Theoretically speaking, when it comes to cybersecurity there are two styles of risk assessment: proactive risk assessment and reactive risk management. Some organizations find themselves constantly forced to act in real time as threat actors try to compromise their networks and achieve their objectives; others perform regular risk assessment exercises in order to put the appropriate remediations in place ahead of the threat. The costs and consequences of these two risk management styles are felt across the board and carry business impact at every level of the organization. That said, even the most prepared organization can find itself on the receiving end of a cyber threat.
Ultimately, when it comes to risk assessment and management, it is important to consider and understand both approaches to cybersecurity.
Generally, a security risk assessment identifies and evaluates risk, and specifies the remedial actions and security controls that must be established to reach an acceptable level of security risk. In addition, a risk assessment focuses on preventing future security deficiencies and vulnerabilities.
Performing a risk assessment will allow an organization to examine critical assets from an attacker’s perspective. Generated reports, such as penetration test reports, support management across all levels in making the appropriate use of company budgets, action plans, resource allocations, software selection, and security control implementation decisions. Thus, conducting a risk assessment is a vital piece in any organization’s risk management procedures.
The Process of Risk Assessment
Organizational considerations such as company size, staff, and assets affect the complexity of risk assessment models. Understandably, some organizations only have the capacity to perform generalized assessments because of time and budget constraints; however, these assessments do not typically provide the details pertaining to assets, related threats, identified risks, business impacts, and required remediations.
Since general, in-house IT assessment results typically do not establish enough of a correlation between each of the items listed above, a more in-depth assessment, such as a penetration test, is necessary. In the context of risk assessment, a penetration test, or pen test, is an authorized, simulated cyberattack on an organization's computer systems, executed to appraise the overall security integrity of those systems. The test is performed to identify vulnerabilities, including the potential for unauthorized parties to gain access to systems and company data.
In addition, a penetration test identifies key strengths in the existing security posture. This enables a full risk assessment to be completed, which helps an organization form a roadmap that focuses budget and resources first on strengthening the weaknesses with the greatest potential business impact, an exercise Walmart Canada likely wishes it had committed to. The bottom line is that, when it comes to proactive risk assessment, penetration testing sits a cut above in terms of value because each activity performed reflects a realistic attack.
Unfortunately, even with the most thorough of testing and remediation efforts, there always remains a factor of risk that must be assumed. That is where reactive risk management procedures such as a compromise assessment come in.
Many organizations, especially those in smaller or fringe industries with insufficient security budgets, have yet to define an adequately viable level of investment in security. These organizations typically do what is recommended to meet the most basic compliance regulations and simply accept, assume, or shift the remaining risk to a cyber insurance policy, which may not serve the insured organization as expected or required. For such organizations, a regular assessment should be incorporated into their risk mitigation strategy to ensure their environment has not been compromised by existing threats that are more complex than the organization is able to detect at its current level of security investment.
Unfortunately, there is the irony that many organizations have difficulty justifying an increase in their security budget when a breach has yet to occur. The resulting security paradox places an organization's security team in a critical position. In these situations, it is often beneficial to perform a compromise assessment to uncover any past compromises that may have gone unnoticed, thus providing the evidence required to justify additional security investment. A win-win.
The main objective of a compromise assessment is to swiftly identify any malicious or otherwise suspicious activity on the organization's systems. Once the compromise assessment is finished, the selected vendor can provide appropriate recommendations regarding the proper course of action, based on the collected evidence, allowing the organization to investigate the root cause or the threat actors responsible for the attack(s). Of equal importance, as mentioned, any unfavourable results from a compromise assessment also serve the additional function of providing complete justification for an increased security budget.