Assessing Security Risk at the Intersection of Assets, Threats and Vulnerabilities

August 31, 2017

I love it when I go to a conference and the first question asked is, "What keeps you up at night?" Security is always among the first to be named. This open dialog has been going on for at least a decade, which means a lot of people aren't sleeping and need to join a sleep gym!

In all seriousness, what this really means is that companies are still struggling to keep up with security controls and reduce risk. Most still don't know what they don't know. They don’t know how much a breach would cost them, how much data they have, how secure their managed service provider is, or the amount of budget they have (or typically don’t have) to secure data.

The first step is to determine what you are protecting; in other words, assess your risk. Your risk is at the intersection of your assets, threats and vulnerabilities.

Know What You’re Protecting

We can’t protect what we don’t know about. It’s important to know your assets. Take the time to inventory your assets and develop diagrams that outline where your data is. Also, know whether it’s encrypted. You need to know what you’re protecting against in order to narrow your focus and put the right controls in place.

Know What You’re Protecting Against

The next step is identifying the threats. Do you have old firewalls? Which of the applications you use are exposed to the internet? What other tools can you use to protect yourself?

Know Your Weaknesses

Lastly, you want to reduce, and protect against, the vulnerabilities you already know about. Yes, unplanned vulnerabilities will still come up – whether it’s a zero-day vulnerability or a vendor identifies a hole that needs to be patched – but it’s important to take the time to assess existing vulnerabilities.

Know What Level of Risk is Tolerable

Many clients want to know how far they need to go to reduce risk. In security and compliance, risk can’t be completely eliminated – some level of risk always remains. Most companies struggle to communicate their level of risk to upper management, whether through a qualitative or a quantitative calculation. Or sometimes the budget isn’t there. There are hard decisions that need to be made when trying to minimize risk, and how far your organization goes to reduce or manage risk is a business decision.

So, what keeps you up at night?

In my next post, I’ll share tips for determining your risk profile. After that I’ll cover security controls as well as security best practices. Subscribe to this blog to receive notifications when those posts are published.