Ingredients of a Winning Security Assessment and What It Says About My Enterprise Risk Management (ERM) Approach
Modern businesses face a diverse set of risks and serious threats that can have adverse effects on their organizational assets and operations (i.e., missions, functions, image, or reputation) and on individuals. In the past, business leaders viewed risk management as a balancing act between cost, schedule and performance, and when that balance was well executed, managers were rewarded for a job well done. But the risk landscape is constantly changing, which demands that the evaluation and management of those risks adjust accordingly. Security is one such instance. With the rapid rise of asymmetric threats and constant attacks on computers and networks worldwide, security must be added as a fourth pillar of the risk equation, with emphasis equal to cost, schedule and performance.
Managing risk is a complex, multifaceted activity that requires the involvement of the entire organization: from senior leaders and executives providing the strategic vision and top-level goals and objectives for the organization; to mid-level leaders planning, executing, and managing projects; to individuals on the front lines operating the information systems that support the organization's missions and business functions. In my view, a winning security assessment starts with a winning cyber risk assessment. Its ingredients are the following: 1) risk framing, 2) risk assessment, 3) risk response, and 4) risk monitoring.
Effective risk management must account for the fact that organizations operate in highly complex, interconnected environments using both state-of-the-art and legacy information systems, systems that organizations depend on to accomplish their missions and to conduct important business-related functions. Leaders must recognize that explicit, well-informed, risk-based decisions are necessary in order to balance the benefits gained from operating and using these information systems against the risk that the same systems become the vehicles through which purposeful attacks, environmental disruptions, or human errors cause mission or business failure.
In my view, software security assessment is the process of testing software to find threats and determining the measures to put in place to defend against them. A security risk assessment identifies, assesses, and implements key security controls in applications, and it also focuses on preventing software security defects and vulnerabilities. Carrying out a risk assessment allows an organization to view its application portfolio holistically, from an attacker's perspective. It supports managers in making informed decisions about resource allocation, tooling, and security control implementation. Conducting an assessment is therefore an integral part of an organization's risk management process.
A successful security assessment should identify by framing, analyze by assessing, mitigate by responding, and prevent by monitoring.
Risk Framing
The first ingredient of a winning security assessment is to frame the risk, or establish a security profile: that is, to describe the environment in which risk-based decisions are made.
The purpose of the risk framing component is to produce a risk management strategy that addresses how the organization intends to assess risk, respond to risk, and monitor risk, making explicit and transparent the risk perceptions that the organization routinely uses in making both investment and operational decisions. The risk frame establishes a foundation for managing risk and delineates the boundaries for risk-based decisions within the organization. For example, determine all critical assets of the technology infrastructure, then identify the sensitive data that is created, stored, or transmitted by those assets.
Risk Assessment
The second ingredient of a winning security assessment is to assess risk within the context of the organizational risk frame.
The purpose of the risk assessment component is to identify: (i) threats to the organization (i.e., its operations, assets, or individuals) or threats directed through the organization against other organizations or a state; (ii) vulnerabilities internal and external to the organization; (iii) the harm (i.e., consequences or impact) to the organization that may occur given the potential for threats exploiting vulnerabilities; and (iv) the likelihood that such harm will occur. For example, apply a methodology to assess the identified security risks to critical assets. After careful evaluation and assessment, determine how to effectively and efficiently allocate time and resources towards risk mitigation. The assessment approach or methodology must analyze the correlation between assets, threats, vulnerabilities, and mitigating controls.
Risk Response
The third ingredient of a winning security assessment is to respond to risk once that risk has been determined from the results of the risk assessment. Incident response is often described as the "why" of security; in my opinion, without cybersecurity incidents there would be no need for a security team. The purpose of the risk response component is to provide a consistent, organization-wide response to risk in accordance with the organizational risk frame by: (i) developing alternative courses of action for responding to risk; (ii) evaluating those alternative courses of action; (iii) determining the appropriate courses of action consistent with organizational risk tolerance; and (iv) implementing risk responses based on the selected courses of action. For example, define a mitigation approach and enforce security controls for each risk.
Risk Monitoring
The fourth ingredient of a winning security assessment is to monitor risk over time. The purpose of the risk monitoring component is to: (i) verify that planned risk response measures are implemented and that the information security requirements derived from, and traceable to, organizational missions and business functions, federal legislation, directives, regulations, policies, standards, and guidelines are satisfied; (ii) determine the ongoing effectiveness of risk response measures following implementation; and (iii) identify risk-impacting changes to organizational information systems and to the environments in which those systems operate. For example, implement tools and processes that reduce the threats to, and vulnerabilities in, your firm's resources.
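As an added example (not from the article), here is a small Python risk register that carries one constructed set of risks through the four components above: the tolerance made explicit in the frame, a likelihood-times-impact assessment, a response chosen against that tolerance, and a monitoring check that credits a control only once it is verified as implemented. The 1-5 scale, the asset names, and the control effects are assumed sample values.

```python
from dataclasses import dataclass, replace

# Constructed, hypothetical register; the 1-5 likelihood/impact scale is an assumption.
@dataclass
class Risk:
    asset: str               # critical asset identified during risk framing
    threat: str
    vulnerability: str
    likelihood: int          # 1 (rare) .. 5 (almost certain)
    impact: int              # 1 (negligible) .. 5 (severe harm to the mission)
    control: str = ""        # planned risk response measure, if any
    control_effect: int = 0  # likelihood reduction once the control is in place
    implemented: bool = False

def frame(tolerance: int) -> dict:
    """Risk framing: make the organization's tolerance (max acceptable score) explicit."""
    return {"tolerance": tolerance}

def assess(risk: Risk) -> int:
    """Inherent risk: likelihood that harm occurs times the harm, before any control."""
    return risk.likelihood * risk.impact

def residual(risk: Risk) -> int:
    """Residual risk credits a control only once monitoring confirms it is implemented."""
    reduction = risk.control_effect if risk.implemented else 0
    return max(1, risk.likelihood - reduction) * risk.impact

def respond(risk: Risk, rf: dict) -> str:
    """Select a course of action consistent with the tolerance set in the risk frame."""
    if assess(risk) <= rf["tolerance"]:
        return "accept"
    if risk.control and residual(replace(risk, implemented=True)) <= rf["tolerance"]:
        return "mitigate"
    return "escalate"  # the planned control is insufficient: needs a leadership decision

def monitor(register: list, rf: dict) -> list:
    """Verify planned responses are in place and flag any risk still above tolerance."""
    findings = []
    for r in register:
        if r.control and not r.implemented:
            findings.append(f"{r.asset}: control '{r.control}' planned but not implemented")
        if residual(r) > rf["tolerance"]:
            findings.append(f"{r.asset}: residual risk {residual(r)} exceeds tolerance")
    return findings

REGISTER = [  # constructed sample data, not real systems
    Risk("customer-db", "credential theft", "no MFA on admin portal", 4, 5, "enforce MFA", 3),
    Risk("intranet-wiki", "defacement", "outdated CMS plugin", 3, 1),
    Risk("payment-api", "data exfiltration", "unpatched library", 5, 5, "monthly patching", 1),
]
FRAME = frame(tolerance=6)
```

Re-running `monitor` after each review cycle is what turns the one-off assessment into the continuous activity the article calls for.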
Finally, ERM is a company's approach to managing risk: the practices, policies, and framework for how the company handles the variety of risks its business faces.
Enterprise Risk Management (ERM) is important because it helps prevent losses and unexpected negative outcomes. In my view, it's important to understand that a winning security risk assessment isn't a one-time security project. Rather, it's a continuous activity that should be conducted at least once every other year. Continuous assessment gives an organization a current, up-to-date snapshot of the threats and risks to which it is exposed. As an organization makes, sells, and delivers goods to customers, it faces countless risks from numerous sources. To plan for these risks better, companies are turning to enterprise risk management, a company-wide, top-down approach to assessing risk and devising plans.