Don’t Stick Your Head in the Sand

Cybersecurity threats are complex. Companies must figure out how to manage digital risks that are unique and ever-changing. The nature of these risks varies significantly, depending on industry, organizational culture, business practices, and IT infrastructure complexity. It is incumbent, then, on each and every organization to gain as much insight into its digital risk profile as possible. Companies that have a deep understanding of their information security risks are unquestionably in a stronger position to effectively manage risks and mitigate problems.

One important step that corporate leaders can take is to commission an independent third-party security risk assessment every year. Risk assessments typically evaluate the security threats facing an organization, the vulnerabilities of its environment, the likelihood that a threat will be realized, and the impact that a realized threat could cause.

Risk assessments provide organizations with the actionable intel they need to manage security risks. Security risk assessments―when done effectively―take a holistic approach that closely examines governance, operations, and technology risk factors. Assessments that focus exclusively on the technical controls―“checklist” audits that simply confirm whether a particular control exists―are less helpful to risk managers because they ignore key organizational issues that likely also contribute to security risks.

For example, consider an organization with a stringent password policy. The policy requires 16 characters, several special characters, and password changes every 60 days. On paper, this appears to be a best-in-class security control. In practice, though, that policy may not even be enforced throughout the enterprise. Perhaps senior management worries that frequent password changes may frustrate the sales team, which is frequently on the road and up against tight deadlines. As a result, management grants the sales team a “special exemption.” In this hypothetical, the organization may “pass” a superficial audit focusing simply on whether the control (i.e., the password policy) exists. But the risk assessors would entirely miss the crucial opportunity to observe how the organizational culture itself―in this case, a culture that picks convenience over security―creates a security vulnerability.

Cyber regulators also understand the importance of security risk assessments. Consider, for instance, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (“OCIE”). What’s striking about the OCIE cybersecurity module is its emphasis on nontechnical subject matter such as risk assessments. Checklist audits fall far short here.

Security risk assessments provide a way for a business to assess its cybersecurity strengths and weaknesses, and measure cybersecurity progress year over year. A business that is able to show that it actively manages cybersecurity risks―through its risk assessments―is in a much more defensible position.

To learn more about Tensyl’s risk assessment approach, click here.

David Garrett