Every organization conducts risk assessment and mitigation in order to identify risks and minimize their impact via risk mitigation. However, risk assessment is highly crucial since risks not identified or wrongly identified would have a ripple impact on their mitigation as well. Hence correct identification of the risks is quite important. In this post, we shall discuss a few of the challenges which enterprises commonly face in the identification of the risks and risk management.
Risk Management Issues in Cybersecurity –
1) Management Issues:
- Lack of Executive Management Support: Risk assessment needs to have required management support in order to yield results that matter. If the risk assessment is done for the sake of doing a ritual or is viewed as a barrier to efficiency and performance, it is highly unlikely that risk assessment would yield any actionable and tangible results. The lack of management support need not be just for risk identification but also in lack of prioritization of implementation of actions arising out of the risk assessment. If the actions are not prioritized or implemented it further augments the problem of effectiveness of the risk assessment.
- Lack of Standardization: As an organization grows, silos get built by default as per the organization structure. However, in order for the organization to function effectively, each of the functions needs to function synergistically. However, due to functional differentiation, there is a lack of accepted rules, terms, models, etc. for an effective risk assessment. This hampers and bogs down the initiative preventing any tangible results to be produced. A top-down management approach with a standard set of rules is crucial for risk assessment to succeed.
2) Interpretation Issues:
- Cultural and context issues: Identification and the definition of the problem is not complete without its relevant context. The context of the risk and its impact is driven by myriad aspects such as the culture, the business strategy, the industry, competitors, economy, etc. to name a few. In such cases understanding the context of the problem becomes crucial for the priority as well as the impact of the risk. Hence, the risk assessment should address these points if the identified actions need to be prioritized or implemented.
- Data Interpretation Issues: Data is generated in ever-increasing volumes and rates. By using techniques such as Big Data, Business Intelligence and Data analytics inferences can be made from the data. However, it is necessary to equally understand the data points and what do they mean in the context of the business. This specific gap between the understanding of statistical models and business understanding poses a risk in itself if not addressed.
- A disconnect between data and reality: Risk assessment data by itself cannot account for all the aspects of reality. This issue is further exacerbated when there are data integrity issues, migration from one system or process to another, the tools are used ineffectively or in the wrong context, or selected data is viewed/ analyzed with the intention of only finding favorable results thereby preventing detection of vulnerabilities and risk.
3) Process Issues:
- Struggle with the process: The risk assessment is a cross-functional activity. Hence a large number of people join in the activity and rarely arrive at a tangible or fruitful result. Even if there is a set process or standard, the process is either rushed or is ceremonial conducted just to appease the assessors. These invariably lead to missing risks.
- Technical understanding of the process: Each organization is unique in handling the process, usage of tools, and context of the business. In such cases, it is very hard to understand the view and the perspective of the participants and open up a peer level dialogue for ensuring transparency and achieve the goals. On the other hand, the more the accessors need information and help to truly understand these contexts and perspectives, the more the participants feel the process to be a hindrance for the daily work. In either case, the risks would not be identified.
Timely risk assessment and thereby effective risk mitigation need to be viewed as complementary activities to the organization which would generate values either by preventing loss or at least minimizing it. With the rate of change across the world increasing rapidly, in this VUCA world, it is becoming ever more crucial for the organizations not just to maintain a competitive advantage but also to create it. Any organization which is more agile, more adaptive to uncertainty and changes would definitely have a higher advantage over others.
Any organization which has a robust risk assessment and management system can convert risks into opportunities whereas the organizations where such practices are not followed/ system is not as robust run the risk of not being able to sustain their performances and are more susceptible. Hence, now is the time that organizations build a comprehensive risk assessment and mitigation processes, procedures, and strategies as a means of survival rather than a good to have feature.
Kiran Joshi – Security Consultant
Audit & Compliance
Varutra Consulting Pvt. Ltd.