Anyone who knows me knows how I feel about traditional “risk assessments” in the #security space.
There is a tendency for folks, especially GRC teams, to focus a lot of time and energy on the methodology: threats, risks and inherent/residual risk ratings, etc.
I think the more important thing should be listing the top priorities to be investing and spending time on as a security team, and why.
The time spent coming up with some arbitrary likelihood and impact scores when teams already know they should be remediating a known issue posing risk to stakeholders always amuses me.
Big or small company, I’ve never gotten to the end of a risk assessment and looked back at some revelation or “aha” moment. It’s always everyone talking about what we knew needed to be done from the start.
What do you think?
I think the most important part of that is agreeing on what escalations are fine. It's both very useful, and there's actually a reasonable discussion to be had: usually the escalations have to be fine, because they are composed of pieces exercised in normal operations, strung together. If we want to declare that not to be fine: which of these do we break up and how?