In the previous article, ‘Build a Cybersecurity Risk Assessment Funnel,’ we addressed the challenges facing IT directors and security leaders who are trying to reduce risk by applying a repeatable methodology to identify and report on the risk of company assets, systems, applications, and data.

We presented a four-step process to address this challenge and get your arms around it. Those steps were:

  1. Write a Data Classification Policy
  2. Differentiate ‘internal’ and ‘external’ systems
  3. Make business owners aware
  4. Build your risk assessment process

Now we’re going to pivot and drill down on the first part of that process: people.

I like to introduce this process as a funnel. The funnel is a common image used to represent a large set entering at the top and, as it narrows, only a scoped set making it out the bottom. It’s been used for business continuity plans. Here I’m going to use the funnel idea to represent our risk assessment process.

Side note: I get excited when I see the visual of a funnel! It makes me feel like if I put the time and work in, I can create some kind of virtual machine with gears. This machine reduces work and creates a beautiful product of efficient risk results.

Asher Security - Risk Assessment Process

People

People are the most important part of our cybersecurity risk assessment process. They are also the most often overlooked component. It’s easy for us (being nerds) to reach for technology first and assume everything can be solved with it. The truth is that as the cybersecurity program matures, it becomes more dependent on people.

Without considering this critical piece of our program, we will be left with an amazing process but very low ingestion and very few risk rankings, because very few people are using it.

The ‘people’ label is at the top because we want people to be where our risk assessments start.

The more groups of people in this layer of the funnel, the better the chances of success. Ideally, this layer could itself be represented by several ‘people’ layers… but before I get carried away, let’s start with the primary people group – technology.

Technology Business Analyst (BA)

What I’m seeing today in modern organizations is technology electing to have business analysts sit between the business group and the technology group. These people are technical and report up to technology leaders, but they can also speak the language of the business and understand the business units’ purpose, goals, and vision. The business analysts act as a communication proxy, understanding the business drivers and translating them into technology initiatives.

These business analysts should be your primary target for building a relationship, and you should make sure they know you have a risk assessment process. Meet with each of them, one on one, give a short introduction to the process, equip them with a document (ideally a visual), and then provide the opportunity for them to ask questions.

At this point, you don’t need to explain the policy (we’ll get to the Data Classification Policy later). We just want to introduce them to the what, why, who, and when. Plant the seed and get their gears turning.


Back-Office Groups

The data risks that exist outside the business units are often ‘normalized’ or common. We as cybersecurity professionals can make some assumptions and ask some direct questions to drive the data risk discovery outside the business unit.

For example, the business units that commonly do not have a business analyst assigned to support them are HR, Legal, Public Relations, and Facilities. We can assume HR is going to have PII and access to healthcare information or outsourced systems. We know Public Relations will have access to the company blog and the credentials for the social media accounts, and Legal will have contracts and partnership information.

Your goal is to build a solid relationship with these back-office groups. Pick one person inside each group. Ensure they know who you are, and how to find you. Explain the importance and purpose of performing risk assessments. We’ll come back later and visit them again with the Data Classification Policy, but for now, this is good.

Business Unit Leaders

I like to have a multi-layered approach to understanding the risks that exist within a business. To do this I start with the technology business analyst. After that, I start to build relationships with the business unit leaders themselves. This relationship provides an unfiltered communication channel on what the business is doing today and what they are planning to do tomorrow. I can use the conversations I had with the BA to start the initial conversation here. Everything I hear should sync up with what I have already heard.

This relationship provides accountability and additional context. If you hear something new or surprising, bring it back to the BA and discuss it. We’re not trying to beat up the BA; we are nurturing a relationship that helps everyone be more transparent.

Procurement

Follow the money. If something gets purchased, who in the company writes out the checks? Identify that person and role and build a relationship with them.

I’ve found the people in these roles are cube zombies (sorry if that hurts anyone’s feelings). What I mean is that they have a lot of work that doesn’t require other people; it’s just them and the computer. That means you can swing by randomly and say hi to them.

Ask if there have been any software application purchases or vendor agreements you should know about. After some time, ask if there is a log of vendors that are receiving payment. Remember that this procurement role is sensitive and tends to be private, so be careful when asking. Ideally, there is a read-only record that simply lists the outside vendors receiving payments, which you can keep tabs on and review.


Legal

To improve the maturity of your risk assessment process, you can fine-tune your filter and ensure nothing gets through unnoticed by building a relationship with Legal.

Who is the person, or what is the role, in the legal department that is responsible for NDAs, vendor contracts, and service level agreements? Identify this person and meet with them. Better yet, find out their favorite treat and bring it to them during the recurring meeting you set up to touch base.

Ask what they look for in contracts, and start to understand their language. I’ve found these people often want good communication with cybersecurity. There are questions they often have that they’ll lean on you for. This creates the strong relationship you’re looking for.


Summary

People are key to a successful risk assessment process. Without them, you’ll be left with a great process but no inputs. You’ll miss the critical application and vendor risks. Ultimately the business will carry significant risk and none of it will be visible.

Failing to create and maintain these relationships, and to educate the people in them, will result in a failed cybersecurity program.

In the next article, we’ll examine the second phase of the cybersecurity risk assessment funnel, the policy.
