Take Leadership ACTION When Undertaking an IT Risk Assessment

  • Posted On: 17th September 2014

No matter how mature an organization is in managing security, it is almost guaranteed that some facet of security can be improved or overhauled at any given time. So where do you begin? This is why performing IT risk assessments is a critical component of any security program. Everyone agrees that having an objective third party review the maturity of an organization's information security practices is beneficial. Of key importance, though, is making sure all parties involved handle the assessment with an approach designed to lower risk.

An effective assessment should identify both the positive and negative aspects of your security program rather than only the negative issues. Some risk assessment vendors spend the majority of their time trying to identify every unique vulnerability and process issue across every tier of the environment. While this produces a laundry list of things to do, it is equally important to assess the full security landscape against business needs and business risks so that a clear roadmap and strategy for improvement can be provided. Without this approach, it is not possible to show where security processes and technology are excessive, just right, or below par. To obtain the best value from your IT Risk Assessment, select a vendor who offers fixed-bid, fixed-deliverable engagements, as this forces accountability to deliver the results you desire.

IT Risk Assessment Remediation

During the execution of an IT Risk Assessment, it is also important that the assessment approach (whether performed internally or externally) be agile enough to shift to another area of focus once a certain threshold of findings has been reached. For instance, if the first question asked is “Do you have any security policies in place today?” and the response is “No,” then there is no reason to drill into every policy control best practice. In this situation, effort should be shifted to other areas where more value can be delivered to help the organization lower risk.

Assessing the state of IT Security is just one piece of the puzzle though. Remediation activities are where the true value of an IT Risk Assessment can be realized, but this is often where organizations fail to place the appropriate amount of effort. A remediation plan should be incorporated with any IT Risk Assessment project since there are almost always observations of weaknesses that should be addressed. Ideally, some form of remediation activities should be built into a vendor’s Statement of Work and an internal remediation project should be aligned to closely follow the assessment.

If a follow-on remediation project is prepared at the onset of the engagement, less effort and fewer politics will be required to obtain support, since the commitment will already be established. Preparing for remediation efforts in advance also demonstrates an organization’s due diligence regarding security improvements. Think of it this way: would you want to have issues identified and documented, but NOT address them? What if a breach occurred and it was discovered that an IT Risk Assessment had uncovered security weaknesses that could have prevented the breach if they had been addressed…

IT Risk Assessment Leadership

Finally, it is important that information security professionals work to become more effective leaders throughout the remediation phase. Unfortunately, many information security professionals become too defensive when the findings are released rather than focusing on improving the situation. As soon as a security professional starts making excuses for security deficits because of lack of funding, limited support from technical groups, or other political issues, they have become ineffective as a security leader. Every organization will face challenges with funding, resources, and politics when it comes to driving security initiatives, so the focus should always be on continued improvement regardless of the current state of security.

Security professionals must swallow their pride and find ways to reduce risk even when funding is difficult to acquire. Driving process improvements; promoting security awareness, education, and culture; developing security metrics reports; and becoming more persuasive in matrix-managed situations all go a very long way toward improving security. As risk is communicated more effectively to the top levels of the organization, funding will follow.

Initiating an IT Risk Assessment provides definite value. Before you start, be sure to think ahead and execute the project in the right way. The IT Risk Assessment methodology used is an important consideration, but remediation is even more critical. By treating a risk assessment as a full-lifecycle project from discovery through remediation, you will improve security, lower risk, and increase your influence.


Written by Ryan Ward

Ryan Ward is CISO at Avatier, responsible for security initiatives as well as strategic direction of IAM and security products. A sixteen-year veteran of the security industry, Ward comes to Avatier after five years with MillerCoors where he served as Enterprise Security Manager of the brewing company and USA Information Security Officer for the public company SABMiller. In those positions Ward was responsible for all Information Security initiatives for MillerCoors. Prior to MillerCoors, he served as Senior Information Security Leader at Perot Systems while supporting the Wolters Kluwer account. He previously held the position of Vice President of Information Systems for Allscripts. Ryan is also a Certified Information Systems Auditor (CISA) and a Certified Information Systems Security Professional (CISSP).