[Posted on Behalf of Dennis Leber Cybersecurity Executive | CISO | Board Member | Educator | Speaker | Author ]
I propose an altered view and mindset around risk
I recently read a great post about risk, and risk assessments and risk programs are often a gap in organizations. This article is the result of reviewing current risk programs and how we address and think about risks.
Here is an example:
THE RISK
A coder does not understand secure coding and creates code that enables SQL injection. The organization does not practice secure coding practices, so the SQL injection is not found or known.
THE IMPACT
The release of a product/application that is insecure and easily hacked, which exposes your sensitive data and company to significant financial, reputational, and business loss.
THE PROBABILITY
The probability of this is high because criminals are constantly looking to break into your systems, and this particular organization is not monitoring for attacks.
THE RISKS
In current mindsets, the risk is the insecure code and SQL injection. I do not disagree with that and those are areas that require remediation.
The addition to risk consideration that must be incorporated is ensuring that the root cause and underlying factors are included in the risk evaluation. In the example above there is no program, no governance, and no testing, and the coder did the best they could or knew how to. Until these foundational gaps and risks are addressed, simply stating the resulting risks completes only half the job of a risk assessment.
Therefore, the real risk is the business not doing everything it can to reduce the mistakes: not addressing the lack of skills, not hiring and developing talent, and having no governance, no or insufficient policies, no programs, and no procedures that reduce the creation of the findings we list as the risk to our organizations.
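To make the SQL injection example concrete from the control side, here is an added illustration (not code from the original post or its author) of the finding and of the missing "program" around it. It assumes a hypothetical login lookup against a constructed in-memory SQLite table: `login_unsafe` is the code a coder without secure-coding training would write, `login_safe` is the parameterized fix, and `injection_regression_check` is the kind of automated test that the governance gap in the article would have left absent. The function names and sample users are assumptions for the example.

```python
import sqlite3

# Constructed sample data for the example (not from the original post).
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Build a throwaway in-memory users table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_unsafe(conn, username, password):
    """The finding: user input is spliced into the SQL text, so a quote in the
    input changes the query's meaning instead of being treated as data."""
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn, username, password):
    """The remediation: parameter binding keeps input out of the SQL grammar."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def injection_regression_check(login):
    """The missing program-level control: an automated check that any login
    implementation behaves correctly on ordinary and on hostile input.

    Returns True only if correct credentials succeed, a wrong password fails,
    and a password containing a quote-terminating tautology is still rejected.
    """
    conn = make_db()
    try:
        # Control case: valid credentials must work for either implementation.
        if not login(conn, "alice", "s3cret"):
            return False
        # A plain wrong password must be rejected.
        if login(conn, "alice", "wrong"):
            return False
        # Hostile input in the password field; safe code sees an opaque string.
        return not login(conn, "alice", "' OR '1'='1")
    finally:
        conn.close()
```

Running the check against both functions shows the point of the article: the vulnerable function fails the check and the parameterized one passes, but the organization only learns that if a test like this is part of a standing process rather than left to the individual coder.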