Unfortunately, many businesses today don't perform risk assessments at all or they mistake vulnerability assessments or penetration tests as a proper risk assessment, says Scott Laliberte, managing director at Protiviti. And among those who do go through the risk assessment process, many fail to go back and update it as the threat environment or business models change.
"In this case, the risk assessment becomes dated and misses key issues," he says.
So the first thing to remember about risk assessments is to actually do them. The second is to update them as the world changes. But there is more to it than that. Even organizations that do perform risk assessments make mistakes and forget to factor in important elements along the way. Here are the five most likely misses and what you can do to avoid them.
1. Inherent Risk vs. Residual Risk
According to Laliberte, many organizations that do perform risk assessments fail to compare the risk before controls are applied, called inherent risk, with the risk that remains after controls are applied, called residual risk.
"They often go straight to residual risk," he says. "By comparing the inherent risk to residual risk, you can see the key controls that need to be monitored and enforced to ensure the environment remains safe."
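One way to make the inherent-versus-residual comparison concrete, as an added Python example that is not from the article or from Protiviti: it uses a constructed five-point likelihood/impact model and constructed controls, scores each risk with and without its controls, and ranks the controls by how much risk returns if one of them fails, which is the "key controls to monitor" idea in the quote above.

```python
from dataclasses import dataclass, field

# Constructed, illustrative scoring model (not from the article): likelihood and
# impact are scored 1..5, risk = likelihood x impact, and each control scales one
# or both of those factors.

@dataclass(frozen=True)
class Control:
    name: str
    likelihood_factor: float = 1.0  # 0.5 halves the likelihood; 1.0 leaves it as is
    impact_factor: float = 1.0      # same idea for impact

@dataclass
class Risk:
    name: str
    likelihood: int
    impact: int
    controls: list = field(default_factory=list)

    def inherent(self) -> float:
        # Risk before any control is applied.
        return round(self.likelihood * self.impact, 4)

    def residual(self, without=None) -> float:
        # Risk after the controls are applied, optionally pretending one is absent.
        lik, imp = float(self.likelihood), float(self.impact)
        for c in self.controls:
            if c is without:
                continue
            lik *= c.likelihood_factor
            imp *= c.impact_factor
        return round(lik * imp, 4)

    def key_controls(self):
        # Rank controls by how much residual risk returns if that control fails;
        # the bigger the gap, the more the control must be monitored and enforced.
        ranked = [(c.name, round(self.residual(without=c) - self.residual(), 4))
                  for c in self.controls]
        return sorted(ranked, key=lambda t: t[1], reverse=True)

MFA = Control("MFA on admin access", likelihood_factor=0.5)
ENCRYPTION = Control("Encryption at rest", impact_factor=0.4)
PATCHING = Control("Quarterly patching", likelihood_factor=0.7)
TRAINING = Control("Phishing awareness training", likelihood_factor=0.6)

REGISTER = [  # constructed sample register
    Risk("Customer database breach", 4, 5, [ENCRYPTION, MFA, PATCHING]),
    Risk("Staff phishing", 5, 3, [TRAINING, MFA]),
]
```

Calling `r.inherent()`, `r.residual()` and `r.key_controls()` for each entry in `REGISTER` shows, for example, that the database breach drops from 20 to 2.8 and that encryption at rest is the control whose failure would return the most risk.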
2. Interdependencies And Data Flows
Before an organization undergoes a risk assessment, it needs to have a proper understanding of the actual assets for which it is measuring risk, says Joe Beal, director of security services and CISO for CCSi. Often organizations fail to really survey their systems to find unforeseen dependencies of services or systems both inside and outside the firewall.
"For instance, you need to understand from the network perspective the interconnections, data flows, and behavior of your system in a normal state of operation," Beal says. "More importantly, having a true grasp on the type, size, and classification of the datasets that resonate in your system will play an integral role in determining and identifying true security risk to your system."
As he puts it, working to understand systems and the various inputs and outputs of their components will allow an organization to measure the true effectiveness of its risk assessment results.
3. Risk Is About Business
One of the biggest risk assessment gaffes Laliberte sees IT organizations commit is failing to involve the line of business in the process of figuring out how IT affects business processes.
"A risk assessment should look at key business and IT assets, and consider the likelihood and impact of key threats and vulnerabilities in the environment," he says. "If the results of the risk assessment do not articulate risk in terms of business impact, the projects to reduce risk are often not adequately funded or supported."
Organizations need to go a step further than that, says Torsten George, vice president of worldwide marketing and products for Agiliance. Not only do leaders from across the business need to be involved, but the vocabulary of risk needs to be normalized so that everybody is on the same page.
"Often organizations will allow different business groups to establish their own risk definitions and nomenclature," he says. "This creates significant challenges when rolling up and assessing risk across the enterprise."
He suggests using a centralized risk register or catalog that has been developed with the help of business unit stakeholders to better collaborate in the long term.
"Using a common nomenclature provides a framework to gather risk data from different business groups, and ultimately enables easier aggregation of this information," he says.
4. The Wheel Has Been Invented
Too many organizations tend to reinvent the wheel when it comes to creating that risk register and in gathering relevant information for the assessment, George says.
"Use established risk registers. Organizations often try to establish their own from scratch," he says. "Instead, apply whenever feasible industry standards, such as ISO, NIST, and COBIT, and then fine-tune these best practices to organizational needs."
Similarly, don't manually collect and manipulate data if you can automate those processes instead, he suggests.
"Risk management staff should function as risk strategists rather than number crunchers," George says. "Organizations can leverage software that automates data collection, aggregation, workflow, and reporting."
Doing so can leave risk managers to focus on deeper analysis and engagement, he says.
5. Scope Can Kill You
There is such a thing as trying to assess too much, Laliberte says. In an effort to be thorough -- or perhaps to cover their backsides -- some risk managers get too granular with their approach and try to assess every risk to every asset and every threat to the business. The problem with this, he says, is that they get bogged down and never actually finish their assessments.
"Organizations should group assets that have similar business value and face similar threats, then assess the risk to them as a group," he says. "This makes for a more efficient assessment that has a greater chance of success."