Anyone who knows me knows how I feel about traditional “risk assessments” in the #security space.
There is a tendency for folks, especially GRC teams, to focus a lot of time and energy on the methodology: threats, risks and inherent/residual risk ratings, etc.
I think the more important thing should be listing the top priorities to be investing and spending time on as a security team, and why.
The time spent coming up with some arbitrary likelihood and impact scores when teams already know they should be remediating a known issue posing risk to stakeholders always amuses me.
Big or small company, I’ve never gotten to the end of a risk assessment and looked back at some revelation or “ah hah” moment. It’s always everyone talking about what we knew needed to be done from the start.
What do you think?

@jeffw

I agree about anything that tries to assign likelihoods that can be quantitatively operated.

I think it's useful to specify where we expect boundaries to be (i.e. which "escalations" are escalations that are supposed to be prevented and which are totally fine), and what aspirational assumptions we are making (e.g. that we assume that a particular escalation is going to be fixed, and assume it already is when thinking about things we want to be doing that will only bear fruit in a more distant future).

I've found many cases of mostly wasted effort due to lack of knowledge about where boundaries could be, or due to disagreements about where they are. I've also experienced lots of frustration caused by people's refusal to express these in _very precise_ terms.

@jeffw

I think the most important part of that is agreeing on what escalations are fine. It's both very useful, and there's actually a reasonable discussion to be had: usually the escalations have to be fine, because they are composed of pieces exercised in normal operations, strung together. If we want to declare that not to be fine: which of these do we break up and how?

Qoto Mastodon
