There is a wrong way to do everything!

This write-up is a follow-on to the blog post about what business and cyber professionals need to do to establish an organization's risk profile. If you have not read it, I encourage you to do so, as the information serves as a foundation for today's discussion on risk assessments. 


Now back to our regularly scheduled activities! 


Usually, performing cyber risk assessments is where the rubber meets the road. Many cyber professionals see this single body of work as one of the main objectives of their job. What's more, an entire industry has been developed around assessing cybersecurity risk, and this industry will only grow! 


Today, we will beat the horse some more only because we have to! After all, risk assessments are pretty significant, seeing that they provide business stakeholders with a detailed view of their ongoing cyber risk posture. Moreover, a risk assessment can determine how much an organization is likely to invest in its cyber program. It is also foundational to the follow-on steps in the risk management lifecycle. With so much riding on this activity, we must get it right and deliver value in the best way possible! 


What is a Cyber Risk Assessment? 


If you have been reading my blogs for any time, you know I like definitions. Let's cut through the noise and review the formal definition of cybersecurity risk assessment: 


Cyber Risk Assessment: The process of identifying risks to organizational operations (including mission, functions, image, reputation, organizational assets, individuals, other organizations) and the nation resulting from the operation of an information system. 


Yes, the scope of the assessment should be that broad. As a rule, many major corporations are developing systems, products, and services tightly coupled with their nation's critical infrastructure. 


Remember: Cyberspace is the battlefield of tomorrow! Don't forget! 


Is a risk assessment the same as a vulnerability assessment? 


No way, but this is a perfect interview question! It will catch some people off guard as many professionals view the two as synonymous. Of course, a vulnerability assessment is a vital component of assessing risk; however, using the result of a vulnerability assessment alone is not inclusive of all dangers an organization faces. 


A vulnerability assessment allows us to identify known vulnerabilities in a system, whereas a risk assessment looks at how system vulnerabilities and other threat vectors expose the organization to destabilization. 



What should we do? 


After establishing the organization's risk profile, we should analyze how a successful attack would impact the Confidentiality, Integrity, and Availability of services and data. We would then rank and stack the criticality of each system risk based on the harm it could do to business operations. 


For example, a company might have an air-gapped laptop that runs Windows 97 and hasn't been patched in a decade. From a security perspective, the computer is up crud's creek without a paddle! However, the company judges that replacing this one system poses more risk to operations than keeping it poses to security. They keep it around despite the operating system being at end of life and have air-gapped it to mitigate the threat it poses to the organization's cyber risk posture.


This example illustrates how a company might identify and manage its cyber risk. The illustration also shows that vulnerability assessments are sometimes of little use on their own. Many organizations rely on antiquated systems to deliver their products and services, sometimes because of cost and other times because no viable replacement exists for what they currently have. This is why it is vital to truly understand the risk that compromising a system, or the information it manages, poses to the organization's business activities. Without this understanding, we tend to over-engineer security solutions, limiting our value add! 
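To make the laptop example concrete, here is a small added example (not code from the original post) that ranks a constructed risk register two ways: by raw scanner severity and by business risk, where risk is likelihood after compensating controls multiplied by the worst-case impact on Confidentiality, Integrity, or Availability. The scoring scale, the control reductions, the assets and the numbers are all assumptions constructed for illustration, not figures from the post or from any framework; each entry also carries the business objective it traces to, so the "why" behind its ranking is recorded.

```python
"""Added example: rank a constructed risk register by business risk, not scanner severity."""
from dataclasses import dataclass


@dataclass
class Risk:
    asset: str
    objective: str          # business objective the risk traces to (constructed)
    vuln_severity: float    # 0-10, what a scanner would report (constructed)
    likelihood: int         # 1-5, chance the threat vector is exercised before controls
    impact_c: int           # 1-5, business impact if confidentiality is lost
    impact_i: int           # 1-5, business impact if integrity is lost
    impact_a: int           # 1-5, business impact if availability is lost
    compensating_controls: tuple = ()


# Assumed likelihood reductions per control; an air gap removes most remote vectors.
CONTROL_LIKELIHOOD_REDUCTION = {"air-gap": 3, "mfa": 1, "network-segmentation": 1}


def effective_likelihood(risk: Risk) -> int:
    """Likelihood after compensating controls, never below 1 (residual risk remains)."""
    reduction = sum(CONTROL_LIKELIHOOD_REDUCTION.get(c, 0) for c in risk.compensating_controls)
    return max(1, risk.likelihood - reduction)


def business_impact(risk: Risk) -> int:
    """Worst-case impact across the CIA triad drives the business view of the risk."""
    return max(risk.impact_c, risk.impact_i, risk.impact_a)


def risk_score(risk: Risk) -> int:
    return effective_likelihood(risk) * business_impact(risk)


def rank_by_risk(register: list) -> list:
    """Rack and stack by business risk, highest first."""
    return sorted(register, key=risk_score, reverse=True)


def rank_by_severity(register: list) -> list:
    """What a vulnerability assessment alone would put at the top."""
    return sorted(register, key=lambda r: r.vuln_severity, reverse=True)


# Constructed register: three assets with made-up figures.
REGISTER = [
    Risk("air-gapped legacy lab laptop", "keep a legacy test rig running", 9.8, 5, 1, 2, 2, ("air-gap",)),
    Risk("customer billing portal", "collect revenue on time", 6.5, 4, 5, 5, 4, ("mfa",)),
    Risk("internal wiki", "share procedures internally", 7.5, 3, 2, 2, 1),
]


def report(register: list) -> str:
    lines = ["By scanner severity: " + ", ".join(r.asset for r in rank_by_severity(register))]
    lines.append("By business risk:    " + ", ".join(
        f"{r.asset} (score {risk_score(r)}, supports '{r.objective}')" for r in rank_by_risk(register)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(REGISTER))
```

The scanner puts the unpatched laptop first, while the business-risk ranking puts it last: the air gap pulls its likelihood down and a compromise would barely touch an objective the business cares about. The billing portal, with a milder scanner score, tops the risk ranking because the impact column is tied to revenue. Swap in your own scale and control reductions; the point is the ordering, not the specific numbers.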


Tragic! 


The business comes First! 


I have to reiterate that as security professionals, we should work to be business enablers. Avoid the propensity to become scan-i-am or the risk rainmaker. When you communicate issues to your business partners, try to frame them in ways that they can understand. Also, look to communicate the problem in relation to things that they care about. If we fail to do these things, we will continue to be viewed as the function of no, and nobody likes a negative nerd! 


Moreover, when performing the risk assessment, attempt to identify and validate each risk by aligning it to the organization's business impact analysis. If your organization has not profiled its risk, encourage it to do so! Be sure to let them know that you will not be able to effectively categorize the information security risk to the business without it! Tell them that the business comes First! This one statement will win you some friends in high places and provide your company with a solid foundation for its security architecture.


A note on traceability! 


Traceability is essential in all aspects of work intended to establish and maintain control. Without traceability, we will find it challenging to communicate our position regarding identified risk. We will often face a series of whys when providing our business partners with cyber solutions. And they are right; the why is always the most critical question. Do the work and make your suggestions traceable to the organization's needs and to industry-approved frameworks and methods. 


You will thank me later! 



Conclusion: 


There is a right and a wrong way to perform a risk assessment. The right way requires aligning vulnerabilities and threat vectors to organizational needs. The wrong way is getting mired in technical details such as the list of vulnerabilities produced by scan-i-am. The technical details are essential, but enabling the business to achieve its objectives is more important. You will be a rockstar if you can trace your risks and solutions to these objectives! 


What are your thoughts on performing risk assessments? Has your organization taken responsibility for defining its business risk and communicating it to your cyber organization? I'd like to hear your thoughts on the topic. 


Until next time, let's work to develop cyber solutions that keep business First! 


By Gideon Israel April 17, 2022