In last month’s post, I discussed evaluating software patches
and vulnerabilities against strategic risk in order to effectively prioritize
your patch management resources. Traditionally, frameworks use tools such
as risk registers and the risk matrix to help organizations identify and
organize risk based on likelihood and impact. These can be valuable tools,
but by themselves they tend to produce generalized lists of issues and
symptoms that are not adjusted for bias and do not promote strategic thinking.
To gain some strategic perspective, I prefer to align the
discussion with organizational priorities by asking two key questions:
· What are we trying to protect?
· What are we protecting it from?
What are we trying to protect?
To be effective we need to protect those assets that are of
strategic value to the organization. Although these “assets” can be physical
assets such as equipment, facilities and property, I prefer to look deeper into
the organization to identify items of greater value. Many
companies and organizations have committed significant resources to identifying
their core values or overarching goals; these are a great place to start!
Other recommendations include those items that set you apart
from the competition or that carry regulatory or legal concerns, such as:
· Intellectual property
· Personally identifiable information (PII)
· Medical records
· Customer information and payment records
The key to successfully identifying your strategic assets is
to set up a cross-functional team and avoid silos. Many organizations rely on
a limited number of technical experts who fail to challenge each other and
disagree. Identify and involve the stakeholders who are accountable for, and
who set, the organization’s goals and priorities. Don’t take a “one and done”
approach; take an agile mindset, be iterative, and adapt and evolve with your
organization.
What are we protecting it from?
Risk sources and threat vectors are any force, deliberately
or inadvertently, seeking to harm your organization. These can be both internal
and external to your company. Quite often the most impactful vectors are
well-meaning insiders or trusted partners. Examples include:
· Changing regulatory and/or market conditions
· Competition and adversaries
· Hackers and criminal activities
· Well-meaning insiders and trusted partners, as well as those with malicious intent
Define your attack surface
Your attack surface is where your strategic assets and threat
vectors meet individual risks. Begin by asking your business and technical
experts what vulnerabilities and exploits exist that threaten your strategic
assets through the identified risk sources and vectors. You may well discover
additional threat vectors, or assets with significant value, that were not well
understood or easily identified. Continue to develop your understanding and
your organization’s awareness; be iterative!
Putting it all together
Every organization is subject to the same vulnerabilities
and exploits, but the risk they pose is as unique as the organization they
affect. Through a rich understanding of our assets and what we are trying to
protect them from we can take measured and appropriate action. Try to
understand the motivation and root cause behind each risk. Adding technical
controls or products where policy and training are appropriate just adds more
overhead and risk. Select your controls and mitigation strategies carefully,
and measure their effectiveness against your strategic objectives. Be
iterative: wash, rinse and repeat!
Great article and valuable addition to the knowledge base for project management practitioners!