Innovative IT Risk Assessment Frameworks: Enhancing Organizational Security
Explore a new approach to IT risk assessments, integrating SWOT analysis for comprehensive security. Learn steps, benefits, and communication strategies.
New IT Risk Assessment Framework (How Information Technology Keeps the Organization Safe)
Added on 09/25/2024
Speaker 1: Hi, welcome back to my channel. The topic for today's video came from one of my viewers. They asked about looking at IT risk assessments. We talk a lot about product here, but how do you know what product is right for your organization? So, I don't know that we're going to answer the viewer's question in this because I really want to talk about a new way of doing an IT risk assessment, or a new framework in which your IT risk assessment can be accomplished. Hi, I'm Steve Murphy. I'm a vice president at ARG, and while I work for ARG, this video is my own and does not necessarily reflect the views and opinions of my employer. This channel is all about giving IT leaders tools and information so they can make better business decisions, and an IT risk assessment is the fundamental process that we have to go through, whether formally or informally, to decide to make a move into another technology. So let's take a look at what IT risk assessments mean and how they might fit into your organization. First of all, we're going to look at an overview of an IT risk assessment, just to define the process a little bit. We're going to talk about what's covered, we're going to talk about what a new risk assessment framework might look like, and then we'll go through the steps of a risk assessment. Let's start with a quick overview of IT risk assessments. First of all, we have to acknowledge that there's no way we can prevent all cyber risks from affecting our organization. If we were to lock down our environment so tightly that it would be impervious to any cyber risk, well, we probably wouldn't get any work done. So an IT risk assessment helps us focus on the areas where we need to add additional protective measures in order to ensure that the worst doesn't happen to our organization. So the IT risk assessment answers the following questions. What assets do I have, and how much damage would we suffer if those assets were compromised?
The next question is, how would those compromises of the assets affect our business? And then lastly, what are the events that could compromise the assets, and how likely are those events to happen? That's what the IT risk assessment attempts to answer. Now from a coverage perspective, we look at the assets of the organization. What systems do we have? What data are we storing? And what intellectual property are we trying to protect? From a resources perspective, we have to assess people first and then of course our relationships. These are primarily partner relationships, or they may be customer relationships, and how they affect our security posture. And then what are the processes that we have internally that both make us more secure and sometimes compromise security? Lastly, what are the activities that we're trying to protect? This is essentially the operations of the organization. How do we keep operations functional while we're also trying to keep them safe? I'm going to suggest that we look at risk assessments differently than we might have in the past. Typically, a risk assessment would be something that an organization would do periodically. I've heard every one to two years you want to do a risk assessment. I think that a two-year interval and probably even a one-year interval is way too long in today's dynamic environment, but something that you would do periodically to evaluate your overall risk posture. I don't agree with that. I think the risk assessment within the IT organization needs to be included in a SWOT analysis. SWOT stands for Strengths, Weaknesses, Opportunities, and Threats, and it's a strategic overview of IT operations. It's what your senior leadership is generally doing around the business on a regular basis. I suggest that IT organizations have their own SWOT analysis around the IT operations. Now the IT risk assessment is generally going to be included in the threat category of your SWOT analysis.
This is the area where you're going to document where the threats are originating and what damage they could do. We're going to have another part of the IT risk assessment included in the weaknesses area. This lays out the known weaknesses and vulnerabilities of the operations, of the IT operations. And then in the opportunity section, we're going to have elements for improvement and how we can address those threats and weaknesses. And this is also where you might identify the budget required to make those adjustments so you can address those threats and weaknesses. Now this last section is, I think, the most important reason why you need to have a SWOT analysis as part of your overall IT strategy, the risk assessment being part of that SWOT analysis. Because I think the big Achilles heel of a risk analysis is that there are an implicit number of assumptions being made about areas in which you're confident. A risk assessment tends to be "where are the negative elements," and it doesn't do a good job of documenting the positive elements. A SWOT, on the other hand, has a strengths section where you can document all the positive elements. And those positive elements need to be validated. Because when we are evaluating risk, we tend to be overconfident in what we think is safe. And by documenting those areas of confidence, we can then be challenged by others around us as to what we might be overconfident in. And at least if something bad does happen within those areas in which we're confident, we at least have a source document to go back to that substantiates the level of confidence that we put in those measures. So I think a SWOT analysis is really a much better framework for a risk assessment than a standalone process. Let's get into the process of actually going through a risk assessment. I'm going to reorder the process that I see in a lot of the popular literature out there. And I'll give you a good example.
So this step one, data gathering, is usually the second step in most of the literature that you'll see out on the internet, for example, in terms of how to conduct a risk assessment. Step one is usually a risk profiling process where you identify the risks that you believe you're subject to. I actually think that's kind of a waste of time. Because until you've done your data gathering, until you know what assets you have and what the status of those assets is, you really can't identify risks. The only thing that you can really do is guess. And so rather than guessing, I'd rather gather data first, and then we can work through an informed process in terms of determining where we have risks. So what does data gathering look like? Well, of course, we're going to take an asset inventory. We're going to run a vulnerability assessment tool; that may be an automated tool. You might have a third party come in and do a vulnerability assessment for you. It may be something that comes out of your SIEM, and your SIEM will have other analytics that will be available to you to help you identify the data and the sources of the threats that are coming into the organization or being presented to the organization. You might have a third party, or you might do your own penetration test to identify some pockets of exposure that you have, both internally and externally. And then you're going to want to look at your cloud service security tools as well. And these are typically newer tools to the organization. They may not be as familiar with some of the legacy tools. But as our cloud services begin to grow, we want to start incorporating those tools into our risk assessment. Now we want to evaluate our risk profile. So in that, we identify the threat sources. Email is a typical threat source, for example. And then identify the threat events. So someone might download a malicious attachment through their email account. We then identify the vulnerabilities and predisposing conditions.
Maybe that endpoint hasn't been updated with the latest operating system patch. That's a predisposing condition that might make that laptop more susceptible, or that endpoint more susceptible, to accepting that malware. And we want to evaluate the likelihood of this event happening and determine the impact. And then lastly, we get to the risk. So the impact times the likelihood is generally the risk. And I like to calculate risk in two ways. The first is hard dollar risk. So if someone downloads an attachment from an email and it infects their endpoint, that endpoint malware propagates through the system and ultimately corrupts our inventory system. So we can't ship orders for a week. That hard dollar impact is the sales that were lost during that down period. The soft dollar impact is the customer goodwill. The discounts or returns that we might get because our goods were not received in a timely basis and the customer sourced it from another vendor, possibly. And the reduction in future orders from those customers. Those are all soft dollar costs that are really hard to quantify, but super important for us to understand the overall risk to the business. Now, by calculating the hard dollars and the soft dollars separately, sometimes you can justify a security upgrade project simply from the hard dollar costs. And those are usually really easy conversations to have with your finance organization. If you need to go to a soft dollar type of conversation because you need more risk associated with the vulnerability to justify the solution, those tend to be more challenging conversations with finance and those responsible for allocating budget. And you might need to get your business line owners involved to help support the business case. And that gets us into the last step of a risk assessment. Again, I said this was going to be pretty high level. The last step, though, is communication.
And my recommendation is to communicate with those business line owners first before we take something to the executive team, because the business line owners will understand the context of the threats that we're talking about and will help you establish more of that context within your own report. And they can also be strong advocates for you within that executive team to help you mitigate some of the risks that you've identified. So then you want to take it to the executive team. Hopefully at some point you get budget allocated. And lastly, you're going to want to give regular updates to the organization as to how you are going about mitigating these risks. Those are the four key communication steps that I would see coming out of a SWOT, or strengths, weaknesses, opportunities and threats, that is supported in an IT risk assessment type of process. As always, feel free to reach out for a further conversation. I'm always happy to hear from my viewers. My contact information is in the description of this video. And again, I'm happy to hear from you at any time. If you got some value out of this video, I'd appreciate a thumbs up, a like. And thank you very much for doing that. And if you want to return to this channel at your convenience in the future, the best way of doing that is by hitting that subscribe button. That will put my videos in your feed and you'll be able to come back here at your convenience. And with that, I thank you for your attention and I hope you have a great day.