Cybersecurity Risk Assessment Funnel Process
Previously, in ‘Build a Cybersecurity Risk Assessment Funnel,’ we addressed the challenges facing IT directors and security leaders. We discussed how to reduce risk by applying a repeatable methodology to identify and report on the risk of company assets, systems, applications, and data.
We presented a four-step process to address this challenge and get your arms around it. Those steps were:
- Write a Data Classification Policy
- Differentiate ‘internal’ and ‘external’ systems
- Make business owners aware
- Build your risk assessment process
In this continuation blog, we’re going to pivot and drill down into the first part: people.
Cybersecurity Risk Assessment Funnel Process: Part 2 People Introduction
The people process can be introduced as a funnel. The funnel is a familiar image: a large volume enters at the top and, as it narrows, only a scoped set makes it out the bottom. It is usually used for business continuity plans, but we’re going to use the funnel idea to represent our risk assessment process.
Side note: I get excited when I see the visual of a funnel! It makes me feel like if I put the time and work in, I can create some kind of virtual machine with gears. This machine reduces work and creates a beautiful product of efficient risk results.

Risk Assessment Funnel: People
People are the most important part of our cybersecurity risk assessment process. They are also the most often overlooked component. Being nerds, it’s easy for us to reach for technology, thinking everything can be solved with it. The truth is that as the cybersecurity program matures, it becomes more dependent on people.
Without considering this critical piece of our program, we will be left with an amazing process but very low ingestion and few risk rankings, because very few people are using it.
The ‘people’ label is at the top because we want people to be where our risk assessments start.
The more groups of people in this layer of the funnel, the better the chances of success. Ideally, this layer could itself be represented by several ‘people’ layers… but before we get carried away, let’s start with the primary people group – technology.
People Primary Risk Assessment Funnel Group
1. Technology Business Analyst (BA)
In today’s modern organizations, the technology group is electing to have business analysts sit between the business group and the technology group. These people are technical and report up to technology leaders, but they can also speak the language of the business and understand the business units’ purpose, goals, and vision. The business analysts act as a communication proxy, understanding the business drivers and translating them into technology initiatives.
These business analysts should be your primary target for building a relationship, and you should make sure they know you have a risk assessment process. Meet with each of them one on one, give a short introduction to the process, equip them with a document (ideally a visual), and then give them the opportunity to ask questions.
At this point, you don’t need to explain the policy (we’ll get to the Data Classification Policy later). We just want to introduce them to the what, why, who, and when.
The point here: plant the seed and get their gears turning.
2. Back-Office Groups
The data risks that exist outside the business units are often ‘normalized,’ or common. As cybersecurity professionals, we can make some assumptions and ask some direct questions to drive data risk discovery outside the business units.
For example, the groups that typically do not have a business analyst assigned to support them are the common back-office ones: HR, Legal, Public Relations, and Facilities. We can assume HR will have PII and access to healthcare information or outsourced systems. We know Public Relations will have access to the company blog and the credentials for social media accounts, and Legal will have contracts and partnership information.
Your goal is to build a solid relationship with these back-office groups. Pick one person inside each group. Ensure they know who you are, and how to find you. Explain the importance and purpose of performing risk assessments.
3. Business Unit Leaders
It’s important to have a multi-layered approach to understanding the risks that exist within a business. To do this, we start with the technology business analyst. After that, start to build relationships with the business unit leaders themselves. This relationship provides an unfiltered communication channel on what the business is doing today and what it is planning to do tomorrow.
Use the conversations you had with the BA to start the initial conversation here. Everything you hear at this point should sync up with what you already heard; nothing should be new. This relationship provides accountability and additional context. If you do hear something new or surprising, bring it back to the BA and discuss it. We’re not trying to beat up the BA; we are strengthening a relationship that helps everyone be more transparent.
4. Procurement
Follow the money. If something gets purchased, who in the company writes out the checks? Identify that person and role and build a relationship with them.
Ask if there have been any software application purchases or vendor agreements you should know about. After some time, ask if there is any log of vendors that are receiving payment. Remember that this procurement role is sensitive and its information tends to be private, so be careful how you ask. Ideally, there is a read-only record that simply lists the outside vendors receiving payments, which you can keep tabs on and review.
5. Legal
To improve the maturity of your risk assessment process, you can fine-tune your filter and ensure nothing gets through unnoticed by building a relationship with Legal.
Who is the person, or what is the role, in the legal department responsible for NDAs, vendor contracts, and service level agreements? Identify this person and meet with them. Better yet, find out their favorite treat and bring it to the recurring meeting you set up to touch base.
Ask what they look for in contracts and start to learn their language. These people often want good communication with cybersecurity, and they will have questions they’ll lean on you to answer. This creates the strong relationship you’re looking for.
Cybersecurity Risk Assessment Funnel Summary
People are key to a successful risk assessment process. Without them, you’ll be left with a great process but no inputs. You’ll miss the critical application and vendor risks. Ultimately, the business will carry significant risk and none of it will be visible.
Failing to create and maintain these relationships, and to educate the people in them, will result in a failed cybersecurity program.
In the next article, we’ll examine the second phase of the cybersecurity risk assessment funnel, the policy.