The current state of risk assessments is in serious need of an upgrade. Risk assessment isn’t the sexiest topic, but it can’t be ignored, especially when you’re trying to pass an audit or protect your business from serious threats. It’s a fundamental concept, but one that isn’t being done well or often enough, and in many cases isn’t being done at all. A survey of InfoSec auditors found that the three most commonly missed controls in a SOC 2 audit were risk assessments, penetration tests and internal audits.
Whether it’s because the assessment is viewed solely as a nuisance, because the process isn’t understood, or something else entirely, risk assessments aren’t being done the right way – and that leads to multiple problems for businesses. A risk assessment is the only part of an InfoSec program that ties directly back to “business risks,” which is what the CEO and Board of Directors care about. So it’s too important to be ignored or done half-heartedly. It’s time for a risk assessment redo.
Understanding the risk assessment landscape
When looking at risk assessments, there are three main types of risk: financial, privacy and information security. To a certain degree, there is overlap between these three (think of it as a Venn diagram of risk), but the focus here is specifically on InfoSec risk – while acknowledging there is a crossover at times, particularly with privacy risk.
Security risk is primarily focused on the ramifications of a potential breach and what needs to be done to avoid one. In addition, the risk assessment is one of the most critical tasks for completing SOC 2 and ISO 27001 audits, since it is the source of the security controls that go into your audit scope.
What’s plaguing risk assessment
A primary issue with risk assessment is that it’s too often treated as an afterthought. It’s put into a spreadsheet, with a handful of risks outlined, and then shoved into a drawer, where it is then more or less forgotten about. A company can pull it out when an auditor or the boss asks to see it, but there isn’t necessarily a system to ensure that all the controls laid out have been implemented.
Partly because it is treated as an afterthought, many organizations then scramble at the last minute to complete their risk assessment in order to pass the audit. When this occurs, the assessment typically isn’t comprehensive: it misses many things, and it’s done in an overly accelerated, sometimes sloppy way.
The first thing that needs to happen with a risk assessment is identifying your risks, and this requires a comprehensive look. Once you’ve identified the risks, you need to decide how you’re going to mitigate them.
In addition, most risk assessments don’t include a list of specific security controls, but these are essential to show how InfoSec policy is converted into action. Instead, people up-level their mitigation plan into vague statements that are difficult to explain and even harder to operationalize. Define specific controls for each business risk, so that there is an actionable task to mitigate that risk.
Most people have no “connective tissue” validating that the controls outlined in their risk assessment have actually been implemented and remain in place at all times. For example, if you stop encrypting data at rest, the data protection risk that control mitigated is exposed again. If you care about risks, you need to make sure your controls are, as the industry puts it, “operational.” Otherwise, your original risk remains.
Three keys for a better approach
Cyber risk is too significant a reality to treat in such an offhand manner. To get back on track, use these three keys to better risk assessment and control:
- A risk library tied to strategic objectives – Spend the right amount of time thinking through all of your business risks. Most risk assessments fail at this stage, because many people don’t know which risks to consider. Fortunately, there are now automated tools on the market with comprehensive risk libraries to help if you’re unsure which risks apply to you.
- Mapping controls to risks automatically – Ensure your risks are actually reduced by defining detailed mitigating controls for each risk. If you do not know which controls to define, there are automated tools that map risks to sets of controls for you.
- Make sure you know, in real time, whether those controls are operational – You must actually prove that your controls are operational. If the assessment is just an Excel sheet in a drawer, you can’t do that. Proof means that a control has been implemented and remains operational, which means you have current evidence that the control is still in place. Again, automated InfoSec management tools take the pain out of this process by collecting evidence automatically and verifying in real time that your controls are operational.
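The three keys above describe one chain: risk, the control that mitigates it, and the evidence that proves the control is still in place. The following is an added example, not code from the original article or from any product it alludes to, that models that chain as a small risk register. It treats a control as operational only when its most recent piece of evidence passed and is fresher than a per-control maximum age, and it reports which risks are exposed again when any of their controls stops being operational, or when a risk has no control mapped to it at all. Every risk ID, control ID, evidence record and age threshold below is constructed for illustration.

```python
"""Added example: a minimal risk register with the 'connective tissue' between
risks, controls and collected evidence. All identifiers and evidence records
are constructed for illustration; nothing here comes from a real environment."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Evidence:
    control_id: str
    collected_at: datetime   # when the automated check ran
    passed: bool             # did the check confirm the control is in place?


@dataclass
class Control:
    control_id: str
    description: str
    max_evidence_age: timedelta   # older evidence no longer proves the control is operational


@dataclass
class Risk:
    risk_id: str
    description: str
    control_ids: list[str] = field(default_factory=list)   # mitigating controls


def control_is_operational(control: Control, evidence: list[Evidence], now: datetime) -> bool:
    """A control is operational only if its latest evidence passed and is still fresh.
    A control with no evidence at all is 'implemented on paper' and counts as not operational."""
    records = [e for e in evidence if e.control_id == control.control_id]
    if not records:
        return False
    latest = max(records, key=lambda e: e.collected_at)
    return latest.passed and (now - latest.collected_at) <= control.max_evidence_age


def exposed_risks(risks: list[Risk], controls: list[Control],
                  evidence: list[Evidence], now: datetime) -> dict[str, list[str]]:
    """Return {risk_id: [ids of controls that are not operational]} for every risk
    that is not fully covered. A risk mapped to no controls is reported with an empty list,
    since there is nothing mitigating it."""
    by_id = {c.control_id: c for c in controls}
    result: dict[str, list[str]] = {}
    for risk in risks:
        failing = [cid for cid in risk.control_ids
                   if cid not in by_id or not control_is_operational(by_id[cid], evidence, now)]
        if not risk.control_ids or failing:
            result[risk.risk_id] = failing
    return result


def demo() -> dict[str, list[str]]:
    """Constructed register: encryption-at-rest evidence has gone stale, the backup control
    has never produced evidence, and one risk was never mapped to any control."""
    now = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)   # fixed clock for a repeatable run
    controls = [
        Control("C-ENC", "Encrypt data at rest", timedelta(days=1)),
        Control("C-MFA", "MFA enforced on all accounts", timedelta(days=7)),
        Control("C-BACKUP", "Daily backups verified", timedelta(days=2)),
    ]
    risks = [
        Risk("R-DATA-EXPOSURE", "Customer data disclosed", ["C-ENC", "C-MFA"]),
        Risk("R-DATA-LOSS", "Customer data unrecoverable", ["C-BACKUP"]),
        Risk("R-UNMAPPED", "Risk with no mitigation defined"),
    ]
    evidence = [
        Evidence("C-ENC", now - timedelta(days=3), True),    # passed, but older than its 1-day limit
        Evidence("C-MFA", now - timedelta(days=1), True),    # fresh and passing
        # C-BACKUP: no evidence was ever collected
    ]
    return exposed_risks(risks, controls, evidence, now)


if __name__ == "__main__":
    for risk_id, failing in demo().items():
        print(f"{risk_id}: exposed (non-operational controls: {failing or 'none mapped'})")
```

The point of the example is the failure mode the article describes: nothing changed in the register itself, but because the encryption-at-rest check has not produced fresh evidence, R-DATA-EXPOSURE is reported as exposed even though C-MFA is still fine. Any control with no evidence, or with a failing latest check, is treated the same way, which is the difference between a control that was once implemented and one that is operational now.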
It’s all about mitigation
The state of risk assessments in the U.S. is lagging. Most auditors would say that most of their clients don’t even have one today, and that it remains an afterthought until the SOC 2 attestation process begins. Where assessments have been done, they are often done poorly, frequently failing to identify the right risks or enough of them. But InfoSec is all about risk mitigation: identifying what you value first, and then defining how to protect it. Use the three keys noted above to redo or initiate your risk assessment process, and you’ll be on your way to a happier board and a more secure organization.