During a client engagement, I listened to two experienced information security risk professionals lament the results of a recent vendor risk assessment survey. The results flagged several “High Risk” vendors that needed attention, but the two of them couldn’t tell which “High Risk” vendors posed the most pressing or biggest threats to the company. Instead, they bemoaned the toil of sifting through the results, laughed (a better alternative to crying) about balancing an unending amount of work against limited time, and then had the same discussion about a business manager who didn’t understand why the new application he had requested was considered “High Risk.”

Just listening, I was vicariously frustrated by the limited view of risk that compliance checklists provide. A compliance checklist approach to assessing vendor risk, or any risk, can give the impression that everything labeled “High Risk” poses comparable risk to the company. This is problematic because checklists are just lists of practices, not tools for assessing risk based on a model of the factors that actually create risk. At RiskLens, we use the FAIR model, which factors in the frequency and magnitude of loss to express risk in dollar terms. A one-dimensional (i.e. yes/no compliance checklist) approach to risk assessment can produce:
- Indistinguishable “High Risks” (or “Medium” and “Low” categories for that matter)
- A good deal of uncertainty
- The Boy-Who-Cried-Wolf effect (because how many times can you cry that some vendor, new application, etc. is “High Risk” before business managers become inured to the label?)
A FAIR analysis instead asks the questions a checklist cannot answer:
- “How often” does xyz bad thing happen?
- “What controls are in place to prevent it from happening?”
- “How much” would it cost? Often a function of “how many” records (e.g. PCI, PII, PHI) would be affected.
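To make the contrast concrete, here is an added example of my own (not code from the original post, and not a RiskLens tool) that scores two hypothetical vendors both ways. The checklist gives each the same count of failed controls and therefore the same “High Risk” label; a small Monte Carlo over “how often” (loss events per year), “how many” (records per event) and “how much” (cost per record) puts the two in dollar terms and separates them by a wide margin. The vendor names, control questions and all estimate ranges are constructed for illustration; sampling each range as a triangular distribution and drawing event counts from a Poisson process are my simplifying assumptions, not the FAIR standard’s prescribed method.

```python
import math
import random
from dataclasses import dataclass

# Everything below is constructed for illustration: hypothetical vendors,
# hypothetical control questions and made-up estimate ranges.


@dataclass(frozen=True)
class Range:
    """Min / most-likely / max estimate, sampled as a triangular distribution
    (an assumption standing in for the PERT-style ranges analysts typically use)."""
    low: float
    likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.likely)

    @property
    def mean(self) -> float:
        return (self.low + self.likely + self.high) / 3.0


@dataclass(frozen=True)
class VendorScenario:
    name: str
    checklist: dict                 # control question -> True if in place
    loss_event_frequency: Range     # loss events per year ("how often")
    records_affected: Range         # records exposed per event ("how many")
    cost_per_record: Range          # dollars per record ("how much")


def checklist_rating(vendor: VendorScenario, high_threshold: int = 2) -> str:
    """The one-dimensional view: count 'no' answers and bucket into a label."""
    failures = sum(1 for in_place in vendor.checklist.values() if not in_place)
    if failures >= high_threshold:
        return "High"
    return "Medium" if failures == 1 else "Low"


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's method: number of events in one year at annual rate lam."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= limit:
            return k - 1


def simulate_annual_loss(vendor: VendorScenario, iterations: int = 20000,
                         seed: int = 7) -> list:
    """Monte Carlo: per simulated year, draw an event rate, draw the number of
    events, and sum records * cost-per-record across those events."""
    rng = random.Random(seed)
    losses = []
    for _ in range(iterations):
        rate = vendor.loss_event_frequency.sample(rng)
        total = 0.0
        for _ in range(poisson(rng, rate)):
            total += vendor.records_affected.sample(rng) * vendor.cost_per_record.sample(rng)
        losses.append(total)
    return losses


def expected_annual_loss(vendor: VendorScenario) -> float:
    """Closed-form mean for independent factors: E[events] * E[records] * E[cost]."""
    return (vendor.loss_event_frequency.mean * vendor.records_affected.mean
            * vendor.cost_per_record.mean)


def summarize(losses: list) -> dict:
    ordered = sorted(losses)
    pct = lambda p: ordered[min(len(ordered) - 1, int(p * len(ordered)))]
    return {
        "mean": sum(ordered) / len(ordered),
        "p50": pct(0.50),
        "p90": pct(0.90),
        "p_any_loss": sum(1 for x in ordered if x > 0) / len(ordered),
    }


# Same two failed controls on each checklist, very different loss exposure.
VENDOR_A = VendorScenario(
    name="Payroll SaaS (full employee PII)",
    checklist={"MFA for admins": False, "Annual pen test": False, "Encrypts at rest": True},
    loss_event_frequency=Range(0.1, 0.2, 0.5),
    records_affected=Range(10_000, 50_000, 100_000),
    cost_per_record=Range(100, 150, 250),
)
VENDOR_B = VendorScenario(
    name="Marketing analytics (a few thousand email addresses)",
    checklist={"MFA for admins": False, "Annual pen test": False, "Encrypts at rest": True},
    loss_event_frequency=Range(0.5, 1.0, 2.0),
    records_affected=Range(500, 2_000, 5_000),
    cost_per_record=Range(100, 150, 250),
)

if __name__ == "__main__":
    for v in (VENDOR_A, VENDOR_B):
        s = summarize(simulate_annual_loss(v))
        print(f"{v.name}: checklist={checklist_rating(v)}, mean annual loss=${s['mean']:,.0f}, "
              f"p90=${s['p90']:,.0f}, P(any loss in a year)={s['p_any_loss']:.0%}")
```

Run stand-alone, the script prints “High” for both vendors and then a mean annual loss for the payroll vendor several times that of the analytics vendor, which is the distinction the checklist could not make. The simulated mean lands close to the closed-form product of the three range means, which is a useful sanity check on any such model before the percentiles are trusted.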