever your goal is.

HSNW: It seems that this portfolio is real time and shifting where it is constantly adjusting to the threats that are emerging on the horizon. Is such an approach feasible given that there are so many decentralized elements and a finite amount of resources? Is it realistic that companies can actually shift resources and focus in time to respond to these emerging threats?

BW: Yes, it is. We already treat properties with this portfolio idea in the same way people treat their stocks, bonds, and investments. All of these are very portfolio driven because whenever you have too many things you have to go with that kind of approach.

Everything we advocate for is software driven, so as things change you are able to immediately update your risk. Outside of cyber, risk is not changing every minute like the stock market is. Instead, what we see in practice is that assets do change – they take on new missions, buildings or operations may shut down and move to a new place, or a new security assessment is done that lends some additional insight into particular vulnerabilities and some additional countermeasures are put in place. The threat dynamic and the threat environment also change – new threats emerge and there are alerts and warnings.

It is practical without a lot