By the Security Executive Council
A comprehensive security risk assessment is one critical step in ensuring your organization is prepared for any contingency. We've discussed what not to do in the risk assessment process. But what about what to do?
Recently several of our subject matter experts collaborated to develop the following list of security risk assessment success factors, based on their experience and our collective knowledge:
- A global to specific issue focus. Make sure to include the big picture as well as the local concerns.
- Incorporates leading global findings. Base the big picture on data from known and proven sources, such as the World Economic Forum.
- Incorporates Enterprise Risk Assessment (ERA). Look at the big picture organizationally as well. Risk assessment isn't about one department or function. If the organization has conducted an ERA, incorporate its findings into your process.
- Mitigation strategies aligned to enterprise risks, not just site or department risks. The entire security risk assessment process should be conducted with the overall enterprise in mind.
- Risk owner involved, understands, and will fund mitigation strategy and accept residual risk. The leaders of the organization own the risk. Are they on board and committed to support the strategy, and do they understand that risk mitigation is not 100% assurance that an event will not occur?
- Security incorporates risk owners' risk appetite. Risk owners determine which risks must be mitigated and which can be accepted.
- Multiple processes used to assess risk and issues. Different risks may require different approaches.
- Ongoing process. Monitor for new risks and add them to the process as they develop.
- Monitor for new mitigation strategies. Don't hamstring your response by relying on the same old technologies or techniques.
- Consider quantifying risks, mitigation effectiveness, residual risks. Metrics help security inform and engage with the business. You can use the data you collect from meaningful metrics to partner with organizational leaders on risk management.
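The last three factors above (a risk owner who accepts residual risk, a stated risk appetite, and quantified risks and mitigation effectiveness) can be tied together in a small risk register. The following is an added example, not code or a method from the Security Executive Council article: it scores inherent risk as likelihood times impact on 1-5 scales, treats residual risk as inherent risk reduced by an estimated control effectiveness, and compares the result with each owner's appetite. The scoring model, the field names and the sample register entries are assumptions constructed for illustration.

```python
# Added example (not from the Security Executive Council article): a small
# risk register that quantifies inherent risk, mitigation effectiveness and
# residual risk, then compares residual risk with the risk owner's appetite.
# The scoring model (likelihood x impact on 1-5 scales, residual = inherent
# x (1 - control effectiveness)) is an assumed simplification, not a method
# prescribed by the article.
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    owner: str            # risk owner who funds mitigation and accepts residual risk
    likelihood: int       # 1 (rare) .. 5 (almost certain), before controls
    impact: int           # 1 (negligible) .. 5 (severe), before controls
    effectiveness: float  # 0.0 .. 1.0, estimated effectiveness of planned mitigation

    def inherent(self) -> int:
        return self.likelihood * self.impact

    def residual(self) -> float:
        # Mitigation never gives 100% assurance; residual risk stays on the register.
        return self.inherent() * (1.0 - self.effectiveness)


def decide(risk: Risk, appetite: int) -> str:
    """'accept' if inherent risk is already within the owner's appetite,
    'mitigate' if the planned mitigation brings residual risk within appetite,
    'escalate' if even the mitigated risk exceeds what the owner will accept."""
    if risk.inherent() <= appetite:
        return "accept"
    if risk.residual() <= appetite:
        return "mitigate"
    return "escalate"


# Constructed sample register; values are illustrative, not real assessment data.
SAMPLE_REGISTER = [
    Risk("Unpatched internet-facing servers", "CIO", 4, 5, 0.8),
    Risk("Tailgating at regional office", "Facilities", 3, 2, 0.5),
    Risk("Loss of sole-source supplier", "COO", 2, 5, 0.1),
]

# Risk appetite per owner: the maximum residual score that owner will accept.
SAMPLE_APPETITE = {"CIO": 5, "Facilities": 6, "COO": 4}


def assess(register, appetite):
    """One report row per risk: inherent score, residual score and decision."""
    rows = []
    for r in register:
        rows.append({
            "risk": r.name,
            "owner": r.owner,
            "inherent": r.inherent(),
            "residual": round(r.residual(), 1),
            "decision": decide(r, appetite[r.owner]),
        })
    return rows


def summary(rows):
    """Count decisions so the metric can be reported to leadership."""
    counts = {"accept": 0, "mitigate": 0, "escalate": 0}
    for row in rows:
        counts[row["decision"]] += 1
    return counts


if __name__ == "__main__":
    report = assess(SAMPLE_REGISTER, SAMPLE_APPETITE)
    for row in report:
        print(row)
    print(summary(report))
```

The "escalate" outcome is the one worth watching: it flags risks where the planned mitigation still leaves the owner above their stated appetite, so the conversation has to move to more funding, a different strategy, or an explicit decision by the owner to raise the appetite.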
The overarching theme of these success factors: Don't look at risk - or the security risk assessment process - myopically. Always look past the simplest answer to see what risks, what options, what strategies may lie beyond it.
There are a lot of people that do "checklist" risk assessments. What sets the SEC apart from others is our focus on generating value for the organization beyond what is achieved with the typical checklist mentality. We have the experience and skills necessary to help security practitioners strategize, align and conduct their risk assessments to capture the value others miss. Contact Us to discuss how we may be able to assist you.