Six Questions to Ask Yourself About Security Risk Assessments
Getting back to basics to align your security risk process with the rest of the business
Created by the Security Executive Council
Businesses are more in tune to risk than ever before - it has become a part of corporate culture. Corporate leaders have improved their understanding of the role risk assessments play; however, Security and the rest of the business are not always in agreement on the "why" and the "how". Therefore, Security's risk assessment activities may not be in line with the rest of the organization.
This paper is designed to help security executives evaluate their current risk assessment program. The SEC has found that while many security leaders are performing risk assessments, they are not being conducted at the enterprise level; instead they are assessing at the site or building level. Although there are practitioners that are advanced in the practice of risk assessments, our research shows that as more people are moving into corporate security leadership roles, many are not starting with the basics - like conducting an enterprise-level risk assessment related to security issues.
The SEC has found that conducting a risk assessment at the enterprise level is a first and essential step for successful programs. In a recent Security Barometer poll on risk assessment, security practitioners shared the steps they use to assess risk and how well they feel their organization is tackling significant security risks overall.
To evaluate where your risk assessment program is, begin by answering the following questions:
If you can't answer these, or if the answer is "no," it's time to examine what you are doing and how you can improve the risk assessment program for the betterment of your organization. Creating a common risk definition and language between security professionals, security executives and senior management is critical.
Risk Management DefinitionsFor security and business to be a truly unified discipline, there needs to be a shared language for defining risk and mitigation and articulating the success or failure points for any given initiative. The common language needs to be accessible and inclusive to all units within an organization, including executives, human resources, legal, finance and security.
There are plenty of definitions to be found for risk, threat and vulnerability. But an example is useful to clarify the terms.
For illustration purposes we chose an example that can impact several areas of risk: event security, which has become of importance in many companies based on recent incidents. This example highlights the complexity of risk.
It's important for security executives to establish and maintain an ongoing process of risk assessment to drive security and resource planning. Risk assessment statements ultimately should represent key risks to the organization and characterize a measurable, effective security program.
Six Critical QuestionsCan you answer these questions about your company's business/security risk alignment? Write down your answers in the boxes below. This can also be used to document progress.
If you gave the same six critical questions to each member of your security leadership team, would they come up with the same results?
The goal of this exercise is to provide a resource that solidifies and documents key success factors and provides assurance your program is working. It's also a way to determine if the plan and processes you have in place are significant enough to mitigate the risk.
There are other targeted questions that can be posed internally to conduct this exercise:
Failure PointsThe SEC has found the five most common failure factors for a security risk assessment:
Many times, there is too low a level of scope in the risk assessment, and potential risks are missed. Or, personal opinion was applied, and security executives only look at the process from their perspective and not from the perspectives of other business units within the organization. There are additional variables, such as outside contractors. If they don't have the right foundational knowledge of risk and the organization, there is no cumulative quality, only "currency".
Security executives need to regularly reassess their established risk assessment plan to determine if it is up to date. Do elements need to be added? Have you determined what has been effective and what has not? There may be a better, more targeted program than the one currently in place. In reality, this type of deep thought and analysis on risk assessment is not taking place at many organizations - but it should.
Next StepsWhat is your plan? Contact us at firstname.lastname@example.org if you want to discuss how to align your security risk process with the rest of the business.
For more information on this topic see Risk-Based Security: Risk Assessment
Watch our 3-minute video to learn about how the SEC works with security leaders. Contact us at: contact @secleader.com.
Copyright Security Executive Council. Last Updated: December 9, 2018
You can download a PDF of this resource below.