A “perfect” risk assessment isn’t the goal.

Several years ago I worked with a client to help develop a formal risk assessment process for their organization. This client has a very knowledgeable and capable security department, and they were ready to formalize a process for risk assessment and start rolling it out across the company. They were a little ashamed that it had taken them until now to create such a process, and as we talked through how the risk assessment process would work, they swallowed hard and indicated that it seemed to be a very daunting undertaking.

What they figured out is that even without a formal process or training, they’d been doing risk assessments informally for a long time. Formal methodology or not, security professionals can’t help thinking about risks – it’s how we’re wired. The client then became less concerned about how difficult it would be to conduct a risk assessment and started making a list of the initiatives that would need to be evaluated once their process was ready to go.

Security is all about managing risks.

I was a CISO for many years for two different publicly traded companies, and during that time, I came to realize that my job was to advise and educate the senior executive team at my employers about the risks facing the business so that they could make well-informed decisions.

I often went into the boardroom with my risk summary and recommendation ready to go. Regardless of whether or not the C-levels chose to execute on my recommendation, if I felt that they understood the risks of the initiative, I was satisfied that I had done my job.

There are always factors and external business influences that security professionals may not be aware of that an executive must also consider when making a risk decision.

Security leaders, do your risk homework.

Have a formal process for identifying and evaluating risks to your organization. As initiatives arise and the IT environment changes, assess the risks and seek ways to publicize those to your company executives. While you should always be prepared to provide a recommendation, be sensitive to the fact that the executives may not always choose your desired outcome.

If that happens, accept the decision and then take steps to manage the risk in the best way you can. Avoid saying no or running interference on every initiative (and don’t assess everything as a “High” risk) or you won’t be invited back to the table, and you’ll find out about important changes too late to influence their outcome.

Risks are an inevitable part of the business. As security professionals, we owe it to our organizations to stay on top of them and guide the company to an outcome that is consistent with the company’s business objectives and risk tolerance.

Risk Assessments are More Than Compliance

Today, a lot of what’s happening in the security world is driven by compliance. Companies often feel like they have to play catch up because an auditor or government agency says they have to safeguard a certain type of data, and they, therefore, spend most of their security program efforts on attaining and demonstrating a compliance status.

While compliance with security mandates is important, the real objective of a risk assessment is to help management make well-informed decisions about security safeguards that should be in place in the organization.

Risk Assessment Best Practices

The reality is that there’s no such thing as a perfect assessment to identify and measure every possible risk – if you wait for a perfect assessment before acting, risks will go unaddressed for a long time. But there are some best practices that most organizations should think about, regardless of their particular industry or compliance requirements.

    1. Know that doing some kind of risk assessment is better than doing nothing. To prioritize risks, focus on the likelihood of a particular threat happening and then look at the possible impact of that threat to the organization. To put risk assessment in mathematical terms, likelihood x impact = risk. Once you have done this for each of the threats that you are evaluating, what you and other members of your management team decide are the highest risks should be the items that get the most attention soonest.
    2. You need to measure these risks in a regular, repeatable way over time. You shouldn’t use one approach for measuring risks one time and then a totally different approach the next time, or you won’t get an accurate understanding of risks, and you won’t be able to compare them over a period of time to determine the progress the organization has made. Use a consistent risk assessment process as well as a consistent risk rating system each time you do an assessment. Having that consistency of what you’re measuring and how you are measuring it will arm you with the information you need to help guide your organization. And after all, at the end of the day, that’s the most important thing you can do as a security professional – help your management team make well-informed decisions about security risks.
    3. You can anticipate changes in the risk areas and compliance requirements that may affect your organization before they happen. A great way to do this is to get plugged into a local or national trade association in your industry. You’ll hear chatter about changes that are coming, and you can factor that into your own organization’s considerations and plans. The same goes for industry publications. Often, the writers will be plugged into what’s happening and be publicizing any changes long before they occur – after all, breaking news is one of the key objectives of those in the media. Another great way to get informed is to attend conferences and events. These forums allow you to interact directly with the people involved with bringing about any changes in your industry, and they are typically the place where such new initiatives are first announced. They also offer a good opportunity to discuss those changes with colleagues in a relaxed atmosphere.
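The first two practices above (score likelihood x impact, then measure the same way every time so results can be compared across assessments) can be made concrete with a small risk register. The following is an added example written for this post, not the author's or LBMC's own tooling. It assumes a five-point ordinal scale for likelihood and impact, assumed High/Medium/Low thresholds on the 1 to 25 product, and a constructed register of sample threats scored in two consecutive assessment periods; the scale labels, thresholds and threats are illustrative assumptions, not figures from the post.

```python
"""Consistent, repeatable risk scoring: likelihood x impact on a fixed scale.

Added example, not code from the post. The scales, rating thresholds and
sample register below are constructed assumptions for illustration.
"""
from dataclasses import dataclass

# Fixed ordinal scales. Reusing exactly these labels and values every
# assessment is what makes scores comparable from one period to the next.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Assumed bands on the 1..25 product. Keeping the bands fixed (and not
# rating everything "High") is what preserves the prioritisation signal.
def rating(score: int) -> str:
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


@dataclass(frozen=True)
class Risk:
    threat: str
    likelihood: str
    impact: str

    def score(self) -> int:
        """likelihood x impact, rejecting any label not on the agreed scale."""
        try:
            return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]
        except KeyError as exc:
            raise ValueError(
                f"{self.threat}: {exc.args[0]!r} is not on the agreed rating scale"
            ) from None


def prioritize(register: list[Risk]) -> list[tuple[str, int, str]]:
    """Rank the register highest risk first as (threat, score, rating) tuples."""
    rows = [(r.threat, r.score(), rating(r.score())) for r in register]
    return sorted(rows, key=lambda row: (-row[1], row[0]))


def distribution(register: list[Risk]) -> dict[str, int]:
    """Count of threats per rating band; a register that is all 'High' is a red flag."""
    counts = {"High": 0, "Medium": 0, "Low": 0}
    for r in register:
        counts[rating(r.score())] += 1
    return counts


def compare(previous: list[Risk], current: list[Risk]) -> dict[str, int]:
    """Score change per threat between two assessments done on the same scale.

    Threats present in only one period are treated as scoring 0 in the other.
    """
    prev = {r.threat: r.score() for r in previous}
    cur = {r.threat: r.score() for r in current}
    return {t: cur.get(t, 0) - prev.get(t, 0) for t in prev.keys() | cur.keys()}


# Constructed sample register: the same four threats scored in two periods,
# after controls (awareness training, patching, laptop encryption) were applied.
Q1_REGISTER = [
    Risk("Phishing leading to credential theft", "likely", "major"),        # 16
    Risk("Unpatched internet-facing web server", "possible", "severe"),     # 15
    Risk("Lost unencrypted laptop", "unlikely", "moderate"),                # 6
    Risk("Insider misuse of customer data", "rare", "major"),               # 4
]
Q2_REGISTER = [
    Risk("Phishing leading to credential theft", "possible", "major"),      # 12
    Risk("Unpatched internet-facing web server", "unlikely", "severe"),     # 10
    Risk("Lost unencrypted laptop", "unlikely", "minor"),                   # 4
    Risk("Insider misuse of customer data", "rare", "major"),               # 4
]

if __name__ == "__main__":
    for threat, score, band in prioritize(Q1_REGISTER):
        print(f"{band:6} {score:2}  {threat}")
    print("Q1 distribution:", distribution(Q1_REGISTER))
    for threat, delta in sorted(compare(Q1_REGISTER, Q2_REGISTER).items()):
        print(f"{delta:+3}  {threat}")
```

The `ValueError` in `score` is the consistency guard: if someone scores a period with labels that are not on the agreed scale, the assessment fails loudly instead of silently producing numbers that cannot be compared with the previous one. `distribution` gives a quick check that the register is not drifting toward everything being rated High.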

Risk Assessments Should Provide Value

One very important thing to remember regarding security risks is that they are rarely the most important issue facing your organization. Often, I encounter security professionals that forget that security risks are not all that the executive team is thinking about or accountable for.

There are other business-related factors in the organization that you may not know about that could play a role in determining the true risk of security weaknesses and whether your recommendations are implemented. Put things in perspective as best you can, and, once you’ve presented the security risks to your peers on the leadership team, rest easy. As long as you are providing quality information – and not just regurgitating geeky technical data to non-technical people who may not understand it – you’ll continue to provide significant value to the organization.

Learn more about how our team at LBMC Information Security can help your team armor up with a wide range of network defense services. Contact us today!