Those of us in the information security, cyber security, or data security industries are very comfortable with the exercise of completing a risk assessment. Regulation requires it for most disciplines, and those taking the progressive step of understanding their organizational risk use frameworks that build in the need for one. It comes very early in the “process”, and in most cases it repeats at least annually.
I would suggest that it is time for us to take a look at our approach to this activity, and at the results of the work. Looking at the sheer explosion of data breach events and the unwieldy number of vendors reaching out with the newest technology silver bullets, my executive lens tells me we “just ain’t doing it right”.
A few red flags that it is time to revisit your approach and maybe source a new party to perform the assessment this year:
- Does your Executive Team understand it? Can they explain it or do they require a consultant to provide a summary every time it is presented?
- Does your Board understand it? In other words, do your Directors have a clear view of the business and strategic risks presented by the information systems in place to deliver services to clients/customers?
- Within IT itself, do you even review or use the information security risk assessment (ISRA) in actual incident response, business resiliency planning, or tabletop exercises? If not, maybe it isn’t telling you anything valuable.
- Do you ever look at it between annual compliance events? If not, you’re checking a box.
- Do you simply list security software as a control, or do you also identify the data you actually have to give that software in order for it to work? An indicator of a well-thought-out ISRA is one that recognizes that each tool expands the set of data you must expose to it (increased dispersion of data).
- Be honest, would your CFO or CEO approve the budget for an assessment if an examiner or auditor didn’t ask for it?
- When you are approached with specific tools or methods to improve your risk posture, is your answer something like this: “This is a great opportunity. I see the value and think it could really help, but our auditors are not asking for it yet.”
By definition, heck, by the DNA of what a risk assessment is, a proper ISRA almost requires ongoing change. Risk is living. Most of us are not comfortable concluding that our habits may not have the impact we wish they did. In my opinion, we are at a crossroads with two choices. Either we say the threats are so big, so prevalent, and so effective that our efforts cannot stop them; or we accept that our approach to understanding our risk profiles needs to mature.