Risk Intelligence Blog
5 Weaknesses of Traditional Security Risk Assessments

One of the biggest problems with a traditional security risk assessment program is that it ignores the big picture. By focusing narrowly on the results of the assessment itself, organizations never understand the full extent of the risk they carry.

Below are five of the biggest weaknesses of traditional security risk assessments.

1. Not Integrated With Enterprise Risk Management Plans

Technology risks need to be managed alongside the organization's other risks. Unfortunately, information security managers often conduct IT security risk assessments outside the scope of the company's enterprise risk management program. As a result, the findings may never reach the executive leadership team, and the resources needed to mitigate these risks effectively may never be approved.

2. Ignoring Paper Assets

Organizations often focus so much on electronic assets that they overlook the risks carried by paper repositories. In the case of a bank, for example, paper files such as customer records or loan documents may never be considered as part of the security risk assessment. As a result, no controls are ever established to detect when such paper records are lost, breached, or destroyed, and a breach can occur without the company ever knowing it happened.

3. Focusing on Controls Instead of Business Risk

Too often people think security risk assessments are measuring risk, when they are actually only reviewing the controls. Risk assessments often follow checklists built on "boilerplate" criteria such as the presence of a firewall. A checklist result tells you whether a control exists, not whether it matters: without knowing which vulnerabilities you actually have and which threats can exploit them, the assessment score alone is not enough. It's essential to look first at how threats and vulnerabilities come together to produce risk, and only then at whether the controls in place address it.

4. Spending on Unnecessary Technology

Because security risk assessments focus on specific gaps in IT controls, many organizations are lured into spending on technology to fix problems that would be better addressed with process changes. Organizations may assume that purchasing a new product is the best mitigation for every risk.

However, each internal process should be optimized before a technology tool is purchased to supplement it. For example, separating database development and operations roles creates a natural control: subverting it requires two people to collude. This process solution can be more effective than purchasing complex and expensive technology to monitor database changes, because it removes the ability to make an unauthorized production change rather than merely recording it after the fact.
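The separation of duties described above, as a worked example added here (it is not code from the original post). It uses PostgreSQL syntax and assumes a production schema named `prod`, a development schema named `dev`, and role names `app_team`, `db_developer`, `db_operator`, `alice` and `bob`, all of which are illustrative. The first block shows the weak arrangement the post warns against, where one shared role can both write code and change production; the second replaces it with two roles so that no single person holds both capabilities, followed by the audit query an assessor would run to confirm the control actually holds.

```sql
-- Weak pattern (the "before"): one shared role owns everything in production,
-- so any developer can alter production data or schema on their own.
-- Names below (prod, dev, app_team, db_developer, db_operator, alice, bob) are assumed.
CREATE ROLE app_team LOGIN PASSWORD 'changeme';
GRANT ALL PRIVILEGES ON SCHEMA prod TO app_team;
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA prod TO app_team;
ALTER DEFAULT PRIVILEGES IN SCHEMA prod GRANT ALL ON TABLES TO app_team;

-- Separation of duties (the "after"): two group roles with disjoint powers.
CREATE ROLE db_developer NOLOGIN;
CREATE ROLE db_operator  NOLOGIN;

-- Developers may read production for troubleshooting, but cannot change it.
GRANT USAGE ON SCHEMA prod TO db_developer;
GRANT SELECT ON ALL TABLES IN SCHEMA prod TO db_developer;
ALTER DEFAULT PRIVILEGES IN SCHEMA prod GRANT SELECT ON TABLES TO db_developer;
-- Developers hold full rights only in their own schema.
GRANT ALL ON SCHEMA dev TO db_developer;

-- Operators own the production objects (ownership is what permits ALTER/DROP),
-- and hold no rights in the development schema.
REASSIGN OWNED BY app_team TO db_operator;
GRANT USAGE, CREATE ON SCHEMA prod TO db_operator;
REVOKE ALL ON SCHEMA dev FROM db_operator;

-- Individual logins are members of exactly one group role; no one is in both.
CREATE ROLE alice LOGIN PASSWORD 'replace-me' IN ROLE db_developer;
CREATE ROLE bob   LOGIN PASSWORD 'replace-me' IN ROLE db_operator;

-- Retire the shared account so the old path is gone, not merely unused.
REVOKE ALL PRIVILEGES ON ALL TABLES IN SCHEMA prod FROM app_team;
REVOKE ALL PRIVILEGES ON SCHEMA prod FROM app_team;
DROP ROLE app_team;

-- Assessor's check: any non-SELECT privilege held by a developer on prod
-- means the control is broken. Expected result: zero rows.
SELECT grantee, table_schema, table_name, privilege_type
FROM   information_schema.role_table_grants
WHERE  table_schema = 'prod'
  AND  grantee = 'db_developer'
  AND  privilege_type <> 'SELECT';

-- Second check: no login belongs to both group roles. Expected result: zero rows.
SELECT m1.member::regrole AS login
FROM   pg_auth_members m1
JOIN   pg_auth_members m2 ON m1.member = m2.member
WHERE  m1.roleid = 'db_developer'::regrole
  AND  m2.roleid = 'db_operator'::regrole;
```

The two queries at the end are the point of the example: a risk assessment that merely ticks "separation of duties: yes" reviews the control on paper, whereas running these checks against the live catalog verifies the control as it actually exists.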

5. Stating Risks without Their Business Impact

Business leaders focus on growing shareholder value. When security risk assessment results are presented without a fiscal impact, they may not be taken seriously, because their business impact in monetary terms isn't clear. The Federal Financial Institutions Examination Council (FFIEC) notes that risk "impact can be measured in terms of data integrity, confidentiality, and availability of information; costs associated with finding, fixing, repairing, and restoring a system; lost productivity; financial losses; and other issues affecting the institution's operations, and reputation." Failing to translate security risk assessment results into these terms ultimately hinders your ability to obtain the resources to address them.

What are some other weaknesses you've addressed when implementing security risk assessments?

About the Author: Bradley J. Schaufenbuel, CISSP, CRISC, is Senior Vice President and Chief Information Security & Privacy Officer at Midwest Bank – Now Part of FirstMerit Bank, N.A.  He is a regular speaker at industry conferences and has authored numerous books and professional journal articles on topics related to information security and I.T. risk management.


Comments

I fully agree with Mr. Bradley on points no. 3-5. Mostly IT assurance professionals fail to understand that IT assurance is directly related to the business environment, strategic goals and the combination of the existence of vulnerability and the effectiveness of controls in relation to threats. The checklist approach makes them comment on some non-existent risks, and IT staff in turn implement costly tools/technology to comply. One needs to understand the business first to conduct a risk assessment at any organisation.
Posted @ Saturday, July 31, 2010 2:47 AM by Sathyananda Prabhu