We work on all these security controls, and then sit back and marvel at how well we have secured our system.
Should we think of our secure system as secure only at a single point in time, one that needs us to constantly attend to it and be prepared to make changes to improve our security posture?
The real question has nothing to do with security. You should be asking yourself if your business functions are working effectively while these security controls are engaged. Risk should be about the organization, not the system. Infrastructure, security and otherwise, exists to make the business efficient.
These are the basics of a risk assessment and what it should uncover:
- The assessment is designed around risk and the organization's aversion to it.
- It asks the question, “If something happens, what is the impact to the business?”
- A risk assessment inherently determines that risk: the likelihood of something happening and the impact if it does.
- Fault tolerance is the ability to keep running when there is a breakdown in the system or service.
- Redundancy allows operations to continue when the primary service is unavailable.
How do you determine risk? First, start with understanding what the system is supposed to do. How does the business input information, work with information, and dispense information?
Once the operations are defined, we can learn where the critical path lies to keep the business running. From there, we can identify the possible threat sources and threat events, the likelihood that one occurs, and the impact it would have, not on the system but on the way the business operates. For example, if the business relies on a specific database, then the database is part of the critical path. Therefore, we should put our efforts toward protecting that database, rather than the informational website that tells clients about the services offered.
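As an added example (not part of the original post), here is a small risk register in Python that scores each asset by likelihood times impact on the business, lowers the impact where redundancy or fault tolerance exists, and ranks critical-path assets ahead of the rest. The assets, ratings, and the x2 critical-path weighting are constructed assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass
class Threat:
    name: str
    likelihood: int  # 1 = rare ... 5 = expected
    impact: int      # 1 = negligible ... 5 = business stops

@dataclass
class Asset:
    name: str
    on_critical_path: bool
    threats: list
    redundancy: bool = False      # standby service takes over if primary fails
    fault_tolerant: bool = False  # keeps running through a component failure

def residual_impact(threat: Threat, asset: Asset) -> int:
    """Impact after controls. The reductions are assumed values for illustration."""
    impact = threat.impact
    if asset.redundancy:
        impact -= 2
    if asset.fault_tolerant:
        impact -= 1
    return max(1, impact)

def risk(threat: Threat, asset: Asset) -> int:
    """Risk = likelihood x impact on the business, after controls."""
    return threat.likelihood * residual_impact(threat, asset)

def rank_assets(assets: list) -> list:
    """Rank assets by worst-case risk; critical-path assets weighted x2 (assumed)."""
    rows = []
    for asset in assets:
        worst = max(risk(t, asset) for t in asset.threats)
        weight = 2 if asset.on_critical_path else 1
        rows.append((asset.name, worst * weight))
    return sorted(rows, key=lambda row: row[1], reverse=True)

# Constructed sample register: a critical-path order database and an informational website.
ORDER_DB = Asset("orders database", True,
                 [Threat("ransomware", 3, 5), Threat("disk failure", 4, 5)])
WEBSITE = Asset("marketing website", False,
                [Threat("defacement", 3, 2), Threat("hosting outage", 4, 2)])
ORDER_DB_REPLICATED = Asset("orders database (with failover replica)", True,
                            ORDER_DB.threats, redundancy=True)

if __name__ == "__main__":
    for name, score in rank_assets([ORDER_DB, ORDER_DB_REPLICATED, WEBSITE]):
        print(f"{score:3d}  {name}")
```

Adding a failover replica drops the database's score from 40 to 24, yet it still outranks the website; spending goes to the critical path first.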
Security makes the business more robust by thwarting attacks. If you don’t know what your risks to the business are, then you may not know how to spend your money effectively. We don’t forget about the other systems; we simply prioritize. This is why risk assessments are part of security practice.
Since threats are ever-changing, our systems should adapt. The risk assessment shows you how. If you would like to discuss how a risk assessment can help your organization, reach out to me.