Common mistakes in IT security risk assessments

ICS-risk-assessment2Dark Reading put together an article focused on common mistakes organizations make when running IT security risk assessments.  Included below was my response and the Dark Reading article is posted here.

  • Trying to do too much.  One of the most common mistakes is trying to go from nothing (haven’t done an assessment) to finished in one giant step.  Most times, the assessment will get bogged down and comes to a grinding halt because people are overwhelmed with trying to figure out the right process, who knows the answers to questions, and figuring out who is actually responsible for the various tasks and in charge.  I have this simple philosophy that I use all the time: crawl, before you walk, before you run.  Just accept that this is the first time and tackle a small subset of issues: focus, not surprisingly, on the obvious high priority items.  When you’re done with that, evaluate how it went and move on to the next set of issues.
  • Most companies underestimate their third party relationship responsibilities.  One area that many companies are not doing enough on is managing their relationships with third party vendors they use.   Often, once the lawyers have finally signed off on an agreement, both parties tend to have a very hands off approach with each other and forget the details of making sure things are staying on course.  You need to actively assess if those vendors are really meeting not the just the letter of the agreement (SLAs) but are they really meeting your actual needs?  You need to interact with them and actually assess if that’s happening or not.
  • Using proprietary/made-up auditing requirements.  The fact is, there is no need to start from scratch in doing a risk assessment.  There are plenty of well-known and accepted frameworks – such as PCI DSS, or ISO 27002 or HIPAA – that allow you to get past “How do we start?” and get you more focused on doing the actual assessments to figure out where you need to make changes.
  • Focusing on titles instead of knowledge.  When you’re doing a risk assessment you need people who can realistically and honestly answer blunt questions about how your business operates, what technologies are used and how, and who is responsible for certain actions.  Often times, the people who have those answers are not the people with the fancy titles.  You need to get people in the room that really know how things work.