It’s true. A risk assessment is not a gap assessment, nor is a gap assessment a risk assessment. Ok, so maybe you already knew that. So why are we pitting them against each other in this post? Mainly to highlight that those of us in the risk space are quick to point out that risk assessments are so much MORE than just gap assessments. The truth is, most of the work (or at least most of the time) spent on your risk assessment goes into determining where you might have gaps (potential vulnerabilities) in your management or security systems.

As we consider likely threats, the next step in most risk methodologies is to consider the vulnerabilities a threat might exploit to bring about a negative consequence. So, how do you know whether you have vulnerabilities? Well, there are several ways. You can do technical testing of infrastructure components to find unpatched or unsupported systems (i.e., vulnerable systems) that a threat could leverage. You can also survey system and control owners to confirm whether the controls mandated by organizational policies and procedures, regulatory requirements, and/or best-practice frameworks actually exist and operate. Hmmm… that last one sounds an awful lot like a gap assessment.

If we spend so much time doing them, why do risk professionals look down our noses at the lowly gap assessment? Two reasons: 1) we are the keepers of all true knowledge, and 2) lots of folks equate gaps with risk, and they tend to stop there. The truth is, a gap is not a risk. A gap should not be placed on a heat map! A gap may point to a vulnerability that increases risk, but gaps are not “risks” per se. Risk is much more amorphous and ethereal; it is a value that can only be calculated, from the likelihood that a threat exploits the vulnerability and the impact if it does. So, there you go: it is just our passive-aggressive way of “educating” everyone on the semantics of risk (because everyone in your social circle clearly needs to be straight on this… right?).

Arguing about this also keeps us from having to deal with the more difficult (and oh-so-interesting) conversations around the merits of quantitative versus qualitative measurement of probability and impact. That’s another post.

So, other than proving that risk folks are a little “off,” what are the takeaways here?

  1. Language matters. When communicating with executive and board-level stakeholders, it’s important to frame these concepts correctly. For example: “The assessment uncovered critical technical vulnerabilities in 30% of production systems that, if not addressed, will likely (we estimate a 50-60% probability) be exploited by a motivated attacker within 12 months. This represents a high risk for our organization considering the potential impact on operations, reputation, and regulatory compliance.” You will need to be prepared to justify your reasoning around likelihood and impact (you can’t pull those out of thin air; that’s the hard part of risk analysis), but I promise you’ve got their attention and can lay out your recommendations to mitigate the risk. Conversely, if your report stops at “17 production servers were missing patches,” you are not providing these stakeholders with the context they need to make good decisions on risk.
  2. The quality of your gap assessment matters. There are lots of things that can go wrong (i.e., threats). If you fail to do a rigorous analysis of the controls you have (or should have) in place to mitigate those bad things, you may be either overestimating or underestimating how prepared the organization is to fend off those threats. That means your risk levels will be off, and you may spend precious resources in the wrong areas rather than on the root causes whose remediation would do the most to reduce risk to acceptable levels.
  3. Focus on vulnerabilities, not gaps. We have beaten the dead horse on the fact that gaps are not risks. It should also be pointed out that not all gaps present vulnerabilities either. Each gap must be evaluated on its own. For example, the control framework you choose for your gap assessment may recommend video surveillance at every entrance to your internal data center. While it’s true that a visible camera (even a fake one) has some value as a deterrent, for most companies, which don’t have eyes trained on those monitors, this control is basically used well after a suspected incident to determine what happened: it is detective, not preventive. Let’s say you also have biometric access control devices on your data center doors and great procedures in place for removing terminated employees’ credentials from the access control system. How much of a vulnerability is not having those cameras? How much will adding them mitigate the threat and reduce your risk levels? I can see the arguments forming in your head: “but PCI…” or “but the auditors…” And you may choose to implement them for those reasons, but that is a risk management decision, too.
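To make the chain gap → vulnerability → likelihood × impact → risk concrete, here is an added example (not code from the original post, from LBMC, or from BALLAST) that models the two scenarios above: the missing data-center cameras with strong compensating controls, and unpatched production servers with almost none. The scoring model (likelihood × impact, with each control independently removing a fraction of the threat's likelihood), the base likelihoods, the control effectiveness figures and the High/Medium/Low bands are all illustrative assumptions chosen for the example, not data from the post or any framework.

```python
"""
Added example: a toy model of gap -> vulnerability -> likelihood x impact -> risk.
Every number below (base likelihoods, control effectiveness, rating bands) is an
illustrative assumption, not data from the original post.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Threat:
    name: str
    base_likelihood: float  # assumed annual probability with NO controls in place
    impact: int             # assumed impact on a 1 (negligible) .. 5 (severe) scale


@dataclass(frozen=True)
class Control:
    name: str
    effectiveness: float    # assumed fraction of the threat's likelihood this control removes (0..1)


@dataclass
class Gap:
    """One gap-assessment finding: a control the framework expects but we lack."""
    missing_control: Control            # what the framework wanted (with assumed effectiveness)
    threat: Threat                      # the threat that control would have mitigated
    compensating_controls: list = field(default_factory=list)


def residual_likelihood(threat, controls):
    """Likelihood left once each control independently removes its assumed share."""
    p = threat.base_likelihood
    for c in controls:
        p *= 1.0 - c.effectiveness
    return p


def rate(score):
    """Assumed heat-map bands for likelihood x impact (impact on a 1..5 scale)."""
    if score >= 1.5:
        return "High"
    if score >= 0.5:
        return "Medium"
    return "Low"


def assess_gap(gap):
    """Turn a gap into a risk entry; the gap itself never goes on the heat map."""
    likelihood = residual_likelihood(gap.threat, gap.compensating_controls)
    score = likelihood * gap.threat.impact
    # What would closing the gap buy us? Re-run with the missing control present.
    closed = residual_likelihood(gap.threat, gap.compensating_controls + [gap.missing_control])
    return {
        "threat": gap.threat.name,
        "likelihood": likelihood,
        "impact": gap.threat.impact,
        "score": score,
        "rating": rate(score),
        "reduction_if_closed": score - closed * gap.threat.impact,
    }


def risk_statement(entry):
    """Board-facing wording: threat, likelihood, impact and rating, not a control count."""
    return (f"{entry['threat']}: estimated {entry['likelihood']:.0%} probability within "
            f"12 months, impact {entry['impact']}/5, {entry['rating']} risk.")


def heat_map(gaps):
    """Only risks reach the heat map, ordered worst first."""
    return sorted((assess_gap(g) for g in gaps), key=lambda e: e["score"], reverse=True)


# Constructed findings mirroring the post's two scenarios (all values are assumptions).
CAMERA_GAP = Gap(
    missing_control=Control("CCTV at data center entrances", 0.05),  # detective; little preventive value
    threat=Threat("Unauthorized physical access to data center", 0.30, 4),
    compensating_controls=[
        Control("Biometric door access control", 0.80),
        Control("Timely credential deprovisioning", 0.50),
    ],
)
PATCH_GAP = Gap(
    missing_control=Control("Patch management on production servers", 0.70),
    threat=Threat("Remote exploitation of unpatched production servers", 0.55, 5),
    compensating_controls=[Control("Network segmentation", 0.20)],
)


if __name__ == "__main__":
    for entry in heat_map([CAMERA_GAP, PATCH_GAP]):
        print(risk_statement(entry),
              f"(closing the gap removes {entry['reduction_if_closed']:.3f} of {entry['score']:.3f})")
```

Under these assumptions the same style of finding lands in very different places: the camera gap leaves a 3% residual likelihood and a Low rating, and adding cameras barely moves it, while the patching gap rates High and closing it removes most of the score. The point the model makes is the post's: the heat map holds risks derived from likelihood and impact, never the gaps themselves, and a gap's weight depends entirely on the threat and compensating controls around it.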

There is certainly a time and place for gap assessments, even in the context of doing a thorough risk assessment. BALLAST can help you automate the entire process, including identifying gaps against various control frameworks. Contact us today to learn more!

Mark Fulford

Mark Fulford, CISSP, CISA, ABCP, CRISC, is a Shareholder in the risk services division of LBMC, PC. With nearly 25 years of experience in information security audit and compliance, Mark understands how to translate technical jargon into actionable intelligence. With significant experience in healthcare, his expertise includes assisting companies with Sarbanes-Oxley, HIPAA, PCI and HITRUST compliance, as well as providing assurance to clients and their stakeholders through SOC 1 and SOC 2 reporting engagements. More recently, his focus has been on helping organizations identify and manage information security risks through both guided and automated risk assessment techniques.