Q: I just started as a new Chief Security Officer. I am constantly bombarded with questions on why the security department needs to conduct continual risk assessments. I have three main issues. First, how do I communicate the value of continual risk assessments to get management's buy-in?
A: Great question. In many corporations, organizations and governmental entities there is often a pattern of behavior in which, if nothing goes wrong, or at least nothing has gone wrong for a long period of time, it is assumed there really is no need for advances and improvements in security or for identification of the respective risks. Obviously, this is not a good pattern to get into; the value of conducting continual risk assessments is critical because of the ever-changing environment that organizations encounter.
Every organization and its respective departments have varying risks. These risks influence how the organization achieves its objectives and goals, thereby affecting the profitability and value of the organization. While many organizations may dedicate an enormous amount of time to identifying the risks that could impact the business, it is also important to measure and prioritize risks so that the organization can respond to any given situation appropriately, efficiently, and effectively, ensuring the least amount of operational loss.
A Comprehensive Security Risk, Threat and Vulnerability Assessment offers an organized and systematic approach to assessing the risks of the organization and, in doing so, provides an informed decision-making baseline for determining a particular course of action. This "all-hazards" approach provides the analytical framework for risk management. A security risk assessment should identify the key assets that need to be protected and how critical each asset is to maintaining the current business course. This requires looking at each asset with regard to human resources and infrastructure.
Q: Can you explain a little more what is meant by a Comprehensive Risk, Threat and Vulnerability Assessment?
A: So many times practitioners in our profession associate doing a security risk assessment with concentrating on only one segment of the overall process. For example, security practitioners may focus on the electronic aspects of physical security instead of understanding the overall security program viewpoint that is part of a corporate risk strategy.
Comprehensive Risk, Threat and Vulnerability assessments involve not only physical, informational and operational security but also a business impact analysis coming from each business unit. This is important because it gives you and the organization a better picture of what risks are involved, the criticality of those risks, the prioritization of what needs to be protected, and how the business is affected not only financially but also from a security perspective. All aspects of risk and their relationship to security risk mitigation should be considered, and a Unified Risk Oversight™ approach taken to determine and communicate all risks. Physical, Information and Operational Security should communicate with each other.
Q: Is conducting a risk assessment once a year enough?
A: In this day and age, risks are dynamic and always changing. Therefore, it is necessary for organizations to re-evaluate and monitor on an ongoing basis the potential risks that affect them. Given the information age that we are in and the 24-hour news cycle, it is imperative that organizations track the rate at which risks change. For instance, some organizations utilize near real-time monitoring capabilities for varying conditions using big data mining, text analytics and data visualization techniques. These Intelligent Control Centers analyze and disseminate actionable information to decision makers in order to establish a comprehensive risk, threat and vulnerability assessment.
Answer provided by J. Kelly Stewart, Security Executive Council Emeritus Faculty.
Hmmm. I am not sure if we are using the right nomenclature. I could see managers being burned out by "continual risk assessments" as it implies constant work for them from the "continuous" point of view. What makes more sense is the Risk Management Framework's emphasis on "continuous monitoring". In this case, a significant risk management engine is working 24 x 7 through automation, etc., but it is not invasive as this article implies. I truly believe in the need for an annual end-to-end risk assessment with quarterly updates combined with a solid continuous monitoring solution.
Posted by: Bill Ross | July 06, 2015 at 04:40 PM