CEO Insider

Revamping Risk Assessment

Patrick Murray
Patrick Murray

As currently practiced, risk assessments need to be revamped. This isn’t a topic that typically tops the priority list, but it needs to be addressed – particularly if you’re trying to defend your business from threats or pass an audit. Risk assessments aren’t being done the right way – whether organizations view them as a nuisance or don’t understand the process – which can lead to multiple problems for businesses.

In many cases, risk assessment isn’t being done at all. The three most commonly missed controls in a SOC 2 audit are risk assessments, penetration tests, and internal audits. Of those, a risk assessment is the part of an Infosecurity program that ties back to the “business risks,” which is what the CEO and board of directors care about. So, it’s too important to be ignored or done half-heartedly. It’s time for a risk assessment rethink.

The current risk assessment backdrop

There are three primary kinds of risk in terms of assessments: financial, privacy, and Infosecurity. To a certain degree, there is overlap between these three (think of it as a Venn diagram of risk), but the focus here is specifically on Infosecurity risk – while acknowledging there is a crossover at times. 

Assessing security risk is mainly about the potential effects of a data breach and how to avoid this. In addition, risk assessments are one of the most important tasks for completing SOC2 and ISO 27001 audits, since it’s the source of what you need to include in your audit scope of security controls.

Risk assessment issues

Risk assessment is frequently seen as an afterthought or a check-the-box security item, and that’s a problem. It’s put into a spreadsheet, with a handful of risks outlined, and then shoved into a drawer, where it’s often forgotten. A company can pull it out when an auditor or the boss asks to see it, but there isn’t necessarily a system in place to ensure that all the controls laid out have been implemented.

Due to this mindset, some organizations scramble at the last minute to complete their risk assessment in order to pass the audit and get their certification. When this occurs, the assessment typically isn’t comprehensive, misses many things, and is done in an overly accelerated, sometimes sloppy way.

The first step of risk assessment is to determine what your risks are; this necessitates a comprehensive look. Once you’ve located the risks, you need to think about how you’re going to mitigate them. In addition, though most risk assessments don’t include a list of specific security controls, these are essential to show how the InfoSec policy will be converted into action. But often, people up-level their mitigation plan to vague statements that are difficult to explain and even more daunting to operationalize. Instead, you should define specific controls associated with each business risk, so you have an actionable task to mitigate each risk.

Some organizations lack validation that the risks outlined in their assessments have been mitigated at all times. For instance, if you stop encrypting data at rest, then your risks for data protection are exposed again. If you care about risks, you need to make sure your controls are what they call in the industry “operational.” Otherwise, your initial risk remains.      

A better process: three keys

Cybersecurity is too important to bolt-on at the last minute. To lay a solid foundation, use these three keys for better risk assessment and control:

  1. Automatically map controls to risks – Reduce your risks by defining detailed mitigating controls to each risk. If you do not know which controls to define, there are automated tools that map risks to sets of controls for you. 
  2. Verify your controls are operational in real-time – You need to be able to provide proof that your controls are operational. If it’s just an Excel sheet in a drawer, you can’t do that. Proof means that a control has been implemented and remains operational (which means you have evidence that the control is still in place). Again, there are automated InfoSec management tools that take the pain out of this process by automatically collecting evidence and verifying that your controls are operational in real-time. 
  3. Get a risk library that’s tied to strategic objectives – Think deeply about all your business risks. Most risk assessments fail during this stage since many people don’t know which risks to consider. 

Mitigation is the goal

The current way of conducting risk assessment needs a major overhaul. Some organizations don’t give this important step a second thought until they need to complete the SOC 2 attestation process. Those that have conducted these assessments typically do them badly, often not identifying the right risks or enough risks. Armed with the best practices described above – and making use of available automation tools —  you will be equipped to create a solid risk assessment process that will make your board and the entire organization happier and more secure.

Written by Patrick Murray.

Track Latest News Live on CEOWORLD magazine and get news updates from the United States and around the world. The views expressed are those of the author and are not necessarily those of the CEOWORLD magazine.
Follow CEOWORLD magazine headlines on Google News, Twitter, and Facebook. For media queries, please contact:
Patrick Murray
Patrick Murray is Chief Product Officer and early founding member of Tugboat Logic, the Security Assurance Platform that helps demystify and automate the process of managing your InfoSec program. He has over 20 years of experience in product management at both early-stage security startups and public companies such as Zenprise, DataVisor, and Websense. He specializes in building new companies from the ground up to thriving businesses and has built products across a variety of security areas including Web security, cloud security, mobile security, email security, data loss prevention, and online fraud prevention. Patrick Murray is an opinion columnist for the CEOWORLD magazine. Follow him on LinkedIn.