
How to (really) add value to business with IS risk analysis

27.07.2018

Risk analysis – very few standards and legal/regulatory requirements in information security universe go without it. Can it be used for something else besides getting a certificate or avoiding regulatory fines?

So, you've decided to run information security risk assessment. Most likely you’re a company’s CISO or a member of a bigger security team.
 
It's likely that your company is striving to comply with legal or regulatory requirements like GDPR, PCI DSS, NIS Directive or some security standard, such as ISO 27001. 
 
All these legal and regulatory frameworks, as well as information security standards, are based on risk assessment, since it is the only approach which allows companies to formally assess and document their overall exposure to information security threats and formally prove how well they manage their risks. Basically, it allows us (or should allow us) to formally “measure” how secure we are, from a wider perspective than any single control.
 
Ok, so you’ve got yourself reputable consultants to support you throughout the process. Your assessment methodology of choice has some clever math to ensure reliable and consistent results. You went through numerous workshops and got some great looking reports in return, with nice colors and smart charts.
 
And you’ve paid a pretty penny for all of that.
 
Compliance requirement: risk assessment – check!
 
However, is that all you can get from the risk assessment?
 
You can take another, more proactive angle on the whole process and use risk assessment as a powerful tool to enable positive changes within your organization, make it more secure and perhaps, the management’s favorite, save some money in the process.
 
I’ve seen some good and bad examples of how risk assessment is put to use throughout my consulting / auditing career. Very often, the risk assessment ends up as a complex process which requires lots of resources, but unfortunately produces results which do not provide the expected value for the company.
 
Here are some thoughts on how to get something more out of it besides meeting compliance requirements (and getting a shiny report, of course) and use it to get your company to take information security a bit more seriously:
 
1. Tailor the methodology to IT environment specifics
 
People tend to conduct overly generalized assessments. A “server” can be a Windows or a Linux server, each having its own set of specifics, vulnerabilities and exposures. Talk to your IT staff or get external help if you don’t have the technical expertise. Keep an eye on major vulnerabilities announced by vendors of equipment key to your company. Understand the threat landscape. Exposure to hacker attacks won’t be the same for a large, well-known bank and for a grocery store. Generalization is tempting because you’ll get the assessment done quickly and without much effort, but you’ll get equally generalized results and you won’t know what to do with those.
 
2. Always put risks within business context
 
Some things are sadly all too familiar. Risk assessment is performed as if IT or infosec were an island isolated from the rest of the company. Every laptop, server and application has a purpose – to help the company do its business – and people conducting assessments tend to forget that. Actual risk impact is much more than the value of an IT component. Also, key stakeholders within the company will have a much easier task understanding the risk if you present it as something like “our sales will come to a halt for a couple of days and since we make X transactions worth about Y on average per day, that means Z amount in lost revenues should the risk materialize” rather than “the server is gonna blow up because of some Star Trek stuff”. You’ll get far fewer “what a geek!” looks. Maybe you’ll even get some money to fix that vulnerability that’s been bugging you for so long.
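To make the X · Y · days reasoning concrete, here is a small risk-register model, added as an illustration and not part of the original article: each IT component is tied to the business process it supports, and entries are ranked by business impact instead of by component value. The assets, figures and the assumed recovery times are constructed sample values.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    """One risk-register entry tying an IT component to the business process it supports.
    All figures are constructed sample values, not data from the article."""
    asset: str
    process: str
    component_value: float   # replacement cost of the IT component itself
    tx_per_day: int          # X: transactions the process handles per day
    avg_tx_value: float      # Y: average value of one transaction
    outage_days: float       # assumed recovery time if the asset fails (constructed)

def lost_revenue(risk: Risk) -> float:
    """Z = X * Y * days: revenue the business stops earning while the process is down."""
    return risk.tx_per_day * risk.avg_tx_value * risk.outage_days

def business_impact(risk: Risk) -> float:
    """Impact as the business sees it: replacement cost plus stalled revenue."""
    return risk.component_value + lost_revenue(risk)

def rank_by_business_impact(register: list) -> list:
    """Order entries by business impact, not by asset value.
    Returns (asset, component value, business impact) tuples, highest impact first."""
    ranked = sorted(register, key=business_impact, reverse=True)
    return [(r.asset, r.component_value, business_impact(r)) for r in ranked]

# Constructed register: the expensive storage array tops the list by component value,
# but the cheap web server outranks it once the sales it carries are counted.
REGISTER = [
    Risk("web-shop-01", "online sales", 2_000.0, 500, 40.0, 3.0),
    Risk("san-array", "internal file shares", 60_000.0, 0, 0.0, 2.0),
    Risk("hr-laptop", "payroll", 1_200.0, 20, 150.0, 5.0),
]

if __name__ == "__main__":
    for asset, value, impact in rank_by_business_impact(REGISTER):
        print(f"{asset:12} component value {value:>10,.0f}  business impact {impact:>10,.0f}")
```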
 
3. Talk to people
 
You’ve done your homework and learned something about the business context. Now it’s time to go out and spread the word. Assessment results won’t be very useful if you just archive them once you pass the certification audit. Use the results to promote security awareness within your company. Organize some workshops on how to do things the right (secure) way. Make a nice PPT for department heads. Give ‘em a real life story on why keeping the entire HR database on a single laptop instead of shared storage is a bad idea. I’ve read some reports on research showing that almost 80% of security incidents at least partially originate from low awareness and neglect of security rules. Work on that. Most likely you’ll boost your reputation within the company too.
 
4. Confirm the results
 
The very nature of the risk assessment is POTENTIAL risk impact. And you’ll want to get some money to implement decent security measures. It may be a difficult pill to swallow for some people, who may be reluctant to make big decisions based on some abstract assessment. Get an audit or perhaps a pen test. Your claims will have much more weight once you have a confirmation from a neutral party.
 
5. Be a part of the solution, not just the problem
 