Preparing for Success: Setting Expectations
Proper expectation setting cannot be overemphasized. Setting reasonable
expectations is critical if the risk assessment is to be successful, because the
process requires significant contributions from different groups that possibly
represent the entire organization. Furthermore, participants need to agree and
understand success factors for their role and the larger process. If even one of
these groups does not understand or actively participate, the effectiveness of
the entire program may be compromised.
While you build consensus during the planning step, set expectations up front
on the roles, responsibilities, and participation levels asked of other
stakeholders. You also should share the challenges that the assessment presents.
For example, clearly describe the processes of risk identification and
prioritization to avoid potential misunderstandings.
Embracing Subjectivity
Business Owners are sometimes nervous when an outside group (in this case,
the Information Security Group) predicts possible security risks that may impact
fiscal priorities. You can reduce this natural tension by setting expectations
about the goals of the risk assessment process and to assure stakeholders that
roles and responsibilities will be respected throughout the process.
Specifically, the Information Security Group must recognize that Business Owners
define the value of business assets. This also means that stakeholders must rely
on the Information Security Group's expertise to estimate the probability of
threats impacting the organization. Predicting the future is subjective in
nature. Business Owners must acknowledge and support the fact that the
Information Security Group will use its expertise to estimate probabilities of
risks. Call out these relationships early and showcase the credentials,
experience, and shared goals of the Information Security Group and Business
Owners.
After completing the planning step, articulating roles and responsibilities,
and properly setting expectations, you are ready to begin the field work steps
of the risk assessment process: facilitated data gathering and risk
prioritization. The next two sections detail these steps before moving on in
Chapter 5 to discuss the Conducting Decision Support phase.
Facilitated Data Gathering
The overview section of this chapter provides an introduction to the risk
assessment process, covering the three primary steps: planning, facilitated data
gathering, and risk prioritization. After you complete the planning activities,
next you will gather risk data from stakeholders across the organization. You
use this information to help identify and ultimately prioritize risks.
This section is organized into three parts. The first describes the data
gathering process in detail and focuses on success factors when gathering risk
information. The second part explains the detailed steps of gathering risk data
through facilitated meetings with technical and non – technical stakeholders.
The third part describes the steps to consolidate this compilation of data into
a collection of impact statements as described in Chapter 3. To conclude the
risk assessment process, this list of impact statements provides the inputs into
the prioritization process detailed in the following section.
Data Gathering Keys to Success
You may question the benefit of asking people with no professional experience
in security detailed questions about risks related to information technology.
Experience conducting risk assessments in Microsoft IT shows that there is
tremendous value in asking both technical and non – technical stakeholders for
their thoughts regarding risks to organizational assets that they manage.
Information security professionals must also gain detailed knowledge of
stakeholder concerns to translate information about their environments into
prioritized risks. Meeting collaboratively with stakeholders helps them to
understand risk in terms that they can comprehend and value. Furthermore,
stakeholders either control or influence IT spending. If they do not understand
the potential impacts to the organization, the process of allocating resources
is much more difficult. Business Owners also drive company culture and influence
user behavior. This alone can be a powerful tool when managing risk.
When risks are discovered, the Information Security Group requires
stakeholder support in terms of allocating resources and building consensus
around risk definition and prioritization. Some Information Security Groups
without a proactive risk management program may rely on fear to motivate the
organization. This is a short term strategy at best. The Information Security
Group must learn to seek the support of the organization if the risk management
program is to be sustained over time. The first step to build this support is
meeting face-to-face with stakeholders.
Building Support
Business Owners have explicit roles in the risk assessment process. They are
responsible for identifying their organizational assets and estimating the costs
of potential impacts to those assets. By formalizing this responsibility, the
Information Security Group and Business Owners share equally in the success of
managing risk. Most information security professionals and non – technical
stakeholders do not realize this connection automatically. As the risk
management experts, information security professionals must take the initiative
to bridge knowledge gaps during risk discussions. As mentioned in the previous
chapter, enlisting an executive sponsor who understands the organization makes
building this relationship much easier.
Discussing vs. Interrogating
Many security risk management methods require the Information Security Group
to ask stakeholders explicit questions and catalog their responses. Examples of
this type of questioning are, "Can you please describe your policies to ensure
proper segmentation of duties?", and "What is your process for reviewing
policies and procedures?" Be aware of the tone and direction of the meeting. A
good rule to remember is to focus on open ended questions to help facilitate two
way discussions. This also allows stakeholders to communicate the true spirit of
answers versus simply telling the Risk Assessment Facilitator what they think he
or she wants to hear. The intent of the risk discussion is to understand the
organization and its surrounding security risks; it is not to conduct an audit
of documented policy. Although non – technical stakeholder input is valuable, it
is usually not comprehensive. The Security Risk Management Team — independent of
the Business Owner — still needs to research, investigate, and consider all
risks for each asset.
Building Goodwill
Information security is a difficult business function because the exercise of
reducing risk is often viewed as reducing usability or employee productivity.
Use the facilitated discussions as a tool to build an alliance with
stakeholders. Legislation, privacy concerns, pressure from competitors, and
increased consumer awareness have led executives and Business Decision Makers (BDMs)
to recognize that security is a highly important business component. Help
stakeholders understand the importance of managing risk and their roles within
the larger program. Sometimes relationship building between the Information
Security Group and stakeholders is more productive than the actual data
collected during the meeting. This is still a small but important victory in the
larger risk management effort.
|
No Prestudy