Channel: Rafeeq Rehman - Personal Blog » CISO Strategy

Risk Drives Information Security Program


Risk is a measure of the likelihood of an incident and its impact on the business. Everything a CISO does must be targeted towards reducing overall risk for the organization and be driven by periodic, formal risk assessments. If you have not done a formal risk assessment of your organization yet, you may be trying to solve problems that don't exist or have a very low return on security investment, or overlooking things that really matter. A risk assessment will help you pick the right type of projects in the following areas:

  1. Threat Prevention – Firewalls, access controls, network segmentation, IPS, Security Policy, Awareness Program
  2. Threat Detection – Log analysis, detection, alerting and monitoring
  3. Incident Management – Incident response, forensics

A formal risk analysis will help in discovering gaps and in picking the right projects and security controls. It will provide a basis for information security operations. It will also help executives in your organization understand why you do what you do. Risk analysis needs to be at the center of any information security program.

Action Items

To make risk analysis part of your information security program, take the following actions.

  • Determine whether you need a qualitative or a quantitative risk analysis. In most cases, a qualitative risk analysis should be good enough.
  • Select a risk assessment methodology that is suitable for your organization. Multiple methodologies exist and are in use in industry.
  • Set a formal risk assessment frequency (once or twice a year, for example) and make it part of corporate policy.
  • Use the results of the risk assessment as business justification for security projects.
  • Make risk assessment part of the project delivery lifecycle in your organization (e.g. a security certification program).

You may not be able to take all of these actions immediately. If that is the case, use an incremental approach and make them part of your roadmap.

