By Des Nnochiri
Performing a security risk assessment has become an economic and functional necessity in the digital economy. Cyber-threats, and many of the legal and operational aspects of data handling, now constitute as much of a challenge to enterprise success as effective marketing and continuous service delivery.
A strong security posture, responsible data governance, and hitch-free network administration are just some of the essentials for business success in a digital marketplace. Each of these elements is continuously under threat from a number of different vectors, ranging from direct assault to technical failures, human error, and mismanagement.
Threats, vulnerabilities, and unknown factors with the potential to adversely affect enterprise security and operations make up the risk landscape through which an organization must navigate. One of the principal tools available for doing so is a comprehensive risk assessment.
In this article, we’ll be offering recommendations on how to conduct that risk assessment with an eye for the latest business trends and strategies in this area.
Start with the Fundamentals
Before proceeding, it’s essential to first understand what actually constitutes a risk and then to identify the security risks which are relevant to your enterprise.
Risks may be defined as those known and unknown factors that are capable of having an adverse effect on the workings of your organization. In general terms, these risks may stem from your physical work environment and personnel, conditions of the market or your industry sector, connections to the outside world (including communications channels, partnerships, and the internet), or external agencies and actors.
In terms of security, the National Institute of Standards and Technology (NIST) defines risk as “a function of the likelihood of a given threat-source exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization.”
The “vulnerability” that this definition refers to might stem from an error or weakness in your organization’s security policy and procedures or their associated technologies and controls. Threats or risks must be identified and assessed in terms of their potential to disrupt operations, cause system damage, or produce security breaches by affecting or exploiting these avenues.
Taking an inventory of your data, personnel, and other aspects of your operation should be followed by a “crown jewel analysis” to identify your most highly valued or critical assets, and by building models of how data flows through and out of your organization. It’s then necessary to establish which of your assets may be vulnerable to various kinds of threats, and the nature of the threats themselves.
As a guide in constructing the risk assessment, several frameworks are available. These include:
- NIST RMF: NIST’s Risk Management Framework
- FAIR: Factor Analysis of Information Risk
- TARA: Transference, Avoidance, Reduction, or Acceptance
- OCTAVE: Operationally Critical Threat, Asset, and Vulnerability Evaluation
Remember What’s at Stake
In making your risk assessment, it’s necessary to keep in mind the potential costs associated with each of the threats that your organization faces. These costs aren’t likely to be simply financial – they may also include the possibility of disruption to your network and business operations, negative effects on product or service delivery, damage to your business reputation or brand image, and even legal repercussions.
These costs will have varying effects on the enterprise, some being more tolerable than others. So a risk assessment should include what’s known as a “risk appetite statement”, setting out your organization’s levels of risk tolerance, and establishing a formal policy to describe the level of acceptance of each risk that’s identified.
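As an added worked example (not part of the original article), the following Python sketch scores a constructed risk register using the NIST view of risk as a function of likelihood and impact, applies a risk appetite statement expressed as score thresholds, and assigns one of the TARA treatments listed above. The 1-5 scales, the thresholds, the crown-jewel scoring rule and the register entries are all constructed assumptions, not values from NIST or any other framework.

```python
# Added example, not from the article: score a constructed risk register with the
# NIST view of risk as a function of likelihood and impact, then apply a risk
# appetite statement to assign one of the TARA treatments the article lists.
from dataclasses import dataclass
# Constructed 1-5 ordinal scales; a real program calibrates them to the business.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

@dataclass(frozen=True)
class Risk:
    threat: str
    likelihood: str
    impact: str
    crown_jewel: bool = False  # flagged by the crown jewel analysis step

    def score(self) -> int:
        # Risk = f(likelihood, impact): the product on 1-5 scales (1..25); constructed rule: crown jewels count as maximum impact.
        impact = 5 if self.crown_jewel else IMPACT[self.impact]
        return LIKELIHOOD[self.likelihood] * impact

@dataclass(frozen=True)
class RiskAppetite:
    # The risk appetite statement expressed as thresholds on the score (constructed values).
    accept_up_to: int = 6             # tolerated; monitor only
    avoid_from: int = 20              # beyond tolerance; stop or redesign the activity
    transfer_max_likelihood: int = 2  # rare but costly events are insured or outsourced

    def treatment(self, risk: Risk) -> str:
        if risk.score() <= self.accept_up_to:
            return "Acceptance"
        if risk.score() >= self.avoid_from:
            return "Avoidance"
        if LIKELIHOOD[risk.likelihood] <= self.transfer_max_likelihood:
            return "Transference"
        return "Reduction"

def build_treatment_plan(register, appetite):
    rows = [(r.threat, r.score(), appetite.treatment(r)) for r in register]
    return sorted(rows, key=lambda row: row[1], reverse=True)  # highest risk first

REGISTER = [  # constructed sample register
    Risk("phishing leading to credential theft", "likely", "moderate"),
    Risk("ransomware on file servers", "possible", "major", crown_jewel=True),
    Risk("flooding of the server room", "unlikely", "severe"),
    Risk("lost unencrypted laptop", "unlikely", "minor"),
    Risk("unsupported OS on public web server", "almost certain", "major"),
]

for threat, score, treatment in build_treatment_plan(REGISTER, RiskAppetite()):
    print(f"{threat:<40} score={score:2d} -> {treatment}")
```

The output is the ordered treatment plan the article asks for under “Act on the Assessment”: each identified threat, its score, and the response the appetite statement dictates.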
Don’t forget to factor in the effects and demands of the law, industry standards, governmental controls, and regulatory compliance, as these may have a significant impact on determining security policy and establishing security controls.
Look Beyond the IT Department
It may be tempting to focus solely on the IT division of your enterprise – both as the source of the risks you face, and as the provider of solutions to mitigate their effects. But today’s economy requires a more global view and a more holistic approach to risk assessment and management.
Enterprises in the digital economy have a much wider reach than before, with infrastructure, data assets, equipment, and personnel distributed potentially across the globe and existing in an ecosystem that includes cloud resources, supply chain partnerships, internet, wireless and mobile connectivity, in addition to the more traditional landscape of the on-site data center.
In this environment, security has to become the responsibility and concern of everyone in the enterprise. This “enterprise-wide risk management” approach is now being widely practiced by many leading companies.
Assemble the Necessary Skills
With an increasingly sophisticated and continuously evolving threat landscape, risk assessment and risk management now require a more specialized skill-set – one that covers not only the technical and procedural aspects of security management, but also an awareness of the relevance and value of risk assessment to the actual workings of the business.
In practical terms, this may require the assembly of a dedicated risk assessment team, drawn from different lines of business and collectively representing those desired skills.
Get Management on Board
The involvement of top levels of management in the areas of risk assessment and risk handling is now more desirable than ever. Input is required from all levels of an organization if the key risk indicators of the business are to be identified and risk thresholds established that are acceptable to stakeholders across the board.
Act on the Assessment
Rather than being a passive process, a risk assessment must also include risk treatment plans, recommended methods of risk reduction or remediation, and plans of action that should be taken as a consequence of what’s been discovered. Having determined what’s necessary to reduce the risk of each threat, it’s also advisable to create a dedicated risk budget, allocating resources to each established line of action.
Depending on the size and nature of your organization, it may be necessary to assemble a working group or committee to oversee and review the risks, and organize the necessary implementations.
Document the Process
For purposes of internal communication and stakeholder buy-in, it’s essential to document and distribute the results of your risk assessment – especially if it contains guidelines and best practices that are intended to have a positive effect on the security practices and business operations of the enterprise.
Make Risk Assessment a Continuous Process
Finally, security risk assessment needs to be an ongoing and continuous process, reflecting changes in your working environment, the threat landscape, and the world at large. Information may be pulled in from a number of different sources (market reports, industry news, cyber-threat intelligence platforms, etc.) to assist in this.
Risk-related information also needs to be disseminated throughout your organization via security advisories, notifications, and periodic sessions of security awareness training.
In this way, it’s possible to foster and maintain an enterprise-wide culture in which security best practices, risk assessment, and risk management strategies become part of daily life.