Probably not. Whether it is a risk based cost benefit analysis, decision theory, or a formal / informal risk assessment – risk assessments are probably occurring somewhere in your organization.
One goal of I have for this blog is to make the subject matter relevant to information security folks regardless of the size of organization we may work for or the role we have within our profession. The reality is, that for those not employed by a large company or government entity that has a dedicated risk assessment group – it is too easy to assume that you do not have the time, the tools, or an advocate in place to even talk about information security let alone manage it.
So where to begin?
There are many entities or persons within an organization that perform some form a of risk assessment. The methodology, rigor, and subject matter might be different across all these groups –but decisions are being made based off risk.
Below is a list of groups or individuals that immediately stand out to me:
1. Key business executives.
2. Decision makers with fiscal responsibility.
3. Internal auditors.
4. External auditors.
5. Enterprise risk management groups / individuals.
6. Financial risk management groups / individuals.
7. General council / legal entities.
8. Capital risk management groups.
10. Others that I am probably missing.
The following thoughts are probably more geared for those that are not in dedicated information risk assessment role and maybe do not work in an organization where there is strong information risk management governance – let alone a strong information security group.
1. A quick way to learn about what is important to your leadership from a risk perspective, is to ask them what concerns them when it comes to information and security. Try to get a 15 minute meeting and ask the question. Not only are you being proactive but you will learn more about your leadership and possibly your business as a whole. The risks that most information security think of first are probably not the same risks that come up first from non-security executives. Meeting with the business leaders and business decision makers is so critical and if done appropriately can pay off in dividends.
2. Do not let yourself get tunnel vision and only think that you are alone or that only your risk issues matter. Reach out to those peer groups that also deal with risk on some form and gain insight from them. The impact (monetary loss) of risk scenarios they may be most concerned about could help you better define your approach to looking for risk issues as well as better recommend security controls for mitigating risk.
Here is a link to a PDF I Googled upon that talks about enterprise risk management. It’s a good overview of ERM for the large organization but maybe too much to digest for the small organization, so keep on reading below.
Where Can I Begin?
For those that do not work in an organization with a formal information security risk management group, identifying and managing key information security risks may seem like a daunting task. After thinking about the sophistication of the program I work within, the steps below could be a starting point for you. BTW, this should be approached in the spirit of collaboration versus the spirit of security police. I still cringe every time one of my co-workers even jokes about getting an official security badge…
1. As you review project activities or other operational activities and come across security concerns – document them. Whether it is a small database or a spreadsheet, capture the date, the security concern (or risk issue), the reason it is a risk (impact to the organization), the team or person that can facilitate mitigation, a date for follow-up, and a unique identifier.
2. Before communicating the risk issue to the appropriate parties, take a few minutes to research risk issue in question for possible mitigation techniques and to ensure it is valid – even if you are not an expert in the space you identified the risk issue. This step warrants a separate posting, but there is nothing more frustrating then what I would call the “sea gull” risk assessor – someone who swoops in, makes a lot of noise about risks, poops all over the place, and then moves on without offering any mitigation help whatsoever. In some minds, this is the different between a risk assessor and risk consultant – again – separate post.
3. Communicate the risk issue to the person(s) who can facilitate mitigation. Maybe this is via email, telephone call, or an in person meeting. The goal of this meeting should be to communicate the risk issue and attempt to get a commitment to mitigate. Regardless, leave the conversation setting an expectation of a follow-up six or twelve months out. Make a few notes on your risk issues record about the conversation you had.
4. Schedule a reminder to follow-up on this risk issue 6-12 months out (as needed).
5. Repeat as needed. Maintain realistic expectations – especially if this is truly a new initiative for you. Not all risk issues will be mitigated nor will everyone be receptive of your efforts.
There is a saying I learned in the Marine Corps which goes like this: “It is better to be tried by 12 then carried by 6″. Though a different context, the underlying message is applicable to managing information security risks even in a simple five step model listed above: trying to do the right or necessary thing and defending it is better then having not done anything and not having an opportunity to explain why.