A risk assessment is a funny thing. It can be a major driver toward securing your company’s data, or it can be the missed opportunity that could have saved your business. So how can something so important be so misunderstood?

Most companies that perform and manage risk assessments do so because of industry or government compliance mandates. Companies required to do risk assessments are usually those that collect and maintain important or sensitive customer data, but if you think about it, shouldn’t all businesses fall into that category? Healthcare and financial services are highly regulated, but what about every other industry? Most businesses hold some kind of customer data, whatever their industry or size. Don’t those customers deserve to know their data is safe from attackers as well?

If you want to keep your data secure, you must be sure not to fall victim to a useless risk assessment. Here are 5 ways companies can keep their hard work from turning into a worthless document:

  1. Activate Your Assessment: The risk assessment shows you that you have a risk, but don’t ignore the resolution phase. A proper risk assessment should provide detailed and targeted information that leads to an end result directing the organization to address its high-risk threats first. The true value of a risk assessment lies in the actions that occur after it has been performed.
  2. Set Your Goals: Often, risk assessments are performed with one goal in mind: compliance. Companies forget the second goal of becoming a more secure organization. In that case, the risk assessment goes untouched and threats are ignored, leaving the company just as vulnerable as it was before the assessment began.
  3. Understand Your Assets: Unless a company sees the risk assessment as a window into its vulnerabilities, it will not feel the full impact. The risks a small dental practice faces are quite different from those of a larger organization. An actionable risk assessment outlines the actual threats to the company’s information security assets and how exposed each asset is to those threats.
  4. Know Your Assessment: Don’t fall victim to running a control gap assessment and expecting the output of a risk assessment. A control gap assessment does a good job of highlighting where you fall short of a standard, but it does not outline the threats or guide the entity toward a resolution. The result is a checklist, rather than an action plan.
  5. Involve the Right People: Risk is often a nebulous concept. If you ask a business leader her opinion of security risk, you may get a completely different answer than if you ask the firewall administrator. Understanding who the best sources of information are for a given asset and threat type is key to getting the most out of the risk assessment process. It can be costly to guess wrong, so it’s important to involve all of the relevant stakeholders in the process.

Interested in learning more about how BALLAST can help streamline your risk assessment process? Schedule a demo today!

Mark Fulford

Mark Fulford, CISSP, CISA, ABCP, CRISC, is a Shareholder in the risk services division of LBMC, PC. With nearly 25 years of experience in information security audit and compliance, Mark understands how to translate technical jargon into actionable intelligence. With significant experience in healthcare, his expertise includes assisting companies with Sarbanes-Oxley, HIPAA, PCI and HITRUST compliance, as well as providing assurance to clients and their stakeholders through SOC 1 and SOC 2 reporting engagements. More recently, his focus has been on helping organizations identify and manage information security risks through both guided and automated risk assessment techniques.