What are your top 10 technology risks? More importantly, how do you know that? If it’s a list of the things that keep you up at night, you may be missing key risks.
One of the services we provide at RiskLens is helping organizations identify their top 10 risks out of the sea of issues in front of them. In almost all cases, the organizations we work with bring their top 10 risks to the table. By the time we leave, their top 10 looks very different.
Your top 10 may include the wrong things
For many organizations, the current process for establishing a list of top 10 risks is some combination of:
- Taking what they experienced that they know is bad yet still exists.
- Combining it with the latest scary headlines.
This amounts to putting the cart before the horse. The first part is usually OK. Those things often belong in a list of top 10. The failure is allowing industry fear mongering to guide the other items in the list. Companies focusing too much on scary issues often miss out on significant, but not obvious, risks.
Sometimes what’s scary is only so because we don’t know much about it. Other times it's nothing more than 'my gut tells me it's true'. That can leave us blind to issues of consequence that we’re dealing with but haven’t realized represent more risk than the scary things. This can be overcome by measuring the risk landscape before we determine what belongs in the top 10.
An example of fear driving your top 10
One of the most commonly misplaced risks is related to the privileged insider threat. There is tremendous hype around privileged insiders as a threat. But, does that make it a top 10 risk? The 2015 Verizon DBIR begs to differ and the 2016 DBIR report shows the continued trend. Overwhelmingly, the actors in breaches are external. Why do we keep listing privileged insiders as a top 10 risk? Every time I have this conversation the resulting answer boils down to 'that's what I feel'. When I probe to understand more, there are elements of fear and uncertainty driving the feelings. Is that the best approach to identifying your top 10?
[Figures: 2015 DBIR and 2016 DBIR breach-actor breakdowns]
Let your analyses dictate your top 10
A better way of fleshing out your top 10 risks is to conduct analyses of known issues and suspected issues affecting people, processes, and technologies. If this sounds like an enterprise assessment that’s because it is. And out of it organizations can allow the top 10 risks to bubble to the top. Only then will we truly understand where threats such as privileged insiders stand.
Allowing our analyses to dictate our top 10 should not stop us from knowing what's going on in the world. We don't turn off the news spigot and look only inward. Include those scary, newsworthy issues in your enterprise assessment. But, don't fall prey to the common mistake of assuming they belong in the top 10.
What you need to be successful identifying your top 10
What I'm advocating is a sea change in how cybersecurity and operational leadership determine the top issues that are reported to the board. To make this successful you need a mechanism to rank the results of an enterprise analysis. That's where Factor Analysis of Information Risk (FAIR) comes into play. FAIR is a method for analyzing and prioritizing risks. FAIR results answer the question of what belongs in our top 10 list.
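The ranking mechanism described above, as an added illustration that is not RiskLens's code or any official FAIR tooling: each scenario is described with FAIR's top-level factors (threat event frequency, vulnerability, and loss magnitude), each given as a calibrated min / most-likely / max range, and annualized loss exposure is simulated and ranked. The scenarios and all numbers are constructed for the example, not figures from RiskLens or the DBIR; the use of triangular distributions for the ranges is a simplification assumed here (FAIR practitioners commonly use PERT distributions and further sub-factors). The point it shows is the one the post makes: a scenario that feels like a top risk (the privileged insider) can land well below more mundane, higher-frequency scenarios once it is measured.

```python
import random
from dataclasses import dataclass
from statistics import mean, quantiles


@dataclass(frozen=True)
class Scenario:
    """One loss scenario expressed with FAIR's top-level factors.

    Each factor is a (min, most_likely, max) calibrated estimate.
    """
    name: str
    tef: tuple    # threat event frequency: threat events per year
    vuln: tuple   # vulnerability: probability a threat event becomes a loss event
    loss: tuple   # loss magnitude: dollars per loss event


# Constructed, illustrative estimates only (not RiskLens or DBIR figures).
SCENARIOS = [
    Scenario("Privileged insider exfiltrates customer data",       # the "gut" top risk
             tef=(0.05, 0.2, 0.5), vuln=(0.5, 0.7, 0.9),
             loss=(500_000, 2_000_000, 8_000_000)),
    Scenario("Phishing leads to account takeover",
             tef=(20, 50, 120), vuln=(0.05, 0.10, 0.20),
             loss=(50_000, 150_000, 500_000)),
    Scenario("Unpatched internet-facing web app exploited",
             tef=(2, 6, 15), vuln=(0.2, 0.4, 0.7),
             loss=(100_000, 500_000, 3_000_000)),
    Scenario("Unencrypted laptop lost or stolen",
             tef=(5, 12, 25), vuln=(0.3, 0.5, 0.8),
             loss=(10_000, 40_000, 150_000)),
]


def draw(rng, estimate):
    """Sample one value from a (min, most_likely, max) range.

    Assumption for this example: a triangular distribution over the range.
    """
    lo, mode, hi = estimate
    return rng.triangular(lo, hi, mode)


def simulate(scenario, iterations=20_000, seed=7):
    """Monte Carlo samples of annualized loss exposure (ALE) for one scenario.

    FAIR: loss event frequency = TEF * vulnerability; ALE = LEF * loss magnitude.
    """
    rng = random.Random(seed)
    samples = []
    for _ in range(iterations):
        lef = draw(rng, scenario.tef) * draw(rng, scenario.vuln)
        samples.append(lef * draw(rng, scenario.loss))
    return samples


def expected_ale(scenario):
    """Closed-form mean ALE, used here to sanity-check the simulation.

    The factors are treated as independent, so E[product] = product of means,
    and a triangular distribution's mean is (min + mode + max) / 3.
    """
    def tri_mean(estimate):
        return sum(estimate) / 3
    return tri_mean(scenario.tef) * tri_mean(scenario.vuln) * tri_mean(scenario.loss)


def rank_scenarios(scenarios, iterations=20_000, seed=7):
    """Rank scenarios by mean ALE; also report the 90th percentile for the tail."""
    rows = []
    for s in scenarios:
        samples = simulate(s, iterations, seed)
        rows.append({
            "name": s.name,
            "mean_ale": mean(samples),
            "p90_ale": quantiles(samples, n=10)[8],   # 9 cut points; index 8 is P90
        })
    rows.sort(key=lambda r: r["mean_ale"], reverse=True)
    return rows


if __name__ == "__main__":
    for position, row in enumerate(rank_scenarios(SCENARIOS), start=1):
        print(f"{position}. {row['name']:<48} "
              f"mean ${row['mean_ale']:>12,.0f}   P90 ${row['p90_ale']:>12,.0f}")
```

Ranking by mean ALE is one reasonable choice; a board that cares about worst plausible years may prefer to sort on the P90 column, and the two orderings can differ, which is itself useful information when deciding what belongs in the top 10.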