BALLAST understands that most companies that perform risk assessments do so because they have to, not because they want to. Often a risk assessment is a regulatory requirement or an industry compliance obligation.

For instance, organizations in the healthcare industry must perform periodic risk assessments to demonstrate HIPAA compliance, just as member financial institutions must perform information security risk assessments on a regular basis under FFIEC guidance.

In reality, any organization that stores sensitive data should perform ongoing risk assessments to gauge the health of its information security program. From confidential client information to customer cardholder data, all of this information is a target for theft.

So why are more companies not performing risk assessments?

  1. Lack of time. When an organization has few or no employees dedicated to managing risk, finding the time to conduct internal audits and revise policies is a real problem. Successful risk assessments require an ongoing investment of time; completing the assessment is only the beginning. The most important part of a risk assessment is remediating the issues it uncovers.
  2. Lack of resources. Many organizations lack the internal talent, technology, or budget to perform risk assessments properly. Enlisting a consultant or a risk assessment tool is often the best way to overcome this obstacle.
  3. Lack of focus. A proper risk assessment considers every part of the organization, from all of its locations to every point at which data is collected. Without a thorough, comprehensive assessment, your team can miss serious threats to the larger organization. A focused and dedicated team is a must.
  4. Lack of follow-through. If your risk assessment results are sitting on a shelf, the effort can be worthless. It is vital that the results feed the organization's decision-making process and lead to a concrete mitigation plan. Each remediation item should be assigned to a named owner, and its resolution should be tracked to closure.
  5. Lack of a true risk assessment methodology. Without a sound methodology, subjectivity can skew the results and weaken the credibility of the assessment. A consultant or external team brings a perspective that is independent of the outcome and less likely to bias the results.

Risk assessments are extremely valuable, and when properly used they can protect your entire organization from critical security threats. Contact us today to learn how BALLAST can improve your risk assessment process.

Mark Fulford

Mark Fulford, CISSP, CISA, ABCP, CRISC, is a Shareholder in the risk services division of LBMC, PC. With nearly 25 years of experience in information security audit and compliance, Mark understands how to translate technical jargon into actionable intelligence. With significant experience in healthcare, his expertise includes assisting companies with Sarbanes-Oxley, HIPAA, PCI and HITRUST compliance, as well as providing assurance to clients and their stakeholders through SOC 1 and SOC 2 reporting engagements. More recently, his focus has been on helping organizations identify and manage information security risks through both guided and automated risk assessment techniques.