Bringing Clarity to Risk Assessment with a Top-Down Approach

Every organization is threatened by risk, but assessing that risk is harder than ever before. In this post, you’ll learn what makes risk assessment so difficult and how a top-down approach to measuring risk can help organizations make better decisions.

Why is measuring risk so difficult these days?

Here are four reasons.

1. Disparate, varied IT assets

Never has a company’s data been so far-flung. IT architectures and endpoints are more varied and distributed than ever. Some systems are on-premises, some are in the cloud, and the latter are probably distributed across several cloud providers and likely hundreds of SaaS applications.

When employees switched to a work-from-home (WFH) model last year, many began using BYOD for work.  Companies are increasing their use of IoT devices, ranging from weather sensors to heart monitors to video cameras.

2. IT complexity

Twenty years ago, IT risk assessments mostly consisted of counting employees’ PCs and the servers in data centers, looking at likely vulnerabilities for various models of hardware, and producing a report. Today, the IT assets to be cataloged and analyzed might be distributed over 50 offices, 500 data centers (most which belong to other companies), and 10,000 home networks.

The age of large, monolithic applications is over. For example, a mobile banking application might rely on 75 different IT components to work.  To assess the application’s risk, you need first to determine how all those components interoperate. Then you need to assess the risk associated with each of the components. Those risks need to account for everything from login activity to patch status.

When you’ve done all that work — hopefully using up-to-date data— you’ve successfully assessed the risk of a single application. Chances are that your organization has other business-critical assets for you to assess as well.

3. Sophisticated security attacks

Businesses are under attack by a growing collection of cybercriminals, many of whom have access to highly sophisticated technologies.

Twenty years ago, attackers were mostly computer programmers interested in finding ingenious ways to cause trouble. Today, attackers include nation states, criminal syndicates, and malicious “script kiddies” willing to spend fifty bucks on the Dark Web to buy a malware or a credential-stuffing script and a list of corrupted credentials.

And attackers are relentless, firing off both innovative and tried-and-true forms of attack, hoping for any lapse or breach in an organization’s security. Any lapse in IT defenses or employee behavior can lead to a data breach, a ransomware attack, or some other form of attack is costly in terms of lost sales, imposed fines, and degraded reputation.

4. Shared responsibilities

A recent trend in risk management calls for sharing risks more broadly with business units. Executive teams and boards of directors are asking business unit leaders to step up and take responsibility for the risk affecting their operations. This new shared responsibility forces business leaders to take a more active role in setting priorities for risk assessments and ensuring that the right risks are measured and duly weighted.

The importance of taking a top-down approach to measuring risks

The goal is to account for the complexity of today’s IT environments, while reducing the scope of analysis to something practical for executive decision-making. When business leaders know their most significant risks, they can set goals and make decisions without getting lost in technical details.

Start by asking, “What does our company have to protect?” Determine what’s most important to your company’s operations. Next, ask, “Where do these core assets live?” A set of data centers? In specific facilities outside of the country? What are the risks associated with each of those locations?

Third, ask, “What else do these core assets depend on?” For example, if you’re a fintech company offering a mobile app for your consumers, that app’s reliability and performance matter a great deal to your brand. What are all the interdependencies of that mobile app? Map all those interdependencies, then analyze the risk associated with each of those components.

Assessing the risks of key components likely involves cloud services and services hosted by third parties like Amazon Web Services (AWS).

If your risk assessment tools can’t access third-party services and cloud providers, can they at least monitor the endpoints connected to those services and cloud providers? That would begin to give you a sense of how your company’s interactions with those third parties may be increasing overall risk.

Measuring risk is an ongoing strategic activity

You’ll know if you have an effective practice in place for measuring risk if it provides ongoing guidance for making business decisions. To provide that guidance, your best practice for measuring risk should be:

• Continuous: When risk data is current, you can trust that you’re basing decisions on the technology and vendors you’re working with now, not a different set you were working with three months ago. To achieve continual updates to your risk analysis, you’ll need real-time data about endpoints and other IT assets and automation to collect and organize the data in a centralized place.
• Prioritized: Risk-assessment practices should make it easier to prioritize risks and risk mitigations in your organization’s strategic goals. Have risk scoring in place so that you can compare, for example, the risk of moving a data repository from on-premises to a trusted cloud provider to save money.
• Accessible: You can easily access risk assessment risks whenever necessary. You don’t have to dig through 43 Excel spreadsheets to find the analysis you’re looking for. You’ve got risk reporting that you can access quickly as part of the company’s ongoing decision-making.

Business is moving faster than ever. IT environments are vast and complex. By adopting a top-down approach to measuring risk and taking advantage of real-time data collection and automation, you can build the risk measurement practice you need for guiding the organization through growth and transformation in the years ahead.