A "perfect" risk assessment isn't the goal.
Several years ago I wrote about working with a client to help develop a formal risk assessment process for their organization. What they figured out is that even without a formal process or training, they’d been doing risk assessments informally for a long time — it’s just how security professionals are wired.
Once they had that realization, rather than worry about the difficulty of developing a formal process or making it perfect, they began to focus on the initiatives that would need to be evaluated once their process was in place.
Risk Assessments are More Than Compliance
Today, a lot of what’s happening in the security world is driven by compliance. Companies often feel like they have to play catch up because an auditor or government agency says they have to safeguard a certain type of data, and they, therefore, spend most of their security program efforts on attaining and demonstrating a compliance status.
While compliance with security mandates is important, the real objective of a risk assessment is to help management make well-informed decisions about security safeguards that should be in place in the organization.
Risk Assessment Best Practices
The reality is that there’s no such thing as a perfect assessment to identify and measure every possible risk – if you wait for a perfect assessment before acting, risks will go unaddressed for a long time. But there are some best practices that most organizations should think about, regardless of their particular industry or compliance requirements.
Know that doing some kind of risk assessment is better than doing nothing. To prioritize risks, focus first on the likelihood of a particular threat occurring and then on the possible impact of that threat on the organization. In mathematical terms, likelihood × impact = risk. Once you have scored each of the threats you are evaluating, the items that you and the other members of your management team judge to be the highest risks should be the ones that get the most attention soonest.
You need to measure these risks in a regular, repeatable way over time. You shouldn’t use one approach for measuring risks one time and then a totally different approach the next time, or you won’t get an accurate understanding of risks, and you won’t be able to compare them over a period of time to determine the progress the organization has made.
Use a consistent risk assessment process as well as a consistent risk rating system each time you do an assessment. Having that consistency of what you’re measuring and how you are measuring it will arm you with the information you need to help guide your organization. And after all, at the end of the day, that’s the most important thing you can do as a security professional – help your management team make well-informed decisions about security risks.
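The scoring and comparison routine below is an added example written for this article, not the author's or LBMC's own tooling. It applies the likelihood × impact formula with fixed 1-to-5 rating scales, ranks a register of threats, and compares two assessment periods so progress is measured the same way each time. The threat names, ratings, period registers and band thresholds are constructed sample data and assumptions for illustration only.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Fixed rating anchors. Using the same scales in every assessment is what makes
# scores comparable across periods (an assumed 1-5 scale for this example).
LIKELIHOOD_SCALE = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
IMPACT_SCALE = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int  # rated on LIKELIHOOD_SCALE
    impact: int      # rated on IMPACT_SCALE

    def __post_init__(self) -> None:
        # Reject ratings that are not on the agreed scale, so a 1-10 rating from a
        # different method cannot slip into a 1-5 register and distort the ranking.
        if self.likelihood not in LIKELIHOOD_SCALE:
            raise ValueError(f"{self.name}: likelihood {self.likelihood} is not on the 1-5 scale")
        if self.impact not in IMPACT_SCALE:
            raise ValueError(f"{self.name}: impact {self.impact} is not on the 1-5 scale")


def risk_score(threat: Threat) -> int:
    """likelihood x impact = risk, giving a score from 1 to 25."""
    return threat.likelihood * threat.impact


def risk_band(score: int) -> str:
    """Map a score to a band. The thresholds are an assumption for this example."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def prioritize(threats: Iterable[Threat]) -> List[Tuple[str, int, str]]:
    """Return (name, score, band) tuples, highest risk first; ties broken by name."""
    ranked = sorted(threats, key=lambda t: (-risk_score(t), t.name))
    return [(t.name, risk_score(t), risk_band(risk_score(t))) for t in ranked]


def compare_periods(previous: Iterable[Threat],
                    current: Iterable[Threat]) -> Dict[str, Tuple[Optional[int], Optional[int]]]:
    """Show each threat's score in both periods side by side.

    None marks a threat absent from one period (newly identified or retired),
    so the comparison never silently drops or invents a risk.
    """
    prev = {t.name: risk_score(t) for t in previous}
    curr = {t.name: risk_score(t) for t in current}
    return {name: (prev.get(name), curr.get(name)) for name in sorted(set(prev) | set(curr))}


# Constructed sample registers for two consecutive quarters (not real data).
Q1_REGISTER = [
    Threat("Phishing leading to credential theft", 4, 4),  # 16, high
    Threat("Unpatched internet-facing server", 3, 5),      # 15, high
    Threat("Lost unencrypted laptop", 3, 3),               # 9, medium
    Threat("Insider misuse of customer data", 2, 4),       # 8, medium
]
Q2_REGISTER = [
    Threat("Phishing leading to credential theft", 3, 4),  # 12, medium (after MFA rollout)
    Threat("Unpatched internet-facing server", 2, 5),      # 10, medium (patch cadence improved)
    Threat("Lost unencrypted laptop", 1, 3),               # 3, low (disk encryption deployed)
    Threat("Insider misuse of customer data", 2, 4),       # 8, medium (unchanged)
    Threat("Ransomware via remote access", 3, 5),          # 15, high (newly identified)
]


if __name__ == "__main__":
    print("Q2 priorities:")
    for name, score, band in prioritize(Q2_REGISTER):
        print(f"  {score:>2} {band:<6} {name}")
    print("Q1 -> Q2 change:")
    for name, (before, after) in compare_periods(Q1_REGISTER, Q2_REGISTER).items():
        print(f"  {name}: {before} -> {after}")
```

The point of the validation in `Threat` and the side-by-side `compare_periods` output is the consistency the article calls for: the same scale, the same formula and the same band thresholds every period, so a score of 9 in one quarter means the same thing as a 9 in the next and the change column actually reflects progress rather than a change in method.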
You can anticipate changes in the risk areas and compliance requirements that may affect your organization before they happen. A great way to do this is to get plugged into a local or national trade association in your industry. You’ll hear chatter about changes that are coming, and you can factor that into your own organization’s considerations and plans.
The same goes for industry publications. Often, the writers will be plugged into what’s happening and be publicizing any changes long before they occur – after all, breaking news is one of the key objectives of those in the media.
Another great way to get informed is to attend conferences and events. These forums allow you to interact directly with the people involved with bringing about any changes in your industry, and they are typically the place where such new initiatives are first announced. They also offer a good opportunity to discuss those changes with colleagues in a relaxed atmosphere.
Risk Assessments Should Provide Value
One very important thing to remember regarding security risks is that they are rarely the most important issue facing your organization. Often, I encounter security professionals who forget that security risks are not all that the executive team is thinking about or accountable for.
There are other business-related factors in the organization that you may not know about that could play a role in determining the true risk of security weaknesses and whether your recommendations are implemented. Put things in perspective as best you can, and, once you’ve presented the security risks to your peers on the leadership team, rest easy. As long as you are providing quality information – and not just regurgitating geeky technical data to non-technical people who may not understand it – you’ll continue to provide significant value to the organization.
Learn more about how our team at LBMC Information Security can help your team armor up with a wide range of network defense services. Contact us today!
Mark Burnette is a partner in the Information Security practice at LBMC, a premiere Tennessee-based professional services firm. Contact Mark at firstname.lastname@example.org or 615-309-2447.