Ruminations on Risk Assessment

08/08/2014  |  By: Mark Burnette, CPA, CISSP, CISM, CISA, CRISC, CGEIT, ITIL, QSA, Shareholder, Practice Leader of Risk Services


I worked with a client that had asked us to help them develop a formal risk assessment process for their organization. This client has a very knowledgeable and capable security department, and they were ready to formalize a process for risk assessment and start rolling it out across the company. They were a little ashamed that it had taken them until now to create such a process, and as we talked through how the risk assessment process would work, they swallowed hard and indicated that it seemed to be a very daunting undertaking.

At that point, I asked them about some unusual situations that I knew had occurred in their organization over the past several months, and, of course, they came to realize that they had been doing risk assessments informally for quite some time.

Formal methodology or not, security professionals can’t help thinking about risks – it’s how we’re wired. The client then became less concerned about how difficult it would be to conduct a risk assessment and started making a list of the initiatives that would need to be evaluated once their process was ready to go.

Security is all about managing risks.

I was a CISO for many years for two different publicly traded companies, and during that time, I came to realize that my job was to advise and educate the senior executive team at my employers about the risks facing the business so that they could make well-informed decisions.

I often went into the boardroom with my risk summary and recommendation ready to go, and whether or not the C-levels chose to execute on my recommendation, if I felt that they understood the risks of the initiative, I was satisfied that I had done my job.

There are always factors and external business influences that security professionals may not be aware of, and an executive must also weigh those when making a risk decision.

Security leaders, do your risk homework.

Have a formal process for identifying and evaluating risks to your organization. As initiatives arise and the IT environment changes, assess the risks and find ways to communicate them to your company executives. While you should always be prepared to provide a recommendation, be sensitive to the fact that the executives may not always choose your desired outcome.

If that happens, accept the decision and then take steps to manage the risk in the best way you can. Avoid saying no or running interference on every initiative (and don’t assess everything as a “High” risk) or you won’t be invited back to the table, and you’ll find out about important changes too late to influence their outcome.

Risks are an inevitable part of business. As security professionals, we owe it to our organizations to stay on top of them and guide the company to an outcome that is consistent with the company’s business objectives and risk tolerance.

Mark Burnette is a partner in the Information Security practice at LBMC, a premier Tennessee-based professional services firm. Contact Mark at mburnette@lbmc.com or 615-309-2447.