7 Steps to Start Your Risk Assessment
Risk assessment can be complex, but it's vital for making good decisions about IT security. Here are steps to start you down the path toward a meaningful risk assessment process.
October 4, 2018
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/bltc4fefe1d6a668e8a/64f0d59462fadc11bb497c83/Image_1.jpg?width=700&auto=webp&quality=80&disable=upscale)
"Managing risk is one of the most, if not the most important, functions in an organization," says Tony Martin-Vegue, enterprise security management strategist for LendingClub, a peer-to-peer lending company based in San Francisco. "It's really important to have a structured, formalized process for measuring risk, managing risk, and the entire remediation process."
If a formal process is the best way to assess and manage risk, then what sort of process should an organization use? "The most commonly used risk model is the mental model of the person waving their wet finger in the air," says Jack Jones, executive vice president of research and development at RiskLens and chairman of the FAIR Institute. "And mental models are notoriously flawed," he says. The reliance on flawed mental models is one of the many reasons Jones says that the IT industry is horrible at properly assessing risk.
How does an organization go about finding a better model and using it to figure out what their risk is? There are a number of options, from NIST SP 800-30 to aspreadsheet-based model that can be found from a wide variety of sources with a quick Google search to FAIR — Factor Analysis of Information Risk.
Large organizations will have teams dedicated to assessing and re-assessing risk on a regular basis. Small organizations may lack the team, but they will not lack the need to understand what risks IT faces and how those risks are reflected in the rest of the business units.
"I don't feel any organization can even begin to think about what it wants to do from an information security perspective without making some proper attempt at being able to understand the risks that matter most to their organization," says Zulfikar Ramzan, CTO of RSA. "I don't want this to be confused with 'expensive' or 'complex' or, you know, beyond the scope of what I think even a small- to medium-sized organization can do," he explains. "What I really mean here is try to be a bit principled trying to look at it and get a more quantitative assessment."
Getting started on this quantitative path can be confusing, so Dark Reading researched the major frameworks and spoke with Jones, Martin-Vegue, and Ramzan to get their ideas on best initial steps. We found seven steps that apply to a variety of frameworks — and that are applicable no matter where the process takes your organization.
(Image: Alexas_Fotos)
How will you define the impact of a loss? It's easy to say that dollars are all that matter, but individual stake-holders may define the impact differently. "If you think about the concept of a risk owner, that is somebody who owns the risk, somebody who essentially has their neck on the line," says Martin-Vegue. "If something goes south, this is the person that's accountable."
Measurement is important because so many of the decisions to be made around risk assessment involve multiple business units and management teams. Martin-Vegue explains, "Let's say you can implement this new product that has a ton of vulnerabilities but it also gets me all of this new revenue - it increases my business. So what should I do?" he asks, continuing, "Should I put the new product in and take the risk with cyber vulnerabilities, or should I not put the product in and take the risk of not getting new customers?
Martin-Vegue points out that these are the sorts of decisions that involve multiple stakeholders from multiple business units. Without common definitions of terms, threats, and measurements, making those decisions in a rational way is all but impossible.
Why, precisely, is the organization going through the process of risk assessment? Knowing the reasons for the exercise, and therefore the audience for the final assessment, will help guide the language decisions in the report that results. "Risk assessments and risk management always always needs to support a management decision," says Martin-Vegue, adding, "Before you embark on any risk analysis you really need to ask yourself, 'what decisions am I supporting?'"
In almost all organizations, those decisions will come down to answering questions about how to spend resources. "When you look at risk and it being multifaceted as it is, it's very easy to overspend in certain areas and underspend and others," says Ramzan. "We have to make sure we think about risk with a holistic and balanced view that enables us to spend money in the correct ways."
Spending in correct ways is ultimately a decision for the executive committee, and a rigorous risk assessment leading to a report written in business language will support that decision. Jones says, "How I think about it is this: our problem space is complex and dynamic with a lot at stake, and we have limited resources. Every dollar that goes to us is a dollar that doesn't go to growing the business or other operation imperatives, so it's critically important that we prioritize."
Why, precisely, is the organization going through the process of risk assessment? Knowing the reasons for the exercise, and therefore the audience for the final assessment, will help guide the language decisions in the report that results. "Risk assessments and risk management always always needs to support a management decision," says Martin-Vegue, adding, "Before you embark on any risk analysis you really need to ask yourself, 'what decisions am I supporting?'"
In almost all organizations, those decisions will come down to answering questions about how to spend resources. "When you look at risk and it being multifaceted as it is, it's very easy to overspend in certain areas and underspend and others," says Ramzan. "We have to make sure we think about risk with a holistic and balanced view that enables us to spend money in the correct ways."
Spending in correct ways is ultimately a decision for the executive committee, and a rigorous risk assessment leading to a report written in business language will support that decision. Jones says, "How I think about it is this: our problem space is complex and dynamic with a lot at stake, and we have limited resources. Every dollar that goes to us is a dollar that doesn't go to growing the business or other operation imperatives, so it's critically important that we prioritize."
"Managing risk is one of the most, if not the most important, functions in an organization," says Tony Martin-Vegue, enterprise security management strategist for LendingClub, a peer-to-peer lending company based in San Francisco. "It's really important to have a structured, formalized process for measuring risk, managing risk, and the entire remediation process."
If a formal process is the best way to assess and manage risk, then what sort of process should an organization use? "The most commonly used risk model is the mental model of the person waving their wet finger in the air," says Jack Jones, executive vice president of research and development at RiskLens and chairman of the FAIR Institute. "And mental models are notoriously flawed," he says. The reliance on flawed mental models is one of the many reasons Jones says that the IT industry is horrible at properly assessing risk.
How does an organization go about finding a better model and using it to figure out what their risk is? There are a number of options, from NIST SP 800-30 to aspreadsheet-based model that can be found from a wide variety of sources with a quick Google search to FAIR — Factor Analysis of Information Risk.
Large organizations will have teams dedicated to assessing and re-assessing risk on a regular basis. Small organizations may lack the team, but they will not lack the need to understand what risks IT faces and how those risks are reflected in the rest of the business units.
"I don't feel any organization can even begin to think about what it wants to do from an information security perspective without making some proper attempt at being able to understand the risks that matter most to their organization," says Zulfikar Ramzan, CTO of RSA. "I don't want this to be confused with 'expensive' or 'complex' or, you know, beyond the scope of what I think even a small- to medium-sized organization can do," he explains. "What I really mean here is try to be a bit principled trying to look at it and get a more quantitative assessment."
Getting started on this quantitative path can be confusing, so Dark Reading researched the major frameworks and spoke with Jones, Martin-Vegue, and Ramzan to get their ideas on best initial steps. We found seven steps that apply to a variety of frameworks — and that are applicable no matter where the process takes your organization.
(Image: Alexas_Fotos)
About the Author(s)
You May Also Like
CISO Perspectives: How to make AI an Accelerator, Not a Blocker
August 20, 2024Securing Your Cloud Assets
August 27, 2024