If you asked me what the first item of business would be for me as a new CISO or CIO in an organization, my answer would be to perform a cyber security risk assessment to improve overall security management. Actually, I’d probably install an espresso maker, but risk assessments would be a close second. Having a risk assessment done involves identifying the main functions or processes in your business, then qualitatively measuring risks associated with each.
Since time and resources are limited, risk assessments should center around the most important things for your business. For example, if you are an online retailer, your risk assessment should focus on resource availability and credit card data confidentiality. If you are a health care provider, your priority would be protecting patient data and keeping real-time medical systems available.
Risk assessments are valuable because they provide a road map of vulnerable business processes, allowing you to focus your time, tools, attention, and education where the organization needs it most, or the cyber risk is highest. As a third-party risk assessor, here are some tips and tricks I’ve picked up over the years that I’d like to share with you.
1. Prepare Your Staff
If you’re having a third party perform the cyber security risk assessment, inform your staff that the assessor is coming and let them know: (this next part is important) THIS IS NOT AN AUDIT. A third-party assessor is hired by you, to help you. In other words, they work for you and are here to help you improve. A risk assessor’s job is to identify all the areas where information systems could be compromised. Sometimes I’ve had companies try to hide “dead bodies,” and I just scratch my head. I’m not here to get you in trouble for having the bodies. I’m here to help you mark them on the map and figure out a strategy for what to do with them.
2. Your Executives Probably Don’t Know Where the Risk Is
If I’m performing a risk assessment, I’ll happily talk to your executive team as a meet-and-greet and fill them in on all of the great projects you’re doing. I’ll even share the benefits of a risk assessment and evangelize how this investment will pay off for years. However, I don’t walk into their offices under any auspices that they know about the risks that exist in the organization, because 99 percent of the time they have no idea. When we’re discussing the risk assessment schedule, I’ll gladly meet with your C-suite, but I’ll spend a majority of my time with the individuals who are hands on with the information assets or systems.
3. Get Your Head into the Clouds
A risk assessment isn’t complete unless you look at your entire information system footprint, including the cloud. Avoiding scrutinizing the data and applications you use in the cloud during a risk assessment is like checking a vehicle for safety by only walking around the outside. Ensure you follow the full lifecycle of your data from creation to disposal. In many environments, that includes some sort of cloud infrastructure. Before having a third party come in, ensure they are “cloud-aware” and can help you define your cloud-based business processes and the risks that surround storing, transmitting, or processing data in those types of environments.
4. Make Sure You Have Some Humans
You can have an outstanding suite of policies with some technical controls in place, but if there isn’t at least a human, or team of humans to update the policies and provide enforcement, that’s a big risk to the organization. There’s a tough line to walk here because hiring the wrong person for a position can be just as detrimental as having a vacancy. If you’re having problems filling a CISO or Information Security Officer role immediately, consider hiring a temporary or virtual CISO (vCISO). vCISOs can run at your pace and make progress on your security goals (or help you define them) until you are able to hire a longer-term employee.
5. Construct a Living Risk Assessment Document
If you’re having a third party perform the risk assessment, ensure they provide deliverables to you in a format that allows the assessment to be updated as circumstances change. For example, if part of the deliverable is a spreadsheet, make sure there are columns where risk treatment can be documented as well as an area where controls can be updated to reflect the current situation. A risk assessment should be a living document that is updated periodically and contains your strategy for managing risk in your information systems.
6. Your Technology Isn’t Enough
It’s exciting that you have a bright, shiny new tool or technology to leverage to help protect your organization. Unfortunately, that’s not enough for a risk assessor to evaluate a business process as sufficiently protected or low risk. At some point, that tool will alert you to suspicious or malicious behavior on your information systems. What personnel are in place to handle those cases? Configurations are another sticky point. If the tool isn’t configured correctly, it might not provide the best protection.
Risk assessments are powerful tools for information security leaders. They can lay out in qualitative terms where the biggest risks to your business are. From there, you can leverage the results of a risk assessment to concentrate your time, money, and effort on modifying your people, processes, or technology to reduce the risk to a minimum acceptable level. Prioritize the espresso maker, but don’t forget the risk assessment.
Check out more information about our risk assessment services.
You can follow Ryan Clancy on Twitter @RyTheCyberGuy.