Building Trusted Relationships Through The Risk Assessment Process

This article first appeared in CIO Applications Magazine.

“Let’s not forget that it’s you and me vs. the problem…NOT you vs. me.”

(different sources)

Cybersecurity risk assessments are performed when new business opportunities are identified or to visualize risk around critical assets and processes, among other reasons. As a security leader or the assessment leader, the goal should be to support the organization and provide recommendations for leadership and stakeholders to make educated risk-based decisions, so the assessing team is seen as a trusted partner that delivers value instead of a team that slows the organization down. The assessments are also a great opportunity for your team to engage in business conversations with product owners and stakeholders around risk management, not security controls. It is also a forum for you and your team to build relationships and collaborate.

Here are some suggestions for leading and facilitating risk assessments that will help you (and your team) become a trusted partner:

  • Communicate the goal, timelines, deliverables, and expectations of the risk assessment early, so all stakeholders understand “the why, what, how, and when” and support the effort.
  • Make sure the team is a facilitator, not a “dictator.”
  • Everyone’s voice is important. Help people feel comfortable and engaged.
  • This is not the time to jump the gun and start pointing out gaps, deficiencies, etc. They will surface naturally, and you should discuss them. Understand that some may be remediated, and some may not.
  • If one is available, leverage the security reference architecture to identify patterns and compensating controls that can lower the residual risk.
  • Encourage creativity and collaboration to help the team identify mitigating controls.
  • When assessing and suggesting mitigation controls, make sure that the teams’ input is accounted for in terms of resource availability, budget, time, and effort.
  • Encourage the team to explore different options for stakeholders and decision-makers.
  • Show empathy. The delivery teams are usually busy, and the mitigation controls may be challenging or unpopular; they usually carry additional unplanned work for the delivery team.
  • Help the team deliver a mitigation plan/roadmap. It is not wise to expect that all controls be implemented before launching an initiative or delivering goods or services. Instead, try to deliver controls iteratively based on risk.
  • Continue to keep the team informed on progress on the key actions that were defined and scheduled through completion.

Once your assessment and all artifacts are completed, issue your recommendation to the assessment participants. The options are listed below; make sure that the team agrees that these are all the options.

  • Accept the risk with the residual risk rating as is (or with not enough controls recommended to lower it).
  • Mitigate the risk by implementing mitigating controls.
  • Not moving forward with the initiative may be a valid option too. You would have to deliver a business justification, as with any recommendation.

Once you have an agreement and a recommendation, bring the assessing team together to deliver it to product owners and stakeholders. This is yet another opportunity for collaboration and relationship building for your team. When delivering the recommendation, let the product owner take the lead, state the opportunity at hand, and even start the conversation about the risk identified, in whatever form is most consumable for your culture (e.g., slides, a spreadsheet, etc.). It is important that you communicate all options explored for mitigation, including pros, cons, costs, and resources. The assessment leader should partner with the product owner in a supporting role, adding details or clarification as needed. Another way to do this is to get together beforehand and define the role of each team member in the delivery of the results. Finally, it is important that all participants have an opportunity to opine; then close out the delivery by asking the stakeholders to decide how to treat the risk presented.

Be prepared for some negotiation and compromise, and agree on certain areas that may or may not be part of the recommendation. It is important that leaders are objective and keep an open mind while encouraging everyone involved to do the same, in order to deliver a business solution that adds value to the organization. Nobody in that meeting should make things personal; help all the involved parties understand that sometimes difficult decisions need to be made in the best interest of the business. This is important because many security folks get frustrated when their recommendations are not followed or the risk is accepted. Still, your goal is to lead a conversation and a decision that weighs opportunity vs. risk, not “issue vs. security”. Likewise, the product owners and stakeholders may get frustrated if the security team is not willing to negotiate. Remember, you are trying to build a partnership.

Approaching your risk assessments objectively, collaboratively, and open-mindedly will lead to more educated decision-making, ultimately translating into value delivered by the security team; better relationships across the business; trusted partnerships; and credibility for the program.
