The mere mention of a risk assessment can instill myriad responses from the targets of the request. Resistance, fear and the age-old, “We don't have the time or resources,” are the usual responses when departments are approached with this subject.
Who can blame them? It is like getting a letter from the IRS saying you are going to have your income tax returns audited. You know you didn't do anything wrong. Well, not on purpose. Everything is in order. You think. You did the best you could to follow their rules and regulations. Why you?
The same goes for risk assessments. The number of state and federal regulations change on what seems to be a monthly basis. They become more convoluted, complex and demanding all the time. States, companies, health care providers and businesses do their best to keep up and stay compliant, but it is an uphill battle. However, it is a battle that needs to be fought.
One of the keys to doing a successful risk assessment is to get buy-in from those departments that need to do the assessments. As security professionals, it is our job to help IT employees and business managers understand this process and the reasoning behind it. It is important that they realize that a risk assessment is not being done for punitive purposes, but rather, as a proactive process within the security framework of the enterprise.
Risk assessments can be outsourced to third parties, and a professionally written report will be returned with all the results and answers to all your questions. However, in the long run, this might not be an approach that will best meet the needs of your organization.
There are many benefits to doing an in-house risk assessment. Besides the obvious benefits of determining compliance with numerous state and federal regulations, application inventory, security controls and all the other requirements of whichever standard measure is being used (NIST, ISO, FIPS, etc.), there are numerous secondary benefits that cannot be achieved by a third-party assessment.
Foremost, there is a transfer of knowledge from the security professional to the business unit or IT staff regarding security awareness and best practice. People involved in the assessment project will be confronted with questions and, in working with a security professional, there will be a gradual propagation of knowledge that will help to change their perspective regarding information security.
The image of security being the “bad guy” may also find some resolution by doing an in-house risk assessment. Enterprise environments tend to be large and spread out and, subsequently, departments are isolated from each other. It is easy for a bad image to propogate in such an environment. Security is usually the department telling others that they cannot do what they want to do. Increased communication and collaboration between departments and security during a risk assessment may help to mitigate that stigma along with the risks. It is difficult to maintain a negative opinion once people work together and get to know each other as individuals.
So, there are times when doing something yourself really does have a greater ROI in the long run, even if it does involve a greater amount of upfront time and effort.
Kris Rowley is CISO of the state of Vermont. She is also on the governance board for the Norwich University Advanced Computing Center, teaches at a local community college and does information security presentations for community education.