Risk assessments and risk management programs have become core competencies for the cybersecurity profession. A risk assessment is an evaluation of possible risks and an analysis of the likelihood and impact of reasonably anticipated threats. This assessment provides you with an understanding of what the possibilities are. You can use that information as guidance to properly allocate people and investments to address cyber risk.
Why Complete a Risk Assessment?
Identifying risks and, ultimately, working toward a risk management program allows your financial institution to make informed risk-based decisions. These decisions lead to smarter spending and position your financial institution to respond to threats in a programmatic manner.
Completing a risk assessment will:
- Identify possible risks in your financial institution
- Create a starting point for your risk management program
- Alert you to specific areas in which your employees should be trained
- Allow you to be proactive rather than reactive when it comes to possible risk outcomes
It’s important that you and your assessor maintain awareness of what risks and compliance obligations are applicable to your financial institution, even as changes occur; therefore, risk assessments should be completed on a consistent basis.
3 Reasons Risk Assessments Are Vital for Cybersecurity Pros
Why have risk assessments become a primary point of concern for cybersecurity professionals? Here are three reasons:
- It’s mandatory. If you work in information security, odds are pretty good that you have an obligation to assess risk. This is definitely true in the U.S. healthcare industry, where evaluation of risk is required by law. Several other industries such as legal, retail, and manufacturing have guidelines or requirements to evaluate risk periodically.
- It’s a best practice for our profession. Cybersecurity is a risk management problem, and to properly manage risk, you must first measure or assess it.
- It supports greater business objectives. Most business leaders understand risk and risk management far better than they understand technical controls or vulnerabilities—which is where far too many security professionals spend their time and energies.
Now that you have an understanding of the reasons risk assessments are important, let’s dive into the key terms.
Formal Processes for Risk Assessments
Several years ago I worked with a client to help develop a formal risk assessment process for their organization. This client has a very knowledgeable and capable security department, and they were ready to formalize a process for risk assessment and start rolling it out across the company. They were a little ashamed that it had taken them until now to create such a process, and as we talked through how the risk assessment process would work, they swallowed hard and indicated that it seemed to be a very daunting undertaking.
What they figured out is that even without a formal process or training, they’d been doing risk assessments informally for a long time. Formal methodology or not, security professionals can’t help thinking about risks – it’s how we’re wired. The client then became less concerned about how difficult it would be to conduct a risk assessment and started making a list of the initiatives that would need to be evaluated once their process was ready to go.
Security is all about managing risks.
I was a CISO for many years for two different publicly traded companies, and during that time, I came to realize that my job was to advise and educate the senior executive team at my employers about the risks facing the business so that they could make well-informed decisions.
I often went into the boardroom with my risk summary and recommendation ready to go, and regardless of whether or not the C-levels chose to execute on my recommendation, if I felt like they understood the risks of the initiative, I was satisfied that I had done my job.
There are always factors and external business influences that security professionals may not be aware of that an executive must also consider when making a risk decision.
Security leaders, do your risk homework.
Have a formal process for identifying and evaluating risks to your organization. As initiatives arise and the IT environment changes, assess the risks and seek ways to publicize those to your company executives. While you should always be prepared to provide a recommendation, be sensitive to the fact that the executives may not always choose your desired outcome.
If that happens, accept the decision and then take steps to manage the risk in the best way you can. Avoid saying no or running interference on every initiative (and don’t assess everything as a “High” risk) or you won’t be invited back to the table, and you’ll find out about important changes too late to influence their outcome.
Risks are an inevitable part of the business. As security professionals, we owe it to our organizations to stay on top of them and guide the company to an outcome that is consistent with the company’s business objectives and risk tolerance.
Risk Assessments are More Than Compliance
Today, a lot of what’s happening in the security world is driven by compliance. Companies often feel like they have to play catch up because an auditor or government agency says they have to safeguard a certain type of data, and they, therefore, spend most of their security program efforts on attaining and demonstrating a compliance status.
While compliance with security mandates is important, the real objective of a risk assessment is to help management make well-informed decisions about security safeguards that should be in place in the organization.
Risk Assessment vs. Risk Management
As a cybersecurity professional, it can be difficult to determine the difference between a risk assessment and your overall risk management program.
- Risk Assessment. Risk assessment is the determination of probable frequency and magnitude of future loss. In other words, how likely is it that certain bad things will happen and how bad might they be when they occur? One key word in that definition is “probable”—the probable frequency and probable magnitude. The estimation of probability is a key concept when dealing with risk.
- Risk Management. Risk management is the term used to define the full cycle of identifying, analyzing, assessing, and treating risks. One normally uses a risk management framework to govern that overall process.
Four Methods of Risk Treatment to Consider
There are four primary methods of dealing with risks:
- Avoidance. As an example, let’s say your company has a risky business process. The company could simply decide to discontinue (or eliminate) the business process, which would, by extension, eliminate the risk—thus, avoiding it.
- Acceptance. Assuming an entity believes the risk is within its risk tolerance, it simply acknowledges awareness of the risk “as-is” and accepts it.
- Mitigation. Risks can also be mitigated, or reduced, until they are at an acceptable level. This is often done by applying controls that lessen the likelihood and/or impact of bad things happening. The risk is lowered through mitigation, and the residual risk is accepted.
- Transfer. The classic example of this is transference through the purchase of insurance policies. In some cases, risks can also be transferred by outsourcing business processes to other companies.
Risk Assessment Best Practices
The reality is that there’s no such thing as a perfect assessment to identify and measure every possible risk – if you wait for a perfect assessment before acting, risks will go unaddressed for a long time. But there are some best practices that most organizations should think about, regardless of their particular industry or compliance requirements.
- Know that doing some kind of risk assessment is better than doing nothing. To prioritize risks, focus on the likelihood of a particular threat happening and then look at the possible impact of that threat to the organization. To put risk assessment in mathematical terms, likelihood x impact = risk. Once you have done this for each of the threats that you are evaluating, what you and other members of your management team decide are the highest risks should be the items that get the most attention soonest.
- You need to measure these risks in a regular, repeatable way over time. You shouldn’t use one approach for measuring risks one time and then a totally different approach the next time, or you won’t get an accurate understanding of risks, and you won’t be able to compare them over a period of time to determine the progress the organization has made. Use a consistent risk assessment process as well as a consistent risk rating system each time you do an assessment. Having that consistency of what you’re measuring and how you are measuring it will arm you with the information you need to help guide your organization. And after all, at the end of the day, that’s the most important thing you can do as a security professional – help your management team make well-informed decisions about security risks.
- You can anticipate changes in the risk areas and compliance requirements that may affect your organization before they happen. A great way to do this is to get plugged into a local or national trade association in your industry. You’ll hear chatter about changes that are coming, and you can factor that into your own organization’s considerations and plans. The same goes for industry publications. Often, the writers will be plugged into what’s happening and be publicizing any changes long before they occur – after all, breaking news is one of the key objectives of those in the media. Another great way to get informed is to attend conferences and events. These forums allow you to interact directly with the people involved with bringing about any changes in your industry, and they are typically the place where such new initiatives are first announced. They also offer a good opportunity to discuss those changes with colleagues in a relaxed atmosphere.
Risk Assessments Should Provide Value
One very important thing to remember regarding security risks is that they are rarely the most important issue facing your organization. Often, I encounter security professionals who forget that security risks are not all that the executive team is thinking about or accountable for.
There are other business-related factors in the organization that you may not know about that could play a role in determining the true risk of security weaknesses and whether your recommendations are implemented. Put things in perspective as best you can, and, once you’ve presented the security risks to your peers on the leadership team, rest easy. As long as you are providing quality information–and not just regurgitating geeky technical data to non-technical people who may not understand it–you’ll continue to provide significant value to the organization.
LBMC’s Risk Assessment Process
Our risk assessment process covers the three pillars of security:
- We start by interviewing key personnel who administer or oversee IT security and privacy functions.
- We review security policies, processes, IT systems, logs, and training materials to compare them to regulations relevant to the financial industry.
- We perform a variety of automated and manual assessments to assess your information security system and identify areas that could pose a threat.
We then synthesize this information into a current state assessment report and compare your financial institution’s standing to other relevant security frameworks.
Finally, we deliver an executive summary report. The report provides a clear understanding of your financial institution’s progress toward enhancing its cybersecurity posture while achieving and maintaining regulatory compliance.
Our methodology combines aspects of:
- NIST SP 800-30 Rev 1, “Guide for Conducting Risk Assessments”
- Industry threat identification resources
- Guidance disseminated by regulatory authorities
- Real-world experience conducting assessments in financial institutions of all types and sizes.
Software solutions are also available to streamline your risk assessment process with an intuitive, automated tool.
Take Control of Your Risk Management & Assessment Process
Taking all aspects of risk management into consideration can seem overwhelming, but it doesn’t have to be difficult. Contact LBMC Information Security today to schedule your risk assessment.