The "RISKY BUSINESS" Blog

Will the REAL Risk - please stand up, please stand up

Posted by John Verry on Tue, Oct 27, 2009 @ 02:29 PM
With apologies to Eminem ...

Had a very interesting conversation with the CISO of a Global 100 company the other day. He was concerned that there were risks the organization was not fully cognizant of, and understandably worried that one of them was going to rear its head and put them in the headlines. So the initial portion of the conversation revolved around the idea of conducting a broader Risk Assessment to ensure that all key risks had been identified.

To ensure the approach was optimal, we delved into "all things security," and I was impressed by the overall maturity of the control environment. A Systems Development Lifecycle (SDLC) methodology was in place and operational, and it integrated key security elements (e.g., Risk Assessment / Security Requirements / Security Certification) at the appropriate project phases. As the conversation evolved, we jointly realized that many of the "suspected" and most concerning risks (e.g., privileged user access to databases, source code control, ability to comply with eDiscovery requirements) were symptomatic of a single gap: the security requirements definition phase had not fully documented the requirements relating to monitoring, logging, and compliance measurement.

The result is that, rather than conducting a broad Risk Assessment, we are going to address the "suspected" risks in a more direct, focused manner while at the same time making the necessary changes at multiple points in the SDLC to ensure that the aforementioned issues are addressed.

Risk Management is by its nature circular ... so the "real" issue may require that you look at it through the back of the mirror.