How to Ensure Your Cybersecurity Risk Assessment Results are Actionable
When I think about how to get the maximum value from a cybersecurity risk assessment, I am frequently reminded of the old saying, “Give me six hours to chop down a tree and I will spend the first four sharpening the axe.” The key to optimizing your results is planning. My November blog offered ideas and considerations on planning the scope of your cybersecurity risk assessment. To recap, it’s important to be intentional when planning your scope, and ensure your scope supports efficiency and helps maximize the value of your assessment by focusing on the overall goal of risk reduction. However, it’s crucial to keep in mind that the risk reduction value of the assessment comes from what you do with the results.
In this post, I’ll share how to plan your assessment to ensure the output of your cybersecurity risk assessment provides actionable results that support your organization’s risk reduction goals.
What is a Cybersecurity Risk Assessment?
In general, a cybersecurity risk assessment involves identifying what you need to protect (e.g., sensitive data, critical systems) and the vulnerabilities and potential threats associated with those assets. Each vulnerability and threat is then assessed for the likelihood and potential impact of an exploit, taking into account existing security controls (technical or non-technical) that may lower that likelihood or impact. Assessing your cybersecurity risks is an important step in the NIST Cybersecurity Framework (NIST CSF). (For more information on the NIST CSF, read our Beginner’s Guide to NIST CSF or Planning your 2022 NIST CSF Maturity Gains.)
The resulting risk rating should help your organization prioritize any needed risk reduction actions, which are typically either addressing identified vulnerabilities, implementing new security controls, or strengthening existing controls.
Getting the Most From Your Assessment Results
The act of performing the assessment does not reduce your risk, so it makes sense to plan the output to support a quick transition to risk reduction activities. To get the maximum value from your cybersecurity risk assessment, incorporate the following strategies to ensure your results are actionable and prioritized.
- Identify your goals: What does your organization want to gain from this exercise? This question is worth asking your organizational stakeholders during your cybersecurity risk assessment planning process.
  - Tip – Remember that sometimes less is more. If your organization is looking to identify 5 impactful security changes or initiatives to tackle in the coming year, then producing an assessment with 50-100 recommendations may not be a good use of resources. You may be better off quickly homing in on the top 5 risks and remediations and then shifting your resources to risk reduction activities.
  - How can you home in on the top risks quickly? There are a few ways:
    - Identify high-value assets and data.
    - Focus on the most likely threat scenarios.
    - Consider which scenarios would have the greatest negative impact on your organization, whether the impact is financial loss, business disruption, reputation damage, legal/regulatory impacts, or a combination of these.
- Consider the structure: Cybersecurity risk assessments can be structured in several ways, such as asset-based, threat-based, or vulnerability-based. The structures typically include the same elements – assets, threats, vulnerabilities, likelihood, impact – but the elements get matched up and presented in different ways. Each approach has pros and cons, which are worth weighing up front to determine the best structure for your goals.
  - For example, if you are looking to prioritize overall risk treatment activities with an eye toward ROI, a vulnerability-based approach keeps you focused on identified gaps and weaknesses and the risk level they present for your environment.
  - If your goal is reducing risk to specific high-value systems or data, an asset-based approach can help identify specific threat scenarios and the best ways to guard against them.
- Reduce repetition: Many risk assessments produce a lot of repetition. This adds time and work but doesn’t add value. To reduce repetition, I recommend addressing enterprise-level risks once, rather than repeating them for each asset in the cybersecurity risk assessment scope.
  - Examples of enterprise-level risks include gaps in incident response preparedness, security awareness training weaknesses, and lack of cybersecurity insurance. Each of these gaps presents risk across the organization and across assets and data types. They are all important, so cover them once for efficiency, but don’t repeat the finding or recommendation for each asset or threat scenario.
- “Roll up” your risks wisely: Concise and efficient output is important, but be careful. It can be useful to “roll up” vulnerabilities to a high level to present the results, but the finding then has to be “unrolled” to make it actionable and assign it to the right person for follow-up, which can mean rework.
  - For example, your assessment identifies several authentication weaknesses across multiple applications, which may be managed by different POCs or departments. In the big picture of organizational risk, it makes sense to report that at a high level, but you also want to capture the details that support assignment and action. Which applications had weaknesses? Were they related to password length deficiencies, lack of multi-factor authentication, or something else? Plan in advance where and how you will capture these details to support assignment and remediation at the more detailed “unrolled” level.
- Keep the focus on the risks, not unnecessary formality: A good friend of mine who had a long background as a senior bank examiner reminded me to focus on the substance and results, not a complex layout or a high level of formality. He advised taking your existing asset ledger and adding columns for data sensitivity level, primary mitigating controls, and risk levels. That’s it! Keep it simple, identify your risk, and make plans to reduce risk if it is too high. Extra time spent on formality or fanciness is time that could be spent on risk reduction measures instead.
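As an added illustration of the strategies above (not code from the original post), this small Python register scores residual risk from likelihood, impact and mitigating-control strength, records enterprise-level risks once, and rolls findings up by category for reporting while keeping the unrolled per-asset owner assignments; the findings, scales and owners are constructed sample data.

```python
from collections import defaultdict

# Constructed sample findings (assumed 1-5 likelihood/impact scales, control strength 0.0-1.0).
# Each row is an "unrolled" detail: asset, category, likelihood, impact, control_strength, owner, scope.
FINDINGS = [
    ("HR portal", "authentication", 4, 4, 0.25, "HR IT", "asset"),
    ("Billing app", "authentication", 4, 5, 0.0, "Finance IT", "asset"),
    ("VPN", "authentication", 3, 5, 0.5, "Network", "asset"),
    ("Enterprise", "incident response", 3, 5, 0.0, "CISO", "enterprise"),
    ("Billing app", "incident response", 3, 5, 0.0, "Finance IT", "enterprise"),  # duplicate
    ("Enterprise", "security awareness", 4, 3, 0.5, "CISO", "enterprise"),
    ("File share", "patching", 2, 3, 0.5, "Infra", "asset"),
]

def residual_risk(likelihood, impact, control_strength):
    """Inherent risk (likelihood x impact) reduced by the strength of existing controls."""
    return round(likelihood * impact * (1 - control_strength), 1)

def risk_register(findings):
    """Build the ledger: one row per asset-level finding, enterprise-level risks only once."""
    rows, seen_enterprise = [], set()
    for asset, category, lik, imp, ctrl, owner, scope in findings:
        if scope == "enterprise":
            if category in seen_enterprise:
                continue  # already covered at the enterprise level; do not repeat per asset
            seen_enterprise.add(category)
        rows.append({"asset": asset, "category": category, "owner": owner,
                     "scope": scope, "risk": residual_risk(lik, imp, ctrl)})
    return rows

def roll_up(register):
    """Executive view: one line per category (highest risk), with unrolled assignments kept."""
    groups = defaultdict(list)
    for row in register:
        groups[row["category"]].append(row)
    summary = [{"category": cat,
                "risk": max(r["risk"] for r in rows),
                "assignments": [(r["asset"], r["owner"]) for r in rows]}
               for cat, rows in groups.items()]
    return sorted(summary, key=lambda s: s["risk"], reverse=True)

def top_n(summary, n=5):
    """The handful of risks to hand to the remediation team first."""
    return summary[:n]

if __name__ == "__main__":
    for line in top_n(roll_up(risk_register(FINDINGS))):
        print(f"{line['risk']:>5}  {line['category']:<20} -> {line['assignments']}")
```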
What should you do with the results? Reference my previous blog for guidance on using your risk assessment results to prioritize, plan, and track your risk treatment activities. I hope you find these tips helpful!
Would you like advice or support assessing risk in your environment? LMG Security’s experienced consultants can work through this process with you to assess risk and identify realistic, actionable ways to reduce risk and improve your organization’s overall cybersecurity posture. Please contact us; we’re ready to help!