Two of the potentially challenging things about doing information and cyber security risk assessments are being able to easily leverage any existing risk assessments done by other areas of the organization and being able to integrate the risk assessments we do with the existing risk ratings already being compiled and aggregated by the ERM team—assuming you have one.
Basically, there’s often two camps of “risk” children. The “good little boys and girls” who follow the ERM guidance and directives to brush their teeth before they go to bed, look both ways before crossing the street…
…and do their functional or departmental risk assessments every year, whether they need them or not.
And then, there’s us, the delinquent, unruly hell-raisers in cybersecurity who think they actually run the business, and everyone exists for the simple purpose of following the security policies.
At least, that’s what the non-security people often think—especially when it comes to dealing with our risk assessments. Quite often, they literally don’t know what to do with us. We come to them with our mountains of risk assessments (which are often completely divorced from those in-line, DevSecOps threat modeling exercises), and we’re talking about risk levels due to cybersecurity like we’re Sammy Hagar singing “9 on a 10 scale.”
But…they aren’t. In fact, in the context of the overall organizational risk appetite (which we’ve often blissfully ignored), the overall net impact to the organization of the problem we’re talking about would be like sitting on a stray piece of popcorn as we take our seat in the cinema sometime, hopefully in the near future, to catch the new Matt Reeves take on the Dark Knight of Gotham City.
That’s right. Unless it was hot, sticky and covered in gooey caramel…
…we probably wouldn’t even notice it.
It helps if we’re using SABSA, and it helps even more if we realize that there’s potentially 4 types of risk assessments we can perform across the Strategy & Planning, Design and Manage & Measure phases of the lifecycle that help us place the risks we do analyze squarely within the context of what the organization is trying to accomplish.
However, there’s still often of the tiny problem of discovering and integrating with the organization’s defined risk appetite…
…and then there’s the issue of figuring out how to aggregate (or decompose) those high-level enterprise consequence scales into the RAG reporting defined one we establish our Primary and Secondary KRI performance targets for each attribute in our super-secksy Attribute Profile.
Oh, and then there’s the issue we have faced nearly every day by Chief Engineer Montgomery Scott when he says, “We’re given ‘er all she’s got, Captain.”
And Captain Kirk has the audacity to respond, “Well, Mr. Scott, I need more. How much more can you give me since we’re already in the red?”
How do we know how much beyond that Primary KRI we can actually take before we go out of business…or someone loses their job?
All of these are questions we’re going to need to answer if we’re going to be able to seamlessly and effortlessly – once-and-for-all – integrate our SABSA-based risk assessment and operational monitoring objectives with the organizational risk appetite, consequence scales and ERM risk management guidelines and their oh, so precious…
…and oh, so colorful…
Enterprise Risk Matrix.
Have you ever found yourself asking those questions?
Do you have those answers today?
Are you likely to have them tomorrow…or next week…or even next year?
Well, what I can tell you is that the people who are already subscribed to Archistry’s print Security Sanity™ newsletter before the May issue goes to the printer sometime tomorrow after the harder-than-granite deadline in exactly 11 hours and 4 minutes from when I write this very sentence…
…will only need to turn their very own crisp, white – and full color – copy to page 7, where the discussion on how to do exactly that begins. And, in the pages before that, they’ll have a deep understanding of the business view of risk, key terminology critical to the success of your cybersecurity risk assessments (even if you call them “Threat Modeling” and do them as part of your Dev[Sec]Ops delivery iterations).
And there’s even a handy sample of how to turn the typical ERM risk management guidance into an actionable, measurable enterprise Attribute Profile, fully dressed in all the white-tie-and-tails goodness of the SABSA Performance Management Framework.
Not to mention detailed discussions of each of the 4 types of risk assessments I mentioned above and what you’re supposed to end up with after each one.
But maybe this isn’t anything that interests you, or maybe it isn’t anything you need because “risk assessments” aren’t part of your job description, and the head of your security program has no interest whatsoever of integrating business strategy with security strategy and the operational prioritization and assessment of those tidal waves of daily threat and vulnerability reports.
Or, maybe you’ve already got it all figured out. I mean, it isn’t that hard. But you do have to think about it…a lot, in some cases, to make sure everything fits together into a complete and comprehensive system for integrating real, business-driven risk assessments into your security program.
Either way, the time is now to make the decision of whether you’re in our out of the club who’ll be devouring this print edition in just a few short days, barring no delivery hiccups (because, yes, I did figure out a pandemic-proof physical logistics solution since last month).
If you want to be in, but you’re not already, then here’s the link to make sure it ships to you too:
If you’re not already in and you’re not gonna be, then that’s totally cool with me too. At least you’ve made the decision.
If you’re on the fence…tick, tock.
Andrew S. Townley
Archistry Chief Executive