**cue Jerry Seinfeld stand-up voice** “What is the DEAL with not wanting to do a risk assessment?”
Lately, the Beryllium team and I have heard a lot of rumblings about risk assessments. Most frequently, statements like, “They are expensive”…“They are time consuming”…“It’s not a requirement”…“A risk assessment doesn’t provide much value”. I hear all of these comments and they make me cringe. Not only are they inaccurate, but some of them are outright lies.
Maybe it’s just me, but when I am running an information system, I want a second set of eyes on it because I know that I am not infallible. But I am getting ahead of myself…
An information security risk assessment is a chance to get another opinion on the configuration of your systems. Usually, you are going to want the opinion of an expert, but I have seen folks who just want that basic “second set of eyes” in the event they miss something. Either way, a periodic risk assessment gives your organization, at the very least, a glance at how it is performing regarding information security known best-practices.
At its best, a risk assessment can provide expert insight into your organization’s information security posture, combining a list of issues with guidance for remediating known vulnerabilities and deprecated practices. That’s the one I like, because it does provide value for the organization. It would be like going to the golf course with a pro, having them analyze your game for 18 holes, and afterwards creating a plan to improve your game dramatically. You don’t become a better golfer overnight, but the improvement comes from following that high-level plan and making the suggested corrections.
By every angle and view, this is a great tool for us to get better at doing security…as an organization!
Let’s answer some of those questions/kvetches as we need to.
“We don’t need a risk assessment” – As far as I know, this is fundamentally wrong if you have to comply with most modern information security standards. The state of your network may not change, but the state of security and attacks changes constantly. Essentially, doing no work on your network means that its security is degrading and will eventually be completely deprecated. That is why every information security standard that I know of requires a risk assessment at least annually and upon any major configuration change to the network.
“We can do a risk assessment ourselves” – While this is absolutely true for most information security standards, let’s dive a little deeper. Organizations are able to have a person from within perform an information security audit on systems and processes, but the audit needs to be performed by an independent assessor or 3rd party. What this means is that you must have someone who is not associated with operating or maintaining the network or information system perform the audit on the system. Why? Organizations have to do their best to avoid the “fox guarding the hen-house” scenario.
While most IT professionals are stalwart folks who work hard to keep the operation running, there are some shady individuals in the mold of Dennis Nedry from “Jurassic Park” who, left unchecked, could wreak havoc on network operations…without realizing the impact on the organization. Or worse, there are instances of individuals who flat out have malicious intent.
Last but not least, as mentioned before, we are all human, and that means mistakes will happen. The risk assessment is a great opportunity to discover any of the discrepancies that may have occurred since the last time someone took a granular look at the effectiveness of security implementation within the organization.
“It’s not a requirement” and “it doesn’t provide much value” really come down to who you are talking to. If you are looking for expertise, speed, and accuracy, the organization may have to pay a little more for the assessment. Generally speaking, however, the benefit of a good information security risk assessment clearly outweighs the cost of simply ignoring the organization’s security situation, and in most cases it is one of the costs of compliance.
Beryllium InfoSec Collaborative is an information and cyber security firm that uses a holistic approach to an organization’s security objectives. Every organization is unique, thus their security needs are unique as well. We work to understand what organizational information/data needs to be protected, and develop solutions with positive outcomes based on those specifics. We don’t believe in the methodology of “this is how we do things, so this is how you have to do it” when it comes to your security. We believe that your business, employees and customers deserve the best protection.