Ryan Ward is CISO at Avatier. In this interview, he talks about the overlooked benefits of risk assessment, offers best practices for performing successful risk assessments, outlines the pre-requisites for becoming a risk assessment professional, and more.
What are some of the often overlooked risk assessment benefits?
Even though most organizations have a primary goal of mapping out their key risks for strategic purposes, I almost always find that an equal amount of benefit comes from the education of employees that occurs throughout the assessment process. By simply asking questions and engaging multiple groups to think about their risks, people begin to have a better understanding of their own business unit’s processes as well as the interrelationships between other business units’ processes. As business knowledge increases throughout the workforce, so do operational efficiencies.
Also, risk assessments ultimately drive key business personnel to think in terms of business risk rather than just their silo of responsibility. As they learn this method of thinking about risk, it translates into all of their business decisions. Of course, this benefits the entire organization.
Can you share some best practices for performing successful risk assessments?
First of all, it is critical that risk assessments are not performed in a box. Involvement is required from a large and diverse group throughout the enterprise to ensure accurate information is obtained. Many times, inaccurate assumptions are made because the assessors fail to reach out to the true owner or person accountable for a specific area. Making assumptions about processes or technologies without evidence could miss critical risk points.
Regarding best practices, there is no reason to reinvent the wheel since there are some established frameworks around risk management that can be leveraged. ISACA’s Risk IT Framework, Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE), NIST’s Risk Management Framework (RMF) and several others exist to help with the process. However, sometimes these methodologies can be too rigid and cumbersome.
For a one-time assessment designed to get the ball rolling on reducing risk, I believe there are some critical areas of focus that should be targeted:
- Technical Vulnerabilities – An external and internal vulnerability scan, WiFi audit and Internet services audit should be performed across the entire environment to see if there are glaring vulnerabilities that need to be resolved.
- Active Directory/LDAP/Directory assessment – The core directory should be evaluated to determine if there are account and group issues or active accounts of terminated workers.
- Process review – A gap analysis against established security management best practices should be performed.
The best risk assessments are performed with an agile approach with the ultimate goal of focusing on discovering the risk points that affect your organization. As information is uncovered throughout the assessment, there will be many opportunities to drill in deeper. Apply additional focus only to the areas that truly impact the organization. There is no reason to waste resource time on specific details that will not lower risk.
What issues risk assessment can’t address properly but IT pros think it does?
One of the biggest mistakes an organization can make is allocating resources to perform an assessment without allocating resources for remediation. An assessment provides useful information that will show where improvements can be made, but the assessment itself does not solve the problems. If you are proceeding with the risk assessment, understand that your risk profile will remain the same unless you also budget for remediation activities.
Some IT professionals still believe IT risk is primarily about security technology, and these people tend to expect overly technical findings. With this mindset, they believe an assessment is designed to identify specific technology solutions that will solve all the problems. Unfortunately, many risk-related observations are process-related and require strong leadership to resolve. While a technician can implement a configuration change to reduce risk, it takes a focused leader to drive organizational process change.
What’s the secret in making sure the results of a risk assessment are properly interpreted and subsequently implemented?
Consistency is definitely the key here. Whether the focus of a specific risk item is qualitative or quantitative, all risk points need to be evaluated with the same approach. Your organization’s determination of impact and likelihood ratings should be applied the same to ensure various risk areas can be compared equally. If this does not occur, remediation priorities can be skewed. Leveraging a third-party to perform/manage an assessment is a good way to maintain objectivity, and a third-party also serves as a mediator who can assist with the interpretation of results.
Utilizing technology to both drive an assessment and report on assessment findings is also very helpful. Technology will help enforce the execution of the assessment interview process and ensure the presentation of risk is consistent throughout.
What are the pre-requisites for becoming a risk assessment professional?
Real-world information security and risk-based EXPERIENCE.
The most efficient risk assessment professionals possess several years of information security leadership experience. They understand information technology as a whole, and they can speak intelligently with any IT department to uncover facts that point to risk-related concerns. Leadership experience is important because there can be contentious situations when certain IT groups are defensive about their area of responsibility. A risk assessment professional must be able to stay cool, maintain objectivity and decipher guarded answers to reveal the true risk to the organization.
If you are hiring a consulting firm to assist with your risk assessment, it is critical that you evaluate talent that will be used throughout the engagement. Long-term consultants tend to have a narrower view of risk because they have not lived in a corporate environment with the responsibility of truly lowering risk across all aspects of information security. Recent college graduates or professionals who have simply taken some security courses are also ineffective. What is needed is someone who has a broad view of technology and risk and can adapt questions throughout an engagement to obtain the most value for your organization.