Risk Assessment Q&A

The scale of what risk assessments cover varies based on the provider, in your opinion, what should impactful risk assessments include?

While risk assessments vary by scope and methodology, some focus areas are common across all types. All risk assessments must address the risk “equation”; roughly, threats times vulnerabilities times impact equals risk. A risk assessment must consider the threats to an organization, which may be sector- or enterprise-specific. Are they more at risk from nation-state interest? Are criminal syndicates hitting the industry hard? Are there certain personalities involved in the organization that draw the interest of hacktivists? How are their controls structured? Are there policies in place? Do they embrace cyber hygiene? What happens if the controls fail? What happens if the controls that are protecting sensitive data fail? It must explore where the organization is lacking in cybersecurity defenses and consider the cost to the organization if threats were to act on those vulnerabilities.

What are the steps of a successful security risk assessment model?

A successful risk assessment model solves that equation in a manner that is clear to the organization and provides prioritization to address the level of risk. Often it will be based on a specific cybersecurity framework such as NIST or ISO, or aligned with a specific cybersecurity regulation such as NYS-DFS. Ultimately, it must be a clear and coherent model for the organization to understand the process and the output.

What challenges do risk assessments help solve?

Most organizations have a general sense of their cybersecurity posture. They know about bad decisions they have had to live with, shortcomings of their systems, and challenges that others in their sector face. Risk assessments allow the organization to consider its posture through the lens of risk, which can be clarifying and objectifying. An organization may conceptually recognize that poor software development management is a risk for them. However, if a risk assessment identifies that as an area of concentrated risk such as the types of data they manage on that software, it can make this risk more tangible. Organizations know where they have problems: the priority of the problems is often the unknown factor.

Why are regular security risk assessments important?

Risk changes. Threats shift, new vulnerabilities are introduced, and important systems change in their impact prioritization. Organizations that regularly perform risk assessments (at least every two years) can adjust their plans to address changing variables.

What is the value in a third-party conducted risk assessment vs. an internal risk assessment?

I compare it to the challenges of self-editing. When you review your own work, you are prone to fill in gaps, make assumptions, and fail to see what it looks like from the outside. An external reviewer will make fewer oversight mistakes and provide the added value of non-bias. They are not attached to specific projects, nor do they have a stake in outcomes the way internal teams might. Additionally, an external reviewer can leverage experience assessing similar sizes or types of organizations and help an organization better understand threats and possible impacts.

How are security leaders using risk assessments to justify budget requests?

Risk assessments let security leaders organize their investments by risk, which is a very compelling way to indicate prioritization. Risk isn’t the only justification; sometimes you need to make investments to support business needs or meet an obligation. However, when a security leader is asked, “Why are you spending money here?” a risk assessment identifies the need and how the investment will address the need, putting them in a much stronger position.

Where do risk assessments and regulatory maturity compliance overlap?

Risk assessments and regulatory maturity compliance assessments overlap because both are looking to assess the strength of controls. In maturity compliance assessments, the focus is on the controls concerning the expected level of regulatory or framework maturity. This is important, especially when addressing regulatory or stakeholder concerns. Where a risk assessment differs is that it will analyze the maturity of the controls in light of the additional variables such as threat and impact. This analysis adds the appropriate prioritization, which is critical for planning remediation efforts after an assessment.
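As an added illustration of the distinction above (example code, not part of the original Q&A or any K logix methodology), the following contrasts a maturity-only ranking of control gaps with a ranking that multiplies the same gaps by threat and impact. The 1–5 scales, thresholds and sample findings are constructed assumptions.

```python
from dataclasses import dataclass


# Constructed 1-5 ordinal scales (an assumption for this example; a real
# assessment defines its own scales, weights and banding thresholds).
@dataclass
class Finding:
    name: str
    control_gap: int   # 5 = control absent, 1 = control mature (the "vulnerability")
    threat: int        # 5 = actively targeted, 1 = little adversary interest
    impact: int        # 5 = critical data or systems affected, 1 = negligible


def risk_score(f: Finding) -> int:
    """Threat x vulnerability (control gap) x impact, the risk 'equation'."""
    return f.threat * f.control_gap * f.impact


def risk_band(score: int) -> str:
    """Map a 1..125 score onto a constructed high/medium/low banding."""
    if score >= 60:
        return "high"
    if score >= 20:
        return "medium"
    return "low"


def maturity_ranking(findings):
    """Compliance view: order findings by control gap alone."""
    return [f.name for f in sorted(findings, key=lambda f: -f.control_gap)]


def risk_ranking(findings):
    """Risk view: order the same findings by threat x gap x impact."""
    return [f.name for f in sorted(findings, key=lambda f: -risk_score(f))]


# Constructed sample findings for a hypothetical organization.
FINDINGS = [
    Finding("No formal secure SDLC policy", control_gap=5, threat=2, impact=2),
    Finding("MFA not enforced on admin accounts", control_gap=3, threat=5, impact=5),
    Finding("Backups untested for a year", control_gap=4, threat=4, impact=5),
]

if __name__ == "__main__":
    for f in FINDINGS:
        print(f"{f.name}: score={risk_score(f)} ({risk_band(risk_score(f))})")
    print("maturity order:", maturity_ranking(FINDINGS))
    print("risk order:    ", risk_ranking(FINDINGS))
```

The weakest control (the missing SDLC policy) tops the maturity list but drops to last once threat and impact are factored in, which is the reprioritization a risk assessment adds for remediation planning.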

How should security leaders leverage risk assessment results in executive and board-level meetings?

The first thing everyone should consider with a risk assessment is what the output will tell executives and board members. Is the risk high because the threat environment is high, my controls are weak, or the impact is significant? It is key to reverse engineer the top level (number of high-risk findings, etc.) and explain it in light of the organization’s risk story. The best security leaders can use a risk assessment to justify further investments, support current programs, and reduce liability if larger business decisions incur risk. Risk is part of all business decisions, and risk assessments allow security leaders to talk about cybersecurity risks with greater clarity, evidence, and rationality.

How does K logix help?

We offer white-glove security risk assessments custom-tailored to customer-specific requirements. Our assessments are mapped against industry-standard frameworks and informed by years of in-depth experience. Our goal is to help organizations best identify, act on, and improve what they are doing in their security program.

