For a long while, companies in highly regulated industries were the main ones to undergo security risk assessments. But, that has dramatically changed in recent years. Today, risk assessments are critical for every business, from K-12 schools and government entities to hair salons and the donut shop down the street. Everyone needs them, but unfortunately — no one likes them. In fact, many organizations have come to dread the entire process. If a business is in need of a risk assessment — and trust me, they all are — and the security team is already stressed about what’s to come, read on for six ways it can be improved.
Understand the organization’s greatest risks and start there.
The entire point of a risk assessment is to identify security gaps in order to create a plan to remedy them. Different businesses have different needs, which means they’ll have different security priorities. Yet, many risk assessments are structured in a one-size-fits all format. The first step in making risk assessments more palatable (and valuable) is to figure out what is most important to each individual business.
For example, let’s consider an apple orchard. Getting adequate water to the trees is one of the top priorities, meaning that the systems that provide the water are a top priority. As such, they’re also one of the orchard’s greatest risks. A well-prepared risk assessment should factor this in, and make sure that the systems that deliver water to the orchard are the ones that are safeguarded first. Locking down the computer an administrative team member uses to make social media posts, on the flip side, might be a less of a priority in this case and therefore further down the list of things to focus on.
Be clear about risk tolerance.
Just like one organization’s greatest risks won’t be the same as those of the next organization, their appetite for risk also varies. Again, most risk assessments don’t take this into account. Instead, each entity is treated as if it’s able to withstand the same severity of risk as the next organization.
Of course, that isn’t the case. I work in cybersecurity, which means my tolerance for risk is higher than most other business practitioners. Whereas having my name, title and business address plastered all over presentations and websites is fine with me, teachers are not going to provide the same level of personally identifiable information (PII) about their students. Security professionals must be clear about the organization’s risk tolerance, and about which pieces of the business are mission-critical in order to ensure their risk assessment is accurate and useful.
Keep it simple (and human).
Another major problem with most risk assessments is that they’re confusing, way too long and far too technical. Even though IT folks are often the ones conducting the assessments, it’s almost always business folks who are reading them and making plans to act on them. This creates a language disconnect that can be incredibly harmful to the security mission, as executives are less likely to approve measures they don’t understand — especially if they’re expensive.
We have to make sure a risk assessment is appropriately thorough for each business, but doesn’t go far deeper than needed. A thorough and appropriate risk assessment should take two to four hours to complete in total, not weeks or months. Also, find out how the report is presented. Does it convey risk through the lens of business impact? The findings that are given should be prepared in such a way that a layperson within each industry could grasp them easily and quickly.
Streamline the process — and delegate.
The mechanics of completing a risk assessment are usually a big part of what makes them dreadful. Practitioners have to build spreadsheets, initiate secure file transfer requests for data, sort evidence, ensure version control, keep everything organized and translate it all into something useful at the end. Not only is this cumbersome, but it’s also downright overwhelming.
Risk assessments have to be comprehensive to be effective, but that doesn’t mean they can’t be simplified to save everyone time, spare them headaches, and give them a true understanding of what the organization’s risk really looks like. This is why it’s important to conduct a risk assessment that streamlines the process from start to finish. Ideally, the assessment team should help figure out how to delegate who answers which part(s) of the assessment and what the quickest way is to make that happen.
Go beyond compliance.
If you’re in an industry bound by compliance (e.g. education, government, medical, insurance, finance, defense, etc.), remember one thing: compliance does not equal security. Read that again. While being compliant does not immediately mean your organization is secure, a secure organization will always result in better compliance. This isn’t to diminish the importance of compliance, but rather to emphasize the importance of taking additional risk reduction measures beyond your compliance checkbox.
The security team should absolutely conduct Payment Card Industry (PCI), Health Insurance Portability and Accountability Act (HIPAA), Family Educational Rights and Privacy Act (FERPA), CJIS and other assessments, but then need to take the opportunity to improve and optimize your security posture outside of them. By stepping back and taking a more holistic approach to the way risk is assessed and managed, organizations will be positioned to achieve their goals while also maturing and improving their programs.
Get clear on next steps.
Finally, one of the biggest gaps in most risk assessments is that they’re not actionable. They provide a list of everything that’s wrong about an organization’s current practices, but no roadmap for how to make changes. This is not only frustrating, but also completely ineffective and a waste of a good risk assessment.
Make sure that whomever is providing the risk assessment not only gives the outcome of the assessment, but takes the time to help identify a path forward to improve the organization’s security posture. Remember in steps 1 and 2 of this article we talked about risk prioritization and risk tolerance. The provider that’s conducting the risk assessment should take those things into consideration when putting together a highly customized plan for what should be done next. Ideally, they should prioritize actions that can be taken to improve security so the security team can implement measures based on what will deliver the greatest impact and is most manageable.
With the way most risk assessments are set up and conducted, it’s completely understandable why so many businesses, schools, state and local governments and nonprofits dread them. It doesn’t have to be this way. Take the steps outlined here to move toward a smoother risk assessment process and much tighter security. Get ready to breathe easier.