In 2021, as part of a Security Barometer quick poll, the SEC surveyed security practitioners to explore the realm of risk assessments. In particular, we wanted to determine whether risk assessments were being done for proactive or reactive reasons.
In general, risk assessments should be performed as a starting point to identify and better define the undesired factors that could inhibit the organization in achieving its goals. Following that logic, risk mitigation strategies should be based on, and supported by, risk assessments.
Conducting security risk assessments is also a way to connect with the business side, for example, reviewing the results with senior management to obtain concurrence on the risks, priorities, and risk mitigation strategies.
Risk is always evolving. Re-performing risk assessments allows the organization to acknowledge how the environment is changing and whether changes in risk mitigation strategies are warranted.
Risk assessments have a real cost and an opportunity cost. It is frequently much easier to delay risk assessments until an adverse event occurs or a mandate arises. However, waiting for proof that risk mitigation was needed, or invoking disaster recovery after the fact, will almost always cost the organization more than performing risk assessments proactively.
Next Steps
Many people can perform risk assessments but that is only one step in a much larger process. The Security Executive Council has the people with the knowledge and experience to utilize the results of risk assessments for communication to management and to guide mitigation efforts for maximum benefit to the organization.
Contact us to discuss your risk management plans.