Let's face it. Information security risk assessments are boring.
The only reason most organisations endure risk assessment is to (a) comply to a regulatory requirement or (b) to get certified on a standard that requires you to have a risk assessment.
But, it does not have to be this way. Risk assessments can be very interesting and very useful, if done in the right way.
Here are 5 tips to get the most value out of them.
The simpler way of saying 'Define Risk Criteria' and 'Define Risk Appetite'
The objective here is simple.
Define the various terms you are going to use in risk management. For example, what do you mean when you say ‘impact’? Are you worried more about revenue losses, or are you worried more about reputation? Do you care more about regulatory impact, or do you care about customer perception?
Different people will mean different things when they say - “This will be a huge business impact!”
Go basic. Get everyone one a room and ask them - What do you mean by huge? What do you mean by impact? Well, you might even have to ask 'What do you mean by business?
The way we do this at Risk Quotient is to conduct a management workshop consisting of silent brainstorming ( a term we borrowed from Design Thinking). We gather the management in a room, hand them post-its, and ask them to write down the impact to the organisation in case of a security breach.
Everyone then writes down their version of ‘impact’ on the post-its and sticks them up on the wall. Our team helps in grouping various 'impacts' and arriving at the organisational definition of 'impact' - a definition that everyone agrees with.
The higher up in the management hierarchy the session attendees, the clearer the definition of impact.
Once the terms have been defined, it is time to put some numbers around them.
If, for example, your little brainstorming has come up with 'revenue impact' as a critical component during definition, your next step would be to define what ‘high’ revenue impact means.
Expects things will start to get a little complicated now... Is ‘high’ impact a business loss of a million dollars? Is it a business loss of 2 million dollars? Who would be able to give this information? An individual? Or a committee? The board of directors? - You see how things can start to spiral here?
While the above questions seem tough, revenue impacts are slightly easier to calculate. Be prepared to deal with quantification of other parameters - for example ‘reputation’.
What does a ‘high’ reputation loss mean?
The answer is not as difficult as you imagine. Most business heads will be able to tell you what they mean when they say reputation loss. Your task would be correctly capture these. For example - 'high reputation loss' could mean existing contracts getting cancelled!
In our experience, the management is rarely asked these questions. As a consequence the risk assessment exercise is largely on paper and not in sync with how the management thinks and acts. Not doing this exercise and not asking the right questions is the most common reason for failure of risk management processes in any organisation!
By the end of this exercise, your output should be something like this:
If you have reached this far, you are well on your way to make risk assessment a success in your organisation
Involve the business and support functions. Show them the definitions from the management workshop. Ask them for risks that meet these impacts.
With a common definition, you will be able to hold good discussions and identify the key risks. Your already defined methodology for assessing risks will be useful here.
When we do this exercise as a part of Risk Quotient’s consulting engagements, we conduct a training session for the business and function heads where we play our proprietary game.
The objective of this game is to get people to have a clear idea of the different terms involved in risk management and how to identify risks.
Any method of communication you adopt, the goal is to ensure that people know the organisation definition of risk and impact and assist you to identify risks. You can hold a joint training session, or you can explain the different terms individually. In the end, if people are aware of the definitions and provide you with relevant risks, your job is done.
Risk assessments fail because the end result is a gigantic excel sheet that has enough rows and columns to put an average person to sleep.
Not only are these excel sheet gigantic, they tend to be repetitive across departments. 'Virus Attack' would be listed as a risk for the legal department! It is these things that you need to straighten.
Your risk methodology should centralise these types of risks to wherever the control is applied from, so that is does not repeat in sheet after sheet. In this case, the IT department issues desktops and laptops and is responsible for the anti virus. The risk of virus attacks therefore appears just once in the IT department only.
Here, follow the software development paradigm - if you have to write the same risk twice, your risk methodology is not good.
Group risks wherever possible. For example, risks of data theft due to unauthorised access to shared folders, in all likelihood, would be across the organisation. The controls you would apply are similar across all departments - access rights review and updates. Group these together and track them as a single control item. It reduces 'excelitis' - the fatigue caused by extra long excel sheets. (don't look this up in a dictionary... its a fictional word)
When we do this for our clients, we go through an extensive exercise of talking to all stakeholders, but our software takes care of the grouping and segregation to highlight organisation wide risks. Recently, we did a risk assessment across 17 departments of an organisation and came up with 1 critical and 3 high risks, making it much simpler for the management to take decisions.
The most difficult of all tips. All risk assessment exercises will remain ‘point in time’ unless you are able to achieve this.
Encourage risk based thinking. If your IT team is moving from MS Exchange servers to O365 and discussing risks, get them put in the risk assessment tracker and discussed. If your business says they do not want to put data on the cloud because they consider it risky, ask them to do an assessment of the risks using the approach.
If risk based thinking is encouraged, risk assessment will no longer be an annual compliance exercise. It will be a constant and live endeavour. You will be able to quickly glance through the top risks in your organisation near real time. This is the holy grail of risk management - knowing organisation risks in real time and not just a once a year paper exercise.
It is possible, but it is hard.
As a security professional, if you focus on the above 5 steps, you should get closer to real time risk tracking…