How to sell risk assessment benefits to IT execs

Scrutinising expenses is a primary responsibility of senior executives. They won’t approve a single purchase order unless you show a benefit, which is why you need a cost-benefit analysis.

From an IT manager’s perspective, any comprehensive organisational security risk assessment is expensive; penetration tests alone easily run to 2-3K for external testing only. Testing an entire infrastructure and platform, your whole network, for vulnerabilities, inefficiencies and non-compliance with security policies and standards will be expensive, and what do you get for it? A big stack of paper filled with barely comprehensible technobabble. The boardroom can’t easily appreciate that.

You know you need a risk assessment to show that you’re secure and to find the problems that expose your enterprise to risk. But how do you sell your CEO or the board on that expensive proposition?

1. Plug Security Holes

No network, no matter how tightly guarded, is immune to the occasional lapse in its defences or hole in its infrastructure. That is why there are regular patch updates for Windows and network equipment. A risk assessment report is a “to do” list for correcting specific problems and improving overall security.

With a report in hand, you’ll have a snapshot of your organisation’s security. You will see everything, from which servers lack critical patches to which applications have known exposures or documented compromises. The report helps prioritise your efforts and gives you a baseline for measuring progress.

2. Determine Security Requirements

Good security has a lot to do with change control management and adherence to established policies. A risk assessment defines what policies are needed and how well an organisation is complying with those policies.

Why have a policy and process? You don’t, for example, want your IT admin to change firewall rule sets at random, do you? Your policy defines who can make firewall configuration changes (a firewall is like the electronic door to your organisation), how those changes are approved and implemented, and what documentation is required.

Organisations have two choices when it comes to establishing policies: develop their own or adopt existing standards.

3. Justify Spending

Regardless of the perceived need for security, executives and budget planners want quantitative justification for spending. A risk assessment is a definitive statement about what needs to be done to improve or correct a security program. You can use a risk assessment report to calculate the cost of improving security and estimate the benefits — or ROI.

Suppose a risk assessment finds that 40 percent of your servers haven’t been patched for a critical Windows vulnerability. You could use the report to show executives how automated patch management would improve security and save the company money by expediting the patching process. A risk assessment can also show the cost of not improving security by documenting recovery costs from a security incident, such as a worm infection.

4. Review Purchases

A risk assessment gives you a close-up look inside your computing environment. This kind of insight is invaluable in selecting appropriate security products and services — you don’t want to spend 20K on a security measure to correct a 1K problem. Use your asset register to review what is in house, what it cost, the lifespan of each item and what is actually on the network; very often the IT asset register turns out to be incomplete.

You’ll blindly spend precious funds unless you know what you’re defending and how valuable it is. For instance, a risk assessment will help you decide that a storage encryption system for protecting routine Word documents on a file server isn’t worth the expense. But it also will show that buying database security tools to protect customer records and financial transactions is.

5. Improve Planning

By being proactive and identifying security problems before they’re exploited, you create an opportunity to significantly lower the cost of security. It’s no secret that it’s less costly to deal with security before serious problems arise than it is to deal with it during a crisis or incident recovery.

Planning for security events begins with understanding an organisation’s strengths and weaknesses. Enterprises can use a risk assessment to design and build secure network architectures, develop security policies and create security contingency plans.

Risk management is about reducing an enterprise’s threat exposure to an acceptable level. A risk assessment will provide focused information about threats, how well you’re protected against those threats and what’s missing from your security program.

6. See the Big Picture

A risk assessment is more than running a vulnerability scanner against a network segment and creating a pre-packaged report. It’s a holistic examination of the security infrastructure — technology, people and processes. A comprehensive risk assessment will do all of the bits-and-bytes things you’d expect: scanning for vulnerabilities, checking system maintenance and security policy, reviewing logs, etc. Often, it also involves interviewing the people who use the network — everyone from the security manager to human resources, legal to auditing.

These interviews will reveal your organisation’s security awareness level, as well as recent incidents and problems. In other words, the process will reveal who in your organisation understands security and who still needs to be converted.

7. Increase Motivation

Independent auditors and examiners typically perform risk assessments. This can motivate an enterprise’s security team, end users and others because it verifies and validates their work to management. In effect, an objective party is saying, “Your work is important to the organisation.”

Equally, the risk assessment also communicates that staff members must be diligent and consistent with security-related matters. Without a risk assessment, end users will likely get the impression that security policies are simply window dressing meant to please the auditors — in other words, completely ignorable.

Performing a risk assessment shows workers that management is serious about information security, and that it expects workers to take security seriously, too.

8. IT Strategy

Perhaps one of the best ways to sell IT security is to link it directly to business needs. Understand what the organisation’s IT strategy is and how IT integrates into the overall business strategy.

A risk assessment can establish that linkage by bringing together security and non-security people. Once people see the impact security has on their operations, they’re more likely to embrace it as a part of their business culture.

Through a risk assessment, employees will gain a sense of participation and ownership. Given an opportunity to make suggestions, staff members will help garner support when it comes time to make recommended changes.

9. Pre-empt surprises

There are some things you can’t defend against, no matter how many firewalls you erect. A layered security infrastructure will protect your company against 98 percent of the known threats, but there’s always the possibility of compromise through a zero-day exploit or some other vulnerability for which there’s no defence. A risk assessment allows you to quietly assess and catalogue your security gaps so you can react appropriately in the event of a compromise.

10. Document Due Diligence

A risk assessment is a verification and validation of an organisation’s adherence to best practices and compliance with government regulations.

Documentation is becoming critical as more government regulations are imposed and the potential for downstream liability lawsuits increases. Regulators want evidence that you’re compliant with relevant legislation. Insurance companies and business partners want documentation that you have good security practices. A risk assessment report could be important evidence that documents an enterprise’s due diligence in protecting its networks and information.

Not every risk assessment has every one of these benefits. But, without question, the final report will inform management about the current security posture and what needs to be done to mitigate risks. And that’s an essential part of prudent risk management.