I was prompted to write this quick post this morning when I read this article.
I think it is a good example of what some (actually many, in my experience) risk management programs may be lacking, which is good-quality Risk Intelligence. In this particular case, I think the original article failed to emphasize that vulnerabilities by themselves may not mean much unless there is a good likelihood of them being exploited, which is what results in real risk. We discussed some details regarding the quality of risk assessments in a previous post.
A good understanding of information risks and their prioritization needs to be the first and arguably the most important step in any information risk management program. Yet we often see risk assessment initiatives that are not done right, or not done to the right quality. We think it is critical that a risk analysis or assessment is headed by someone, or performed by a team, that has or does the following:
1. Has a very good understanding of your environment from people, process and technology perspectives.
2. Has very good, up-to-date intelligence on the current threats out there (both internal and external) and is able to define those threats objectively.
3. Is able to clearly list and define the vulnerabilities in your environment. This will often require process or technology specialists to do a good job of defining the vulnerabilities.
4. Is able to make an unbiased and objective determination of the likelihood that the vulnerabilities (from Step 3) can be exploited by one or more threats (from Step 2).
5. Has a very good understanding of the impact to the business if each vulnerability were to be exploited by one or more threats. Impact is largely a function of the organization’s characteristics, including various business and technical factors, so it is important to involve your relevant business and technology Subject Matter Experts.
6. Based on the likelihood (Step 4) and impacts (Step 5), estimates risks and then ranks them by magnitude.
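To make the steps above concrete, here is a small added example (my own constructed model, not a tool or method from the original article) that pairs each defined threat with each defined vulnerability, scores likelihood as zero when the threat cannot reach the asset, multiplies by business impact, and ranks the result. The scales, zone names, threats and vulnerabilities are all constructed; the point it shows is that the most "severe" vulnerability on the list ends up with zero risk because no threat can reach it, while a less severe but exposed one ranks first.

```python
from dataclasses import dataclass
from itertools import product

@dataclass(frozen=True)
class Threat:                 # Step 2: a defined threat source (constructed example)
    name: str
    capability: int           # 1 (low) .. 5 (high) on a constructed scale
    reaches: frozenset        # network zones this threat can act in

@dataclass(frozen=True)
class Vulnerability:          # Step 3: a defined weakness on one asset
    name: str
    asset: str
    zone: str                 # where the asset lives
    ease: int                 # 1 (hard) .. 5 (trivial) to exploit
    impact: int               # Step 5: business impact if exploited, 1..5, from business SMEs

def likelihood(threat, vuln):
    """Step 4: 0 when the threat cannot reach the asset, otherwise a 1..5 score."""
    if vuln.zone not in threat.reaches:
        return 0
    return round((threat.capability * vuln.ease) ** 0.5)   # geometric mean, stays in 1..5

def rank_risks(threats, vulns):
    """Step 6: risk = likelihood x impact for every threat/vulnerability pair, highest first."""
    rows = []
    for t, v in product(threats, vulns):
        lk = likelihood(t, v)
        rows.append((lk * v.impact, lk, t.name, v.name))
    return sorted(rows, reverse=True)

def rank_by_severity_only(vulns):
    """The scanner-style view the post warns about: ease alone, no threat or impact."""
    return sorted(vulns, key=lambda v: v.ease, reverse=True)

# Constructed sample data; the lab rig is air-gapped, so no threat reaches the "lab" zone.
THREATS = [
    Threat("Internet attacker", 4, frozenset({"dmz"})),
    Threat("Malicious insider", 3, frozenset({"dmz", "internal"})),
]
VULNS = [
    Vulnerability("Unpatched RCE in payment web app", "payment-gw", "dmz", 4, 5),
    Vulnerability("Weak admin password on HR database", "hr-db", "internal", 3, 4),
    Vulnerability("Critical kernel bug on air-gapped test rig", "lab-rig", "lab", 5, 2),
]
if __name__ == "__main__":
    print("severity only:", [v.asset for v in rank_by_severity_only(VULNS)])
    for risk, lk, t, v in rank_risks(THREATS, VULNS):
        print(f"risk={risk:2d} likelihood={lk} {t:18s} -> {v}")
```

Severity alone puts the air-gapped lab rig first; the threat-aware ranking puts the exposed payment application first and the lab rig at zero.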
We just can’t stress the importance of steps 1-5 enough. We think it takes “Risk Intelligence” to do these steps well. Without good Risk Intelligence on your team, you may well be wasting precious time, money and resources on your risk assessments. More importantly, you may not be protecting your business as well as you could with the same budget and resources.
The guidance and content we provide in our blogs including this one is based on our experience and understanding of best practices. Readers must always exercise due diligence and obtain professional advice before applying the guidance within their environments.