What Makes Risk Assessments So Unpleasant and How to Change That

Author: Ryan Cloutier, CISSP
Date Published: 22 July 2022

“I would love to complete a security risk assessment,” said no one, ever. Many people would agree that performing and reviewing security risk assessments are not particularly enjoyable, especially for IT and security teams that are already overworked, understaffed and burned out. According to one survey, 45% of senior cybersecurity professionals are considering leaving the industry because of the high stress levels that accompany their positions.1

There are several seemingly obvious reasons why security risk assessments are usually dreaded by both the organization being assessed and the person conducting the assessment. Security risk assessments require considerable time and energy to complete and can often be catalysts for miscommunication and internal blame games.

Still, a risk assessment is an essential tool for painting a picture of an organization’s cybersecurity risk and ensuring that it has the right defenses in place. The good news is that there are ways to make risk assessments less burdensome. It is worth examining 3 of the most significant issues with risk assessments today and what can be done to resolve them.

Risk Assessments Are Cumbersome and Narrow

The majority of risk assessments take far too long to complete. If an assessment requires weeks or months, it is likely far lengthier than it needs to be. Unfortunately, such intensive risk assessments have ruined assessments for everyone else. Many enterprises avoid conducting them simply because they have heard horror stories about how much time other organizations have spent doing so.

Oftentimes the level of rigor of a risk assessment does not align with the organization’s risk tolerance. If an organization is comfortable with a certain level of risk, traditional risk assessments may not take that into account and instead force the organization through hoops that waste time, resources and money. But organizations that decide to manage the process themselves via labor-intensive manual spreadsheets put themselves at a disadvantage.

The risk assessment process can be streamlined by taking the time to identify an organization’s risk tolerance. In addition, using a risk assessment platform that can be automated, integrated and customized to the organization’s unique needs simplifies the process and results in a stronger assessment.

In addition to unnecessary length, many risk assessments are much too narrow. For instance, they might be too specific in terms of technical requirements or include questions that are not applicable to the organization or industry being assessed. Not only can this be frustrating for the person completing the assessment, but it also tends to add unnecessary complexity.

For example, consider a medium-sized organization that must answer a question about whether it has a firewall in place. The person handling the assessment (usually someone in a business-oriented role) will likely say yes. But if the next question asks whether a managed service provider is managing the firewall and, if so, how, the same businessperson is unlikely to know such details and may choose “yes” or “no” in a rush to finish the assessment. This results in a much less accurate assessment that is based on conjecture rather than facts.

The remedy? Context. A one-size-fits-all risk assessment will not work because no two enterprises are the same. The criteria evaluated for a small- or medium-sized business (SMB) are going to be different than what is evaluated at a very large enterprise. For example, schools require a different set of contextual clues than a state government does. To this end, it is critical that each organization works through a risk assessment based on its particular circumstances and industry sector.

Risk Assessments Present a Language Barrier

Another glaring problem with most risk assessments is that they are written in highly technical language. An assessment may be filled with jargon that the average person—including whoever is reading the report and determining next steps—is unlikely to know. The disconnect in language is extremely common and is notorious for resulting in security vulnerabilities.

Consider a risk assessment that is written in highly technical terms and presented in the boardroom. The chief executive officer (CEO), interpreting the assessment through the lens of profit and loss, hears the chief security officer (CSO) say she needs budget to invest in a variety of security measures that were identified as sources of risk in the assessment. But, since the information was presented in technical terms, the nuances of why these measures matter and how they would positively impact the enterprise are lost on the CEO. So, what happens next? The budget is likely to be denied and the organization is left without proper security protections in place, making it that much harder for the security or IT team to effectively protect the organization.

The remedy is proactive translation of the assessment. The risk assessment should be written by humans for humans, rather than in nuanced language that only employees in technical roles can understand. For example, a CEO may not be able to understand the technical terms that could impact their risk decisions about cybersecurity investments but can recognize the value of protecting their organization from a ransomware attack. If a risk assessment is meant to help an organization make smarter business decisions, the assessment must:

  • Align with the organization’s mission, value and goals
  • Use language reflective of the industry the organization operates within (e.g., a risk assessment for a hospital should use the nomenclature of the healthcare industry)
  • Provide objective and actionable takeaways so it is clear what the next steps are for improving the organization’s security posture
  • Continuously measure and track the organization’s security maturity

Risk Assessments Fail to Provide a Path Forward

Risk assessments have a poor reputation because they are often interpreted as a failure report. Of course, few people would be enthusiastic about receiving a list of technical problems that might not be their fault and, worse yet, that no one knows how to address. Unfortunately, this is how many risk assessments are constructed. They identify problems without providing a clear road map for implementing solutions.

The remedy is to include defined next steps in the assessment. A thorough risk assessment identifies security gaps, but it also describes specific actions that can be taken to fix them. For example, an organization may have an incomplete or inaccurate inventory of devices and Software-as-a-Service (SaaS) services, or it may lack detailed information about the value of such assets. The chief financial officer’s (CFO’s) computer might have access to more valuable data than a marketing coordinator’s machine. To remedy this, conducting a comprehensive risk assessment will provide business leaders with a go-forward plan addressing all areas of risk including people, processes and technology. This helps them make more effective decisions about how they manage risk and assign budget.

By conducting a detailed risk assessment that has taken into account these various business considerations, leaders are able to identify next steps for improving the security posture of the organization. The risk assessment should provide manageable, achievable and prioritized actions in a list ordered by most pressing to least pressing. This level of clarity and guidance is crucial in transforming a risk assessment from being merely an exercise to a tool that delivers true and lasting value.

There is no shame in agreeing that, historically, risk assessments have not been fun. But it does not have to be this way. By understanding the 3 fundamental flaws of most risk assessments today, one becomes empowered to fix them. The end result is better security that protects sensitive data and risk assessments that are much more pleasant.

Endnotes

1 Deep Instinct, Voice of SecOps 2022, 2 June 2022

Editor’s Note

Hear more about what the author has to say on this topic by listening to the “What Makes Risk Assessments So Unpleasant and How to Change That” episode of the ISACA® Podcast.

Ryan Cloutier, CISSP

Is president of SecurityStudio, an enterprise focused on helping underserved markets simplify cybersecurity. Cloutier is a passionate cybersecurity thought leader with more than 20 years of experience tightening organizations’ security postures.