Who is in charge of assessing information risk in your business? Here at Ascentor, we are really strong advocates of Information Risk Management as a tool to effectively and efficiently manage the information risks faced by businesses of all shapes and sizes. But it needs to be done properly if it’s to have the desired effect.
IRM is a discipline whose purpose is to understand an organisation’s information risks and then implement optimised, appropriate, pragmatic and cost-effective mitigating controls. There are many aspects to an IRM system but plum square in the centre is the risk assessment.
If the risk assessment does not reflect the business then there is a strong likelihood that the output will be inaccurate, which could lead to unrealistic security controls (either too much or not enough security). Getting the risk assessment “right” is a critical aspect of IRM, so what are the skills and experience needed by the person carrying out this critical task?
Seven crucial skills your risk assessor needs
Diplomacy and tact: whether the risk assessment is part of a gap analysis, a snap shot for a new system, or as part of an annual review, for the assessment to reflect reality the truth must be obtained about what really happens, as opposed to what the business thinks should happen. The assessor must be able to get to the facts without alienating, upsetting or making people worried. To make this happen, senior management must be fully behind the exercise and accept that uncovering the truth (however unpalatable it might be) is key, so that people offer their knowledge without fear of recriminations.
Excellent communicators: the ability to talk and listen to any level within the organisation, from shop floor to board room. For example, the language used when speaking to the IT department is completely different to that used when talking to HR, and your risk assessor must be able to make everyone feel at ease and confident so that they talk freely.
Qualified and Experienced: Having a recognised professional security qualification does not in itself mean your risk assessor will provide you with an effective assessment. Combine qualifications with experience and knowledge of different risk assessment methods, and then your assessor will be able to execute an effective risk assessment that reflects reality, and give practical advice on what is most appropriate for your business.
Business Focused: IRM is all about making sure the security applied to valuable information is appropriate and cost-effective. The assessor needs to keep this as a central tenet when carrying out the assessment and therefore requires a good understanding of the businesses. Security runs through all areas of the business. During the assessment, it may be evident that changing business processes may reduce risk and reduce cost whilst still achieving the business aim.
A thorough understanding of technology: Information security is more than IT security but IT has a massive part to play so the assessor must be able to understand the strengths and weaknesses of modern ICT technology so that vulnerabilities can be identified when interviewing IT staff or assessing architectures and designs.
Vendor and technology-neutral: Your assessor needs to stay focused and neutral. During the risk assessment, it’s important to concentrate on what the risks are and not to get distracted by potential solutions until the risks are fully understood.
Holistic viewpoint: The scope of the risk assessment will influence this, but security stripes across all parts of a business and it may be that the assessor identifies something that would not normally be seen. This could be a good thing or a bad one but the important point is that it is identified so that the business can make an informed choice about how to deal with it.
Do you have this shaped person in your company carrying out your risk assessments? If you do, that’s great. They will be doing a fantastic job helping your company avoid a costly information security incident. If you don’t and you would like an independent person to assess your information risks, use this checklist as a guide to help you find them, and make sure they are truly independent and vendor-neutral.
If you would like to find out more about what an information risk assessment is and how Information Risk Management (IRM) can help your business please give Dave James a call.
Telephone: 01452 881712 or 07787 506889
Email: [email protected]