Thinking Clearly About Risk Assessments
Adapted from Guide for Conducting Risk Assessments (NIST Special Publication 800-30, Revision 1). September 2012.

(This article was originally posted on June 10, 2024, on my Enabling Board Cyber Oversight™ blog series as Thinking Clearly About Risk Assessments)


If I had an hour to solve a problem and my life depended on the solution, I would spend the first 55 minutes determining the proper question to ask.

– Albert Einstein

Introduction

There are few Einsteins out there who can solve the problem of establishing, implementing, and maturing an enterprise cyber risk management (ECRM) program and its attendant cybersecurity strategies. Few, if any, organizations pause at all, let alone spend the majority of their time determining the proper question to ask. Too many organizations (in healthcare, most of them) continue their tactical, technical, spot-welding approaches.

We’re long overdue to switch to a strategic, business-oriented, and architectural approach to ECRM. In this article, I’ll explore one aspect of the problem and suggest solutions. My book, Enterprise Cyber Risk Management as A Value Creator | Leverage Cybersecurity for Competitive Advantage, covers the problem and solutions more broadly.

So, What’s the Problem?

I’ve been asked many times what the root causes are of the mess we find ourselves in regarding all the failed ECRM and cybersecurity efforts. Depending on the day you ask me and on the most recent mega cyberattack or data breach to hit the press, I may change the order, but I always list these three root causes:

  1. Risk illiteracy
  2. Lack of C-suite/board accountability
  3. Failure to appreciate the potential strategic value of ECRM

In this post, I’ll focus on the part of risk illiteracy that tightly connects with “spending the first 55 minutes determining the proper question to ask.” Earlier this year, I wrote a four-part series on risk illiteracy, starting with Cyber Risk Illiteracy – 1 – Stomp Out Risk Illiteracy. I’ll not repeat that series here.

Here, I am focused on the essential and foundational importance of conducting comprehensive, enterprisewide risk assessments, also known as risk analyses.

Why Risk Assessments?

Call me old fashioned or attribute it to my training in mathematics: the first step in proving a theorem or solving a problem is constructing the problem statement. Doesn’t everyone start solving problems that way? Apparently not when it comes to ECRM and cybersecurity! Too many organizations practice fire-ready-aim.

Your cybersecurity strategy, set of tactics, and operational activities must be aimed at reducing your risks (and leveraging your cyber opportunities!). I’ll stick with cyber risks in this article and save the discussion of leveraging cyber opportunities for a subsequent article.

Without a comprehensive, enterprisewide risk assessment, how will you build a strategy, tactics, and operational capabilities to address your unique risks? That’s correct—your unique risks. Some organizations, like lemmings, adopt the old controls-checklist approach and usually spend too much on solutions they don’t need and too little on solutions they need badly.

Risk Assessments in Healthcare, As an Example

For organizations in the healthcare ecosystem, the requirement for risk assessments is codified in the HIPAA Security Rule as the first implementation specification in the first standard, in the first safeguards area of the rule at 45 CFR §164.308(a)(1)(ii)(A).

Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.

In addition to the longstanding requirement to understand your unique risks before trying to solve them, risk analysis is a critical component of HIPAA compliance. Unfortunately, 90% of organizations investigated by the Office for Civil Rights (OCR) following a reported data breach or cyberattack on electronic protected health information (ePHI) fail to present an OCR-Quality® Risk Analysis to OCR.

This dismal performance continues to occur in the face of OCR issuing Guidance on Risk Analysis Requirements under the HIPAA Security Rule in July 2010, not to mention that the HIPAA Security Rule was published in the Federal Register in February 2003.

Notwithstanding OCR’s educational and enforcement efforts, most healthcare organizations and the so-called business associates who serve healthcare covered entities still fail to conduct comprehensive, enterprisewide risk analyses and implement effective risk management strategies.

Risk Assessment Requirements in Other Industries

Based on my discussions with C-suite executives, board members, and CISOs outside of healthcare, I don’t believe the “90% club” is unique to healthcare. Few organizations understand risk in general and cyber risk in particular. See the series I mentioned, Cyber Risk Illiteracy—1—Stomp Out Risk Illiteracy, for more on that subject.

Risk oversight is one of the top three responsibilities of a board of directors, along with strategy and leadership. Public company boards have had to disclose their role in overall risk oversight since February 28, 2010, according to an SEC final rule, Proxy Disclosure Requirements. As another specific example of risk-related disclosure, audit committees of New York Stock Exchange-listed companies must disclose policies concerning overall risk assessment and risk management.

Depending on your industry, you likely have additional guidance, specific requirements, or standards you must follow related to cyber risk assessments. For example, the New York Department of Financial Services (NYDFS) requires organizations that operate under its Banking Law, the Insurance Law, or the Financial Services Law to complete a risk assessment following specific language in Section 500.9 Risk Assessment of New York State Department of Financial Services 23 NYCRR 500, Cybersecurity Requirements for Financial Services Companies.

To add to the list, GDPR, GLBA, FERPA, and PCI DSS include language and requirements about conducting a comprehensive risk assessment as part of an organization’s data privacy and security program.

Conclusion – Actions to Take Now

Take Einstein’s advice! Before you dive into a tactical-technical-spot-welding controls arms race, understand your unique risks.

Very specifically, if you still need to complete a comprehensive, enterprisewide risk assessment, do that as soon as practical. Seek assistance if you need it. If you believe or have been told that your organization has conducted one, have it assessed immediately. Don’t become the next member of the “90% club.”

Check out the processes described in NIST SP 800-39 Managing Information Security Risk and NIST SP 800-30 Guide for Conducting Risk Assessments, which cover risk assessment and management in detail.

Strategically, advocate for a risk-based approach to cybersecurity. A recent article by the World Economic Forum advises,

“Adopting a risk-based cybersecurity model also confers benefits beyond simply preventing cyber-attacks. It builds resilience and agility, and this method of continuously assessing and adapting makes for more streamlined and competitive organizations more generally.”

In addition to the educational content and actions recommended in this article, to learn more you may wish to pick up a copy of Enterprise Cyber Risk Management as A Value Creator | Leverage Cybersecurity for Competitive Advantage or Stop The Cyber Bleeding: What Healthcare Executives and Board Members Must Know About Enterprise Cyber Risk Management (ECRM).

Chris P.

Cyber Planner, US Cyber Command

6mo

Bob Chaput, Thank you for your continued lessons in risk assessments. Out of curiosity, do any particular risk assessment frameworks **most** resonate with you? Why?
