Why should you do a risk assessment in the first place?
When we are approached about cybersecurity and someone asks what the first steps should be, the response is always the same: start with a risk assessment. Everyone should have a cybersecurity budget to work with. In most cases that budget is restricted, and you may have no idea where best to spend it. There are so many different attacks and prevention mechanisms to consider that you may not know where to start.
If you need assurances on how to best protect yourself within the budget that you have, a risk assessment is required. A risk assessment will highlight the following:
- what the worst problems are;
- what the impact would be should those problems be realised;
- what the likelihood of them happening would be;
- how much it would cost to fix; and
- how much effort and resources it would require to resolve the problems.
If you do not have the information, you cannot make decisions, and you would not know how to spend your budget. You must review your organisation as a whole.
What is the usual approach that people take when they want a risk assessment done?
The standard approach would be to look at the frameworks available, such as the CIS 20 Controls, ISO 27001, or ISO 22301 for business continuity. Work through the framework pragmatically, step by step, and answer the questions it asks. Also, be sure to apply the framework end-to-end.
What are the problems with this approach?
Most of the available frameworks are tied to accreditations or certificates, and they are worthwhile goals to pursue because they offer stakeholder confidence. There is a downside, though. From an accreditation point of view, the use of frameworks can be very subjective. You may have a well-documented business continuity plan which is tested every six months. However, just because you have a plan does not automatically mean that the tests are performed in depth every six months. How thorough the test is will also be open to the interpretation of the person ticking the box.
These standards are put forward so that the companies following them are comparable in terms of their cybersecurity posture. But comparability is not always the end result. We have seen companies with ISO 27001 that have implemented it brilliantly and tailored it to their organisation. We have also seen companies with the same framework implemented which have left us stumped as to how they obtained it in the first place!
Apart from the issue of subjectivity, not all companies are the same. Think about the financial sector versus the health sector versus the rail industry. ISO 27001 is not geared specifically towards the different sectors. These sectors can be further broken down into sub-sectors, and beyond that, different companies do business differently, even companies within the same sector performing the same role.
The result is an attempt at a one-size-fits-all approach. The standards and frameworks are great for a generalised approach, but that does not mean they will work perfectly for your organisation. Every organisation's needs in terms of its business processes, functions, culture, and risk appetite differ, so we cannot apply the same standard to everybody.
What can we do to compensate for the differences between standards?
Be honest with the client, even at the risk of losing the client. Not every standard will work for every organisation. When we do a risk assessment, with the blessing of the client, we want to understand how the company works, how it does business, and how it makes money, which includes HR and Marketing functions. We look at the organisation operationally first. Once we have a good understanding of the business, we might interject and ask a few ‘what if’ questions. And we have found that the answers not only reveal what is done wrong but also what is done unnecessarily. Some businesses overcomplicate matters with procedures that are not needed. We may recommend implementing a more robust security system instead of following processes for the sake of it.
The easiest things to secure first would be the processes, policies, procedures, and operational tasks. Once the low-hanging fruit is identified, we review the residual risks. And often, after reviewing the organisation from an operations standpoint, the residual risks have already been halved.
When a residual risk is extremely unlikely and low impact, we may decide to roll with it. If the risk is more significant, we will put controls in place and consider the best technologies to mitigate that risk. The reason for the risk assessment is to make sure that the right technologies are in place. The process should not merely be driven by a framework for the sake of it. It is great to have the frameworks, as they give stakeholders confidence. But it is really important, from a prioritisation point of view, to make sure that you have looked at risk in the context of the business. This enables you to prioritise which aspects of the risk assessment to follow through on.
What you really want to do is remove the threats that have the most impact, are the most likely to happen, and require the least amount of effort to fix. You will only know which risks to place at the top once you understand the business operationally. This is the main reason why Samurai does that process first. Sadly, risk assessments are missed in the industry by many.
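As an added illustration (not from the original article), here is a small risk-register prioritisation in Python that follows the order described above: score each risk by impact and likelihood, apply the reduction gained from the cheap process and policy fixes first, accept whatever residual risk falls within the stated risk appetite, and treat the rest in order of residual exposure per unit of effort until the budget is spent. The register, the 1 to 5 scales, the budget units and the scoring formula are all constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    impact: int           # 1 (negligible) .. 5 (business-ending), assumed scale
    likelihood: int       # 1 (rare) .. 5 (expected), assumed scale
    effort: int           # 1 (trivial) .. 5 (major project) to fix
    cost: int             # cost to fix, in constructed budget units
    process_fix: int = 0  # likelihood points removed by policy/procedure changes alone


def inherent_score(risk: Risk) -> int:
    """Raw exposure before any treatment: impact x likelihood."""
    return risk.impact * risk.likelihood


def residual_score(risk: Risk) -> int:
    """Exposure left once the operational fixes (processes, policies) are applied."""
    return risk.impact * max(1, risk.likelihood - risk.process_fix)


def priority(risk: Risk) -> float:
    """Most impact, most likely, least effort first: residual exposure per unit of effort."""
    return residual_score(risk) / risk.effort


def plan_treatment(register: list, budget: int, appetite: int) -> dict:
    """Split the register into treat / accept / defer for a given budget and risk appetite."""
    plan = {"treat": [], "accept": [], "defer": []}
    remaining = budget
    for risk in sorted(register, key=lambda r: (-priority(r), r.name)):
        if residual_score(risk) <= appetite:
            plan["accept"].append(risk.name)   # unlikely and low impact: roll with it
        elif risk.cost <= remaining:
            plan["treat"].append(risk.name)    # put a control or technology in place
            remaining -= risk.cost
        else:
            plan["defer"].append(risk.name)    # worth fixing, but not within this budget
    plan["budget_left"] = remaining
    return plan


# Constructed sample register (illustrative values, not real findings)
REGISTER = [
    Risk("Shared admin credentials", impact=5, likelihood=3, effort=1, cost=5),
    Risk("Unpatched internet-facing web server", 5, 4, 2, 20, process_fix=1),
    Risk("Untested backup restore", 4, 3, 2, 10, process_fix=2),
    Risk("Unused legacy file-transfer process", 2, 2, 1, 1, process_fix=1),
    Risk("Visitor tailgating", 3, 2, 3, 30),
]

if __name__ == "__main__":
    print(plan_treatment(REGISTER, budget=25, appetite=4))
```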