DEFENSESTORM BLOG
Tuesday, August 23rd, 2022
Cyber risk assessments can be painful, and anyone who has been through one knows it. Here is how to reframe the way you think about them, along with some fresh approaches worth considering.
If you’ve ever been involved with cyber risk assessments, you know just how painful they can be. They rank right up there with audits in terms of not being fun. For those of you who like hot peppers, it’s akin to the Ghost Pepper at the top of the Scoville scale. Once the assessment is done, you probably feel like filing it away and not looking at it until the following year, just to avoid triggering painful memories! Unfortunately, in the real world, new threats don’t conveniently occur on an annual schedule.
If the assessment is not kept complete and current, however, your institution develops blind spots to new and emerging risks. But what if your risk assessments didn’t have to be so painful? Let’s look at your Information Security Risk Assessment as an example. Imagine a new reality where the risk assessment process is fully integrated into your cyber monitoring solution, providing a continuous opportunity to identify and measure risks. Sounds pretty good, right? Getting there is possible, but it does require us to first reframe how we think about cyber risk assessments and consider some new, fresh approaches:
Assessing risk should not be a one-and-done event you do every January and forget about until the new year. Risk is not static, and your cyber security risk assessment shouldn’t be either. Realistically, we identify and respond to new and emerging risks on a daily basis. As such, we should adopt a continuous cycle of maintaining up-to-date risk and internal control registers. This continuous approach can be leaps and bounds more effective than the one-and-done approach that leaves you with a laundry list of remediation items once a year. By the time you get around to some of the items on that list, they may no longer be relevant, which means you’re spending precious resources on an outdated assessment. The continuous approach provides proactive, timely insight into areas that need improvement. That supports dynamic planning, which in turn allows for better budgeting, better resource allocation, and a continuously up-to-date roadmap for maturing your program and improving your security posture.
Enterprise Risk Management is a regulatory focal point for a reason. Viewing everything in silos is not effective. Maintaining up-to-date, integrated registers can break down silos and help you identify and manage interconnectedness and interdependencies across the organization. Consider this scenario: Information Technology, Information Security, Vendor Management, and Fraud each reference the same control in their respective risk assessments. A control can be used in multiple areas of the institution and for varying reasons, but it is ultimately the same control. Is it identified as such? Does that one control have a single profile that is leveraged by the various departments, or is it being treated as four different controls with four different owners and four different scores? Integrated registers across multiple risk assessments allow you to maintain one profile per control. That single internal control profile can then be assigned to multiple risks and be evidenced from multiple different systems. This enables accurate, consistent scoring of control effectiveness, and that score is then applied the same way wherever the control is relied upon, so a weakness discovered in one department’s evidence is immediately visible in every risk that depends on the control.
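The single-profile register described in the two paragraphs above, as an added example that is not DefenseStorm’s code or part of its product: one control record is referenced by risks owned by four departments, evidence flows in from more than one system, evidence older than a freshness window stops counting, and a drop in one feed changes the residual score of every risk that relies on the control. All control names, risk IDs, owners, inherent-risk values, evidence sources and the scoring rule are assumptions constructed for the illustration.

```python
"""Added example, not DefenseStorm's code: a minimal integrated risk and
control register.  Every control has exactly one profile, a risk references
controls by ID, and effectiveness is scored from evidence that several
systems feed in continuously.  Names, numbers and the scoring rule are
constructed assumptions for the illustration.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List


@dataclass
class Evidence:
    system: str      # assumed source system, e.g. "IdP" or "SIEM"
    observed: date   # when the checks were run
    passed: int      # checks that passed
    total: int       # checks performed


@dataclass
class Control:
    control_id: str
    name: str
    evidence: List[Evidence] = field(default_factory=list)

    def effectiveness(self, today: date, stale_after: timedelta = timedelta(days=30)) -> float:
        """Fraction of checks passed across all fresh evidence.  Evidence older
        than stale_after is ignored; a control with no fresh evidence scores 0.0,
        so an unevidenced control never looks effective by default."""
        fresh = [e for e in self.evidence if today - e.observed <= stale_after]
        total = sum(e.total for e in fresh)
        return 0.0 if total == 0 else sum(e.passed for e in fresh) / total


@dataclass
class Risk:
    risk_id: str
    owner: str             # department that owns the risk (assumed)
    inherent: float        # inherent risk, 0.0 .. 1.0
    control_ids: List[str]


class Register:
    def __init__(self) -> None:
        self.controls: Dict[str, Control] = {}
        self.risks: Dict[str, Risk] = {}

    def add_control(self, control: Control) -> None:
        # One profile per control: a second registration of the same ID is a silo, not a control.
        if control.control_id in self.controls:
            raise ValueError(f"duplicate control profile {control.control_id}")
        self.controls[control.control_id] = control

    def add_risk(self, risk: Risk) -> None:
        unknown = set(risk.control_ids) - self.controls.keys()
        if unknown:
            raise ValueError(f"risk {risk.risk_id} references unknown controls {sorted(unknown)}")
        self.risks[risk.risk_id] = risk

    def record_evidence(self, control_id: str, ev: Evidence) -> None:
        self.controls[control_id].evidence.append(ev)

    def risks_using(self, control_id: str) -> List[str]:
        return sorted(r.risk_id for r in self.risks.values() if control_id in r.control_ids)

    def residual(self, risk_id: str, today: date) -> float:
        """Residual risk = inherent risk left uncovered by the weakest referenced control.
        Taking the minimum is an assumed rule: one failing control leaves the risk exposed."""
        risk = self.risks[risk_id]
        weakest = min(self.controls[cid].effectiveness(today) for cid in risk.control_ids)
        return risk.inherent * (1.0 - weakest)

    def snapshot(self, today: date) -> Dict[str, float]:
        return {rid: round(self.residual(rid, today), 4) for rid in self.risks}


def demo(today: date = date(2022, 8, 23)) -> Dict[str, object]:
    """Constructed walk-through: four departments rely on one MFA control."""
    reg = Register()
    reg.add_control(Control("CTL-MFA", "MFA enforced on all interactive logins"))
    reg.add_control(Control("CTL-LOG", "Authentication events forwarded to SIEM"))
    reg.add_risk(Risk("IT-01", "Information Technology", 0.8, ["CTL-MFA"]))
    reg.add_risk(Risk("IS-07", "Information Security", 0.9, ["CTL-MFA", "CTL-LOG"]))
    reg.add_risk(Risk("VM-03", "Vendor Management", 0.7, ["CTL-MFA"]))
    reg.add_risk(Risk("FR-02", "Fraud", 0.6, ["CTL-MFA"]))

    # Baseline: the identity provider reports 98 of 100 accounts enrolled, SIEM feed healthy.
    reg.record_evidence("CTL-MFA", Evidence("IdP", today - timedelta(days=1), 98, 100))
    reg.record_evidence("CTL-LOG", Evidence("SIEM", today, 100, 100))
    baseline = reg.snapshot(today)

    # A second system (privileged access management) reports only half of its
    # accounts covered; the shared profile pulls every dependent risk up at once.
    reg.record_evidence("CTL-MFA", Evidence("PAM", today, 50, 100))
    after_pam = reg.snapshot(today)

    # A glowing but 60-day-old report does not rescue the score: stale evidence is ignored.
    reg.record_evidence("CTL-MFA", Evidence("IdP", today - timedelta(days=60), 100, 100))
    after_stale = reg.snapshot(today)

    return {"baseline": baseline, "after_pam": after_pam,
            "after_stale": after_stale, "shared_by": reg.risks_using("CTL-MFA")}


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```

The point to notice is the second snapshot: a single evidence record from one system moves the residual score of all four departments’ risks, because they point at the same control profile rather than four private copies. The freshness window and the "weakest control wins" aggregation are design choices; a production register would tune both and would normally weight evidence by source, but whatever rule is chosen, it should be applied once, in the control profile, not separately in each assessment.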
Putting your best foot forward never hurt anyone. When presenting your cyber risk assessments to an audience, whether it is the examiners or the Board, make sure the document highlights where you shine. Set the tone for the reader by leading with mature, well-designed, and effective control systems. Consider highlighting areas where significant improvement has occurred and a tangible impact was made. A risk assessment does not have to be all gloom and doom (“look at all these scary things that could happen”); it can be a success story of how far you have come, or a testament to the sound design and implementation of your controls.
And we’re not talking about the happy hour everyone attends to celebrate a completed risk assessment. You do all this work for something, and that something is not just to check a box. This exercise has purpose and value. Take the results and mature your program. Make it stronger and more resilient. Did you identify gaps in controls? Were you able to better communicate the need for additional investment in certain areas? That’s GREAT! You now have actionable insight into your program to arm you in conversations with executives or the Board about the need for additional headcount or new technology. That’s a WIN!
Cyber security risk assessments are a critical component of the risk management cycle. Would you ignore a blind spot while driving? Or do you check multiple angles to make sure you’re safe before changing lanes? Conducting risk assessments is the same. Of course you want to know when there is an unidentified risk, and to be able to spot gaps in your program in real time! Ignorance is not bliss when it comes to risk management, so make sure you have the processes and tools that let you see those gaps as they appear. When you start seeing your risk assessment as something that greatly benefits your organization, it can provide immeasurable value. Another plus: your examiners will notice your new approach to the risk assessment process. It will positively influence the way they view your institution’s risk culture and, ultimately, that Management rating!
In a few weeks, I’ll share part 2 of this blog series. It will highlight what this new approach could look like as you think about your information security processes and solutions, as well as the outcomes and benefits you can expect. Feel free to contact us to discuss your specific situation and learn more about how we think about cyber risk.