The current state of risk assessments is in serious need of an upgrade. Risk assessment isn’t the sexiest topic, but it can’t be ignored, especially when you’re trying to pass an audit or protect your business from serious threats. It’s a fundamental concept, but one that often isn’t done well, and in many cases isn’t done at all. A survey of InfoSec auditors found that the three most commonly missed controls in a SOC 2 audit were risk assessments, penetration tests and internal audits.
Whether it’s a matter of being viewed solely as a nuisance, or not understanding the process, or something else entirely, risk assessments aren’t being done the right way – and that can lead to multiple problems for businesses. A risk assessment is the only part of an InfoSec program that ties back to the “business risks,” which is what the CEO and Board of Directors care about. So, it’s too important to be ignored or done half-heartedly. It’s time for a risk assessment redo.