Last Updated on April 28, 2021
The “Goldilocks and the Three Bears” Approach
I’m sure most people are familiar with the children’s tale of “Goldilocks and the Three Bears.” What does that have to do with security risk assessments? I’ve found that when it comes to assessing information security risk (e.g., as a preliminary step toward ISO 27001 certification), many organizations elevate comparatively minor security risks too high, and/or rank a significant security risk too low. Rarely do I encounter an organization that gets it “just right” after the first security risk assessment.
This isn’t surprising, as risk assessment is highly subjective, and one of the few ways to inject objectivity into the process is through direct experience. Frameworks, models and matrices also help support objectivity, but even these supports often just serve to “structure the subjectivity” so it’s less arbitrary. This is especially the case when security risk assessment falls mostly on the shoulders of one person, often the CSO or CISO.
Many times, security risk assessment is happening in the first place because a company may be filling a Chief Security Officer (CSO) or Chief Information Security Officer (CISO) role for the first time, or there’s a new person in the position who wants to shake things up. In these situations, it seems that with this new responsibility comes a drive to uncover every possible risk and give it heightened importance—it’s a little like a three-alarm fire.
Risk assessment by committee also creates subjectivity challenges. “Group-think” can develop in some organizations, making it hard for them to see significant security risks lurking right under their noses.
Wearing Multiple Hats and Other Challenges
For example, because I’m not only an InfoSec professional but also a lawyer, I frequently work with clients in the legal vertical. Recently I performed an internal audit for a large law practice with multiple offices. At one of their smaller workplaces, where only about 7-10 people were working, the suite was completely open. On the receptionist’s desk out front was a bell and a sign saying, basically, “Ring bell for service.”
The risk committee had rationalized this, saying, “This is a small office and everyone knows everyone. A stranger would be questioned by someone.” I flagged this as a nonconformity because it was an obvious and significant physical security issue that the client just wasn’t seeing. What if the “someone” you were depending on to enforce security was out at lunch, or in the bathroom? To cite just one of many attack scenarios, an interloper could opportunistically assess that situation, bolt in quickly, grab a laptop containing sensitive data off a desk—and there’s your breach.
Another challenge in any security risk assessment process is that the InfoSec media as well as the popular media tend to hyperbolize certain high-profile IT risks that many organizations aren’t likely to face. Most businesses won’t be targeted by nation state actors or hacktivists, for instance. But while they’re looking in that direction, plenty of them will fall victim to opportunists poised to steal and sell confidential data, exploit the processing power of their servers or extort money through ransomware.
A final challenge with risk assessment is that some significant security risks just aren’t on the radar. With the SolarWinds megahack in recent news, we are left to wonder why can’t our industry do a better job addressing the red-alert third party risks that certain vendors pose?
Well, it seems that as organizations outsource many or all parts of their IT and make heavy use of cloud services, their cybersecurity relies even more on those of their suppliers. Couple the number of challenges faced in managing cybersecurity with nation-state supply chain attacks and it can likely feel overwhelming to maintain the health and security of your business. So what can you do?
Consider strategies like operating your industrial infrastructure in a zero trust model that can help mitigate damage done, not just against the SolarWinds compromise, but against ransomware or other malware attacks. Consider how well you know your networks, and if you know what there is to protect. Think about security monitoring and protections in your OT environments. Consider emergency response playbooks for cyber incident response. Consider safety concerns if an attack impacts your operations, or your regulatory compliance.
Ultimately, these are all difficult questions with complex answers,
How do you predict and defend against a security risk like that? This is one of those areas where unbiased professional experience is helpful in identifying and assessing risk.
Learn more about security risk assessment:
- Balancing Objectivity and Subjectivity in Risk Assessment
- Has Your Business Correctly Assessed Its Information Security Risks?
- Rationalizing Risk Assessments—Objectivity Be Damned?
- The OWASP Risk Rating Methodology, which is designed to help estimate the actual risk associated with vulnerabilities
- Guidance from ISACA on performing a security risk assessment
- Intel’s threat agent risk assessment methodology, which “distills the immense number of possible information security attacks into a digest of only those exposures most likely to occur.”
Contact a Security Risk Assessment Expert
To get expert, objective guidance to support an informed risk assessment process so you can get it “just right” in a time- and cost-effective manner, contact Pivot Point Security.