A show of hands: how many of you reading this have done a risk assessment, but felt that after it was completed it was never going to be used for much? I have done many and the results often fall on deaf ears. I have tried a variety of methods, used various tools, and done pretty much everything but stand on my head to get the results noticed. Then I realized what was missing: relevance.
I figured this out when I took a class on Operational Risk (see the excellent book written by Tony Blunden and John Thirlwell). I learned a method of assessing risk that provided context into the risk, possible controls, and costs, all within a quick turnaround time.
The method can be done in person with the stakeholders so they too can have the ‘ah ha’ moment and understand why the risk is important and what it will take to fix it. The process can be done to address as many risks as are in scope for your assessment, and an actionable plan can be easily created from the results for tracking and remediation.
Choose Your FrameworkThe process starts with a simple scenario based on your choice of framework. As you work through it, you will notice that it closely resembles threat modeling (which it does). However, threat modeling always used to be a challenge for me in that coming up with the risks out of the blue is sometimes difficult. With this model, you can pick a known framework or top-10 list and choose a risk that is very applicable.
To illustrate, let’s run through a quick example. Using Gartner’s Top 10 Security Predictions, randomly pick three numbers. I pick 2, 7 and 10. When applied to the Top 10 list, these turn out to be:
By 2020, a third of successful attacks experienced by enterprises will be on their shadow IT resources.
By 2019, 40% of Identify as a Service (IDaaS) implementations will replace on-premises Identity and Access Management (IAM) implementations, up from 10% today.
By 2020, more than 25% of identified enterprise attacks will involve Internet of Things (IoT), though IoT will account for only 10% of IT security budgets.
A scenario derived from these three risks may be: The shadow IT organization has set up IoT devices to authenticate through the company’s IDaaS without a plan to patch the devices.
Applying Controls to RiskOnce you have agreed that this is a risk, you can start applying controls to the risk to see how much or how little the risk is reduced to an acceptable level.
The final key to any assessment is to ensure that your message is packaged appropriately. This doesn’t mean to dumb it down, but it means to present it in a clear fashion with facts to sell your story. Busy slides or slides that aren’t easy to follow alienate the audience to the point where you won’t be able to get traction on remediating the risks.
The lesson in my risk assessment journey is truly this: if you cannot make others relate to the risks you are showing them, they will be ignored. The good news is this is not an impossible task and with some practice can be implemented quite easily and effectively.
(About the author: Kristy Westphal is a senior manager, security tools, at Charles Schwab and a member of the ISACA. This post originally appeared on her ISACA blog, which can be viewed here )
