What came first, the chicken or the risk assessment?

What came first, the chicken or the risk assessment?



If you compare regulatory guidance on cybersecurity risk assessment to the history of information security in the financial industry, there is a good bit of irony. According to pretty much every security standard or regulation that I know of, including the FFIEC, the risk assessment is supposed to dictate every aspect of the cybersecurity program, including the IT Audit plan. As you may know IT Audits have been in full swing for many years. To an extent that ‘audit’ has become a four-letter word to many IT professionals in the industry. Risk assessment, however, has always been lingering just around the corner. It has never really been understood, never really fit in properly, and its inclusion in regulatory IT exams is sporadic.

This article has very little to do with chickens of course, as the title would suggest. But the often repeated question about chickens vs eggs seemed to sum up the article very well. (and hopefully gave somebody a chuckle today)

In our industry and many others, IT Audit came first. The process of performing an independent review of security controls—either by an internal audit department or outsourced to an IT Audit firm—is well defined and a regular item in most annual budgets. Examiners, in most cases, expect the institution to have a third-party audit performed on key controls every year.

Risk assessment has been mentioned for years in FFIEC guidance. If you follow the trail far enough you’ll even stumble upon references to NIST 800-30, which was one of the first official guides for performing an IT risk assessment. What has always been lacking, however, is a thorough understanding of how to perform a risk assessment and what to do with the results. Without a good process to follow, it is difficult to fully digest the goals, intent, and purpose of the risk assessment.

This is unfortunate because the risk assessment should come first.

This slightly mixed up chronology in our industry still causes problems when reporting risk assessment results. The risk assessment is supposed to be a decision-making tool for the organization. There is always more you can do to reduce risk but if you try to put every control in place you’ll bankrupt your organization aiming for perfect security. The key is knowing which controls to have in place. This is the purpose of the risk assessment. It isn’t supposed to look like an audit report or simply a control gap analysis.

Ideally you can spend the time performing the risk assessment to understand what your key controls are, and use the results to build your audit plan around.

If you haven’t found a good process to form your risk assessment into a decision-making tool, you may be interested in our Financial Institution Cybersecurity Risk Assessment Template. Due to the complexities involved in performing risk assessments, we didn’t want to just blast out an Excel file. So the template comes as part of a free e-Course that you can register for.

Happy risk assessing!