Is The InfoSec Risk Assessor Alone?

Am I Alone?

Probably not. Whether it is a risk-based cost-benefit analysis, decision theory, or a formal or informal risk assessment, risk assessments are probably already occurring somewhere in your organization.

One goal I have for this blog is to make the subject matter relevant to information security folks regardless of the size of the organization we work for or the role we have within our profession. The reality is that for those not employed by a large company or government entity with a dedicated risk assessment group, it is too easy to assume that you do not have the time, the tools, or an advocate in place to even talk about information security, let alone manage it.

So where to begin?

There are many entities or persons within an organization that perform some form of risk assessment. The methodology, rigor, and subject matter might differ across all these groups, but decisions are being made based on risk.

Below is a list of groups or individuals that immediately stand out to me:

1. Key business executives.
2. Decision makers with fiscal responsibility.
3. Internal auditors.
4. External auditors.
5. Enterprise risk management groups / individuals.
6. Financial risk management groups / individuals.
7. General counsel / legal entities.
8. Capital risk management groups.
9. You.
10. Others that I am probably missing.

The following thoughts are geared more toward those who are not in a dedicated information risk assessment role and who may not work in an organization with strong information risk management governance, let alone a strong information security group.

1. A quick way to learn what is important to your leadership from a risk perspective is to ask them what concerns them when it comes to information and security. Try to get a 15 minute meeting and ask the question. Not only are you being proactive, but you will learn more about your leadership and possibly your business as a whole. The risks that most information security people think of first are probably not the same risks that come up first for non-security executives. Meeting with the business leaders and decision makers is critical and, if done appropriately, pays dividends.

2. Do not let yourself get tunnel vision and think that you are alone or that only your risk issues matter. Reach out to the peer groups that also deal with risk in some form and gain insight from them. The impact (monetary loss) of the risk scenarios they are most concerned about can help you better define your approach to looking for risk issues, as well as better recommend security controls for mitigating risk.

Here is a link to a PDF I found via Google that talks about enterprise risk management. It is a good overview of ERM for the large organization but maybe too much to digest for the small organization, so keep reading below.

Where Can I Begin?

For those who do not work in an organization with a formal information security risk management group, identifying and managing key information security risks may seem like a daunting task. Compared with the program I work within, the steps below are a simplified starting point. BTW, this should be approached in the spirit of collaboration rather than the spirit of security police. I still cringe every time one of my co-workers even jokes about getting an official security badge…

1. As you review project activities or other operational activities and come across security concerns – document them. Whether it is a small database or a spreadsheet, capture the date, the security concern (or risk issue), the reason it is a risk (impact to the organization), the team or person that can facilitate mitigation, a date for follow-up, and a unique identifier.

2. Before communicating the risk issue to the appropriate parties, take a few minutes to research the risk issue in question for possible mitigation techniques and to ensure it is valid, even if you are not an expert in the space where you identified it. This step warrants a separate posting, but there is nothing more frustrating than what I would call the “sea gull” risk assessor: someone who swoops in, makes a lot of noise about risks, poops all over the place, and then moves on without offering any mitigation help whatsoever. In some minds, this is the difference between a risk assessor and a risk consultant. Again, separate post.

3. Communicate the risk issue to the person(s) who can facilitate mitigation. Maybe this is via email, a telephone call, or an in-person meeting. The goal should be to communicate the risk issue and attempt to get a commitment to mitigate. Regardless of the outcome, leave the conversation having set an expectation of a follow-up six or twelve months out. Make a few notes on your risk issue record about the conversation you had.

4. Schedule a reminder to follow-up on this risk issue 6-12 months out (as needed).

5. Repeat as needed. Maintain realistic expectations – especially if this is truly a new initiative for you. Not all risk issues will be mitigated nor will everyone be receptive of your efforts.
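To make the five steps concrete, here is a minimal risk-issue register as an added example. It is not the author's code or tooling, just one way to implement the "small database or spreadsheet" from step 1 in plain Python: each record carries the fields listed in step 1 (date, concern, impact, owner, follow-up date, unique identifier), conversations from step 3 are appended as dated notes, and the follow-up query from step 4 returns the open items whose date has arrived. The sample entries and the `RI-YYYY-NNNN` identifier scheme are constructed for illustration.

```python
"""Minimal risk-issue register for the five-step process above (added example)."""
from __future__ import annotations

import calendar
import csv
import io
from dataclasses import dataclass, field
from datetime import date

STATUSES = ("open", "mitigated", "accepted")


def as_date(value: date | str) -> date:
    """Accept a date or an ISO 'YYYY-MM-DD' string (handy when loading from a spreadsheet)."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def add_months(d: date, months: int) -> date:
    """Shift d forward by whole months, clamping to the last day of the target month."""
    month_index = d.month - 1 + months
    year, month = d.year + month_index // 12, month_index % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


@dataclass
class RiskIssue:
    issue_id: str             # unique identifier (step 1)
    opened: date              # date the concern was recorded
    concern: str              # the security concern / risk issue
    impact: str               # why it is a risk: impact to the organization
    owner: str                # team or person who can facilitate mitigation
    follow_up: date           # next scheduled follow-up (step 4)
    status: str = "open"
    notes: list[str] = field(default_factory=list)  # dated conversation notes (step 3)


class RiskRegister:
    def __init__(self, prefix: str = "RI") -> None:
        self.prefix = prefix  # assumed identifier prefix, e.g. RI-2008-0001
        self.issues: dict[str, RiskIssue] = {}

    def open_issue(self, concern, impact, owner, opened, follow_up_months=6) -> RiskIssue:
        """Step 1: record the concern; the default follow-up is six months out."""
        opened = as_date(opened)
        issue_id = f"{self.prefix}-{opened:%Y}-{len(self.issues) + 1:04d}"
        issue = RiskIssue(issue_id, opened, concern, impact, owner,
                          add_months(opened, follow_up_months))
        self.issues[issue_id] = issue
        return issue

    def record_conversation(self, issue_id, when, note, next_follow_up_months=None) -> None:
        """Step 3: note the conversation and, if a commitment was made, reschedule the follow-up."""
        when = as_date(when)
        issue = self.issues[issue_id]
        issue.notes.append(f"{when.isoformat()}: {note}")
        if next_follow_up_months is not None:
            issue.follow_up = add_months(when, next_follow_up_months)

    def set_status(self, issue_id: str, status: str) -> None:
        if status not in STATUSES:
            raise ValueError(f"status must be one of {STATUSES}")
        self.issues[issue_id].status = status

    def due_for_follow_up(self, as_of) -> list[RiskIssue]:
        """Step 4: open issues whose follow-up date has arrived, oldest first."""
        cutoff = as_date(as_of)
        due = [i for i in self.issues.values() if i.status == "open" and i.follow_up <= cutoff]
        return sorted(due, key=lambda i: i.follow_up)

    def to_csv(self) -> str:
        """Export in a spreadsheet-friendly shape so the register can live alongside other tools."""
        buf = io.StringIO()
        writer = csv.writer(buf)
        writer.writerow(["id", "opened", "concern", "impact", "owner", "follow_up", "status", "notes"])
        for i in self.issues.values():
            writer.writerow([i.issue_id, i.opened.isoformat(), i.concern, i.impact, i.owner,
                             i.follow_up.isoformat(), i.status, " | ".join(i.notes)])
        return buf.getvalue()


def build_sample_register() -> RiskRegister:
    """Constructed sample data (not from the post) showing the workflow end to end."""
    reg = RiskRegister()
    a = reg.open_issue("Shared local admin password on the file server",
                       "Changes to the finance share cannot be tied to a person",
                       "Infrastructure team", "2008-03-03")
    reg.open_issue("Nightly customer export written to an unencrypted USB drive",
                   "Loss of the drive exposes customer records; notification costs",
                   "Operations lead", "2008-05-20", follow_up_months=12)
    reg.record_conversation(a.issue_id, "2008-03-10",
                            "Infra lead agreed to move to named admin accounts by Q3",
                            next_follow_up_months=6)
    return reg


if __name__ == "__main__":
    register = build_sample_register()
    for issue in register.due_for_follow_up("2008-10-01"):
        print(f"{issue.issue_id} due {issue.follow_up}: {issue.concern} ({issue.owner})")
    print(register.to_csv())
```

Running the script as of 2008-10-01 lists only the first issue, because the conversation on 2008-03-10 reset its follow-up to six months from that date, while the USB export item is not due until May 2009. Marking an issue `mitigated` or `accepted` drops it from the follow-up list without deleting the record, which keeps the history the post asks you to maintain.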

There is a saying I learned in the Marine Corps which goes like this: “It is better to be tried by 12 than carried by 6”. Though from a different context, the underlying message applies to managing information security risks even with the simple five step model listed above: trying to do the right or necessary thing and defending it is better than having done nothing and never getting the opportunity to explain why.


7 Responses to Is The InfoSec Risk Assessor Alone?

  1. Chris says:

    Good post. You aren’t alone, I can attest to your tactics here. Approach is everything though (“I’m here to help, here’s how”).

    I started a new job and tried to preach a risk management doctrine which got nowhere until an incident occurred. Which was tied to something that I had identified as a risk two months earlier. I quickly became the guy that was listened to. I was “lucky” to have the incident that caused their awakening.

    The results are good for me so far.

  2. Christian says:

    Really enjoyed this post. I liked the pragmatic approach you’ve used to describe these first steps for organising risk assessment capabilities. Even though I work within a dedicated risk team, I still found value in your comments.

    I especially like point 2 and can’t wait for you to elaborate on that issue. I’ve seen too many times that a lot of work gets done at the front of a risk assessment, but then effort tapers off to nothing. I think there’s a lot of merit in assisting with the process end to end, not only helping with identifying mitigants, but perhaps assisting in assuring that those mitigants have been effective as well.

    Great post!

  3. Chris Hayes says:

    Thanks for the comments Chris and Christian! I look forward to posting more and am glad that some of these posts are being read and pondered! Stay tuned!

  4. Good thoughts. I’m surprised that the ERM framework doesn’t do more around the practical issues of leaders making good decisions under risk and uncertainty (e.g. stochastic financial models that include good human measurement). I’m excited about helping folks do a better job with these sorts of risks – remember Nick Leeson of Barings Bank infamy?

  5. Chris Hayes says:

    @Scientificleader – To be honest I never knew who Nick Leeson was until you posted; nothing Wikipedia cannot help with. It is funny you mention this because the shortcomings (failures) in the financial industry are making some information security folks skeptical of information security risk quantification. As far as stochastic financial models and their applicability to making good decisions under risk and uncertainty – I have seen such models created for information security risk scenarios – but I have to admit – it was very complex and not practical for the scenarios they were created for – probably not practical for the derived risk value compared to the effort it took to create the model. Also, it seems to be impractical for information security risk assessors to be able to create such risk models. Thanks for leaving a comment!

  6. @Chris Hayes.
    Yes, Chris, I generally agree that one does not undertake stochastic (Real Options) models on one’s own. But the Enterprise Risk Management Movement appears to me to be an Audit professional attempt at quantifying, among other things, operational risk. Assessment of leadership risks (e.g. unethical leaders who cook the books; decision making acumen) can be measured and included in these as well; but these risk detection and mitigation methods are inherently interdisciplinary; information security professionals would do well to collaborate with finance and industrial psychology experts in this effort. Even if it is impractical to quantify the actual probability of risk or failure (e.g. Value at Risk or VaR), it seems incredibly pragmatic and consistent with the various Enterprise Risk Management frameworks to assess leadership, culture and other operational risks, such as the skill in avoiding the John Drapers AKA Captain Crunches of the world. Thanks for the fast reply
