Comment: Poor Information Risk Assessment Is Worse than Doing Nothing at All

What's worse than doing no risk assessment at all? Executing one poorly, says Andrew Wilson
What's worse than doing no risk assessment at all? Executing one poorly, says Andrew Wilson

Hands up all those who think they have a great information risk assessment capability in place. You know, one that is embedded within the organization, produces consistent and trustworthy results, and is relied on by senior management.

Not many takers, eh? It’s a tough call.

I frequently ask CISOs this question and I often see the flicker of anxiety in their eyes before they launch into the stock response of how important information risk assessment is in their security strategy. They quickly move on to telling me about the methodology and the software tools that they have in place, the number of assessments they do and the great person that they have leading the charge. But when I scratch the surface and ask about the business value of information risk assessment, the look of concern returns.

CISOs instinctively know information risk assessment should be at the center of what they do, but few would admit that their capability is performing at the level that they really need. It’s seldom a point of pride or a flag waver for the information security function.

In many ways this is unsurprising. For most of us, information risk assessment is still something of a dark art. It is the hazy stuff of soft skills, analysis and judgment as opposed to the more comfortable and clear-cut territory of running a security project or deploying security software. We compound this uncertainty by launching into programs of risk assessment that are driven more by enthusiasm and management will than a clear sense of objective, scope and benefits.

The wreckage of these programs is there for everyone to see, as they root march their way through hundreds of applications, networks and technology components. This is tough going for everyone. The risk analysts get punch drunk, analysis becomes mechanical, inconsistency creeps in, and the results become less and less useful. Management reports are ignored or, worse still, paid lip-service to by business leaders. Soon it is unclear to anyone why we started this risk assessment at all.

The real problem with these programs is that they are difficult to back out of when you have set them in motion. The logic is impeccable and easily explained to ourselves and management, but somehow the delivery isn’t quite what we expected. The answer quite often lies not in the type of methodology or tools that are used, but in the lack of a benchmark for what constitutes a great information risk assessment in your company.

What is a good assessment? What does it look like? Is it technical in nature or is it focused more on managerial and procedural issues? Are the risks described in detail or do they only contain the main observations?

Risk analysts need not only the right training and skills, but also a clear benchmark for what constitutes a great information risk assessment if they are to try and hit the target. This sounds simple but is surprisingly difficult because it requires a clear understanding of what constitutes business value in your organization – an organization that has unique goals, drivers and culture. It’s not generic, but subtle and very, very specific to your company. Your goal is to run information risk assessments that make a genuine difference – every single time.

The mood in the business world is changing. Information security is no longer an ivory-tower activity. You’d better get your information risk assessment program right because once you’ve started, then the expectation is that you will be producing something of real value.

If your capability is outcomes-based, as you have rightly declared, then business leaders will want to see what those outcomes are and how they help the organization. Falling back upon the reasoning that information risk assessment is required to meet a compliance requirement won’t wash anymore. Business leaders are now starting to hold the feet of CISOs to the fire on the value of their information risk assessment program and what it brings to the company.

Having a poor information risk assessment capability in the war on cybercrime is a bit like turning up for a gunfight with a knife. It’s holding you back and you owe yourself more.


Andrew Wilson is an information technology professional who has specialized in information security for over fifteen years. In that time he has created and delivered practical, risk-based security solutions for blue chip clients around the world. Wilson has most recently been group information security manager for Dyson where he was responsible for establishing the strategy, policies and standards, and governance framework in a new security function.

Previously Wilson worked for PricewaterhouseCoopers (PwC) where he was engaged as head of research projects for the Information Security Forum (ISF). He is also the designer and developer of the ISF’s seminal publications on Intrusion Detection, the Security Audit of Networks methodology (used to audit the networks at the 2002 World Cup in Japan and Korea) and IRAM – the ISF’s information risk analysis methodology now in use in hundreds of blue-chip organizations around the world.

What’s hot on Infosecurity Magazine?