The Risk Conversation
By Sean Atkinson, Chief Information Security Officer
Our normal day-to-day business activities often don’t involve a specific focus on information security or on making good decisions based on risk and controls. Risk management duties are often assigned top-down through the hierarchy, and as this happens, the roles and responsibilities that make up risk management may slip through the cracks. It is here that we must identify the stakeholders of risk management, as well as those within business processes who can make the difference between a foiled attack and a catastrophic security incident.
Risk and the organizational culture
A common mistake: risk elicitation (or risk gathering) and defining the underlying threats to an organization may only ever be discussed at senior levels within the organization. It may not be until a security assessment or penetration test discovers a vulnerability that a risk is uncovered. Wherever possible, a better solution is to implement a collaborative intake process to identify risks throughout all levels of the organization.
Question: Do you regularly poll internal stakeholders for their opinion about risk or use scenario-based discussions to identify risk?
This relates back to an earlier blog post about using the CIS Controls to discover gaps in security that could be articulated as risks. The process I defined is intended to start the conversation with those responsible for implementing those controls technically, operationally, and/or physically.
Getting to the scenario response
As we analyze risk, the intake can take many forms, starting with simple questions such as:
- How is our network at risk?
- What is the biggest risk you see to the network?
- How would this particular risk occur?
- Can we stop a malware outbreak, and what is our response time?
- If we were to download a malicious file, what is our mean time to detection, response, and eradication?
The aim here is to ask questions that require a scenario response, a deeper dive into an answer rather than just “yes” or “no.” In future posts, I will discuss fault tree review, a technique that uses a starting scenario and an engaged audience to uncover risks across business processes, technical functions, and operational controls.
The process of risk management can be intimidating at first, but by asking a few questions, you can begin to develop a baseline and understand the threats facing your organization.