How to perform a risk assessment: Rethinking the process

Feature
Jun 26, 2018 | 7 mins
Data and Information Security, Risk Management, Security

New regulations and a changing threat landscape mean you need a different approach to your security risk assessment process.


The world has changed significantly in the past two years, and so have the rules around assessing cyber security risk. A combination of greater digital business penetration, a wider array of risks, and bigger consequences of cyber threats has made the world of risk management both more complex and more important than ever.

Sadly, word hasn’t yet gotten out that risk management is an essential part of today’s business operations. According to a PwC study cited by Silicon Republic, 40 percent of Irish companies are failing to do any risk assessments whatsoever.

Gartner’s IT Risk Management report from last summer tried to address the growing complexity of this space and divided the market into seven different segments, including auditing, vendor risk management and operational risks. It presented a magic quadrant of ten vendors, including ServiceNow, Dell/RSA Archer and others. They recognized that the market is evolving rapidly as IT buyers are looking for more comprehensive solutions that can be deployed across a wide range of conditions and workflows. 

Things are moving so quickly that even a year-old report is somewhat outdated. Let’s look at these changes and then discuss what you can do to improve your processes, change your organizational structure, and be better prepared to understand and address future cyber risks to your business. 

Change #1: Security is now everyone’s concern

Information security is now the concern of the entire enterprise, no longer the exclusive domain of the IT department. “Until 18 months ago, most companies viewed cyber-based risks as strictly under the purview of their IT departments,” says Charles Jacco, a principal at KPMG’s security services practice.

“It really is the ultimate cross-functional challenge for today’s business,” says Sean Convery, vice president and general manager for the Security Business Unit at risk management vendor ServiceNow. “This means managing risk has gotten more complex than when everything was wholly contained within the IT department.”

As companies have moved more of their business services and products online, the consequences have become corporate-wide. “Services are now managed by different parts of the organization, which means that data silos are ending and risks are getting more complex,” says Convery. Add to this the trend of malware threats becoming more complex, more targeted and more difficult to detect. A data breach can now affect everyone in a business, ruin customer and partner relationships, and harm shareholder value in public corporations.

Change #2: Businesses are increasingly subject to tighter governmental controls

This ups the risk ante as well as the eventual price tag should data leaks occur. Companies can face significant fines, not to mention public shaming and reputation loss. This doesn’t mean that corporations should be managing risk just for compliance reasons, which was typical behavior from several years ago. It needs to be part of any company’s overall operational DNA.

Change #3: Cyber risk assessment now requires a unique skillset

While overall business risk management is taught in every business school in the world, understanding cyber risk requires a unique combination of skills and experiences. “This cuts across multiple lines,” says Inga Goddijn, vice president at Risk Based Security, a risk analytics vendor. “IT security managers shouldn’t be solely responsible for making strategic decisions about acceptable risk levels. Organizations need to invest a lot of time and thought into what to do to be secure enough, and understand the processes involved.”

David Froud, who often blogs about this topic, has written, “Security out of context has no business benefit.” The challenge is finding staffers who come with that context already. He also complains that risk assessments are often done at the end of a project rather than at its start. “It’s far too specialized and has never been seen as a true value-add to the business.”

Process improvement to better assess risk

IT security management staff now must better understand risk in terms of the overall business and security context. To do this, they need to work with other stakeholders to properly prioritize those risks and redefine the role they play in quantifying and monitoring risks. That will take the form of the following steps:

Step 1: Get management buy-in

There needs to be better buy-in at the top levels of the business, including the board of directors. Froud suggests a multiple-step procedure to map your business assets to processes as a way to establish a “risk register” that all stakeholders can agree on.

“We need to separate risk management from the day-to-day operational job of the CISO. Businesses need more checks and balances here,” says Jacco. He suggests the creation of a new position called “chief risk officer” that reports directly to the CEO or CIO and is always part of board of directors’ meetings. This person should have the task of figuring out key risk indicators of the business and setting thresholds that the business can accept.

“We need to bake in cyber risk management into every other business risk and then the CISO needs to figure out how to deliver that level of service and security.” Ryan Layton, CEO of Secuvant Security Services, a risk management service provider, says, “Many companies are addressing cybersecurity from a technical perspective. We believe it needs to be under the risk management umbrella and executive led.”

Mike Lettman, the Arizona state CISO, understood that he needed to get the buy-in from all of his state agency heads early on when he was shopping for a new risk management tool. “Everyone is resistant to change, but you have to learn how to tell the whole story about why and how this is important and be able to build trust to help our constituent agencies to protect their own assets and show the value of what you are trying to do.” After he installed his risk management system, he says they found more than 20,000 vulnerable systems across their IT networks alone. “We had all sorts of configuration problems.”

Step 2: Do more periodic vulnerability assessments

It is time to turn the conversation away from what is or isn’t included or how it is measured, and instead implement something that is consistent and corporate-wide. “Understanding the business landscape is the best factor for managing risk,” including cyber-based risks, says Layton. This means knowing what drives your business and the risks that have the most impact on your business.

“Vulnerability assessment is just a meaningless buzzword,” says Arizona’s Lettman. “No one uses it consistently and you need to understand what is actually included in the activity anyway. Ideally, an assessment should go into more detail, and show you not just which devices are patched and applied correctly, but whether or not the configuration of the device has been corrected as well. Risk management is more about a deliberate, consistent and complex activity. It takes dedication and discipline.”

Step 3: Perform continuous, not discrete, risk assessment

For many businesses, the principal software tool for managing risk was a list of projects in Microsoft Excel that was manually updated and distributed irregularly. That doesn’t cut it anymore. “We are nowhere near this level for the majority of businesses,” says Jacco. “Most of our clients are just now starting down this route. The issue is that businesses are no longer static entities with discrete production releases every quarter. Nowadays, they interact with their customers more frequently and do so across different devices such as web and mobile. You also see daily or even hourly software updates. The app that I rolled out two hours ago isn’t the same as the code that I had in production this morning. That means you have to continuously assess risk.”