[00:00:20.340] – Jason Pufahl
Our resident risk assessment and maybe NIST standards expert, I’d say. So today, we’re going to really focus the conversation around doing risk assessments, trying to understand a little bit better the distinction, say, between risk assessments broadly for information systems, maybe, versus those that might be more broader institutional risks, perhaps. Spend a little bit of time about, really, the drivers why you should do these, maybe emphasizing not to overblow them.
[00:00:55.190] – Jason Pufahl
Carrie, can you just start and talk a little bit about, say, what a risk assessment is and maybe, in comparison to some of the things that people are used to in this space?
[00:01:05.030] – Carrie Bonin
Risk assessment is basically your company sitting down and looking at what could potentially be a business loss or a loss of business. I think it’s a very valuable exercise for any organization, because going into any problems, knowing in advance, you have some way to deal with threats is always helpful. For example, the pandemic, if you had that, or a shutdown procedure in place, or have done a risk assessment based on shutdown, you may have gone into the pandemic a little bit better than the rest of general business.
[00:01:44.080] – Jason Pufahl
So, it’s interesting that you bring up the pandemic right away because a lot of times that we’re engaged in some risk assessment work. I find that a common question is, “Well, what are we planning for? What type of risk are we thinking about?” And if you brought a pandemic, I don’t know, 48 months ago, I think people would say, “Well, the last pandemic was the bubonic plague. How big a risk is it? Is it something we really need to be thinking about?”
[00:02:13.720] – Jason Pufahl
So, I think it’s really interesting to me that you bring that up because it clearly is important to think broadly about those things that might impact your business. And, I guess my question is when you’re approaching this, we’re generally in that technology space, so we tend to focus more on technology risk, how much do you interleave these business risks or the employee risks into the discussions you have?
[00:02:37.850] – Carrie Bonin
I think a major part of any risk assessment is not only employees, but natural disasters, environmental, physical, accidental. When you’re talking about risk, you really want to narrow down to…well, I shouldn’t say narrow…get down to what could potentially cause that loss of business. And it could be anything from a broken water main pipe. That’s not something your IT department is considering when they’re talking about risks. And I think if you get the heads of all your departments together, you’ll find that there’s a lot of risks that you haven’t addressed yet.
[00:03:22.370] – Steve Maresca
It depends on the part of the organization that’s thinking about it, too. HR thinks about it in terms of human capital; of course, finance thinks of it in terms of revenue disruptions to business due to audit findings related to financial handling. And more generally, legal might think of it in terms of liability. The landscape is really broad. And they all are married at the core where it’s about what might harm the business reputationally or in terms of revenue at the end of the day.
[00:03:59.240] – Carrie Bonin
And to get to those risks, you really want to take into consideration your threat and your vulnerability. So, what is the threat and how likely is it to happen? And that’s going to come up with the risks that you are going to then have to act on based on how high that risk is for your organization.
[00:04:22.380] – Jason Pufahl
So how do you track this? So, it’s interesting. Part of the other discussion that we had as we were planning for the podcast a little bit was, let’s make sure that we convey to people that this doesn’t have to be an onerous process. And as we talk about it here, where we’re talking about natural disasters, we’re talking about IT risks, we’re talking about all those maybe common or less common events that might impact the business, how do you scope it so that you don’t just end up too far afield in some of these discussions, or make it feel like it has to be this weekly event that you’re trying to cover?
[00:04:58.930] – Carrie Bonin
It definitely doesn’t have to be weekly, and it doesn’t have to be that intensive. It can be a couple of hours; you would sit down with your organization and decide the methodology you’re going to use. And then focus on what are some of the biggest risks. Maybe go by department and say, “Okay, what is your largest concern? What keeps you up at night? What are your thoughts on a potential risk to our business?”
[00:05:28.110] – Steve Maresca
I think of it also in terms of perception as well, because it’s not entirely internally focused; though, risk assessments are naturally biased in that fashion. If a service organization is thinking about risks, it may simply be relative to perceived risks from external entities, regulating bodies, and similar. So, getting ahead of those components, even if they’re not necessarily internally identified risks, is also part of the conversation.
[00:06:02.830] – Jason Pufahl
I think we all can agree that a risk assessment is good for every company. But certainly, some are probably required by some regulation, perhaps, to have one. I would imagine there’s probably degrees of a risk assessment that you might consider based on the type of client or maybe those things that you’d be compelled to do.
[00:06:25.390] – Carrie Bonin
You should. There’s multiple types of risk assessments. If you have one based on a framework, many of the frameworks now require risk assessment against those controls as part of being compliant with that framework. Other regulatory, federal regulations, based on what type of business you’re in, may require a risk assessment, again, specified towards that regulation and the information or type of business you’re doing.
[00:07:02.990] – Carrie Bonin
But in general, I think, for everyday users that don’t have these regulatory requirements, it can be a much smaller process. It doesn’t have to be this huge exercise. It can be something smaller where they just sit down and say, “Okay, let’s talk about maybe the top 10 risks that we feel are a potential for our business that we could potentially have a loss of business out of.”
[00:07:37.950] – Jason Pufahl
So, ultimately, don’t bury your head in the sand, even if you’re not required to do it. Think through some of these things that are going to be most likely or most impactful and try to figure out how to deal with mitigating them in some reasonable way. There’s always a cost component to that.
[00:07:53.140] – Steve Maresca
I want to emphasize one of the points that Carrie made earlier, which is the fact that internal conversation is necessary within an organization. There might be risks that are presumed to be non-issues, which, when they actually get discussed, become big issues. A silly example could be loss of power in an IT context. Maybe it’s expected that a building with all of the servers in it has sufficient generating capacity to keep everything up and running?
[00:08:23.210] – Steve Maresca
But that may not be true. It’s just a belief that it’s happening, or maybe there’s a line item to maintain generators. But if it’s not being tested, if it’s not being validated, if you don’t know for sure, then it’s a potential impact to business. And those conversations internally help to ferret out those realities versus believed risks.
[00:08:47.510] – Carrie Bonin
Another good example would be a floodplain. How many of you know whether your office is located in a floodplain? I don’t.
[00:08:56.290] – Carrie Bonin
Unless you go and have that conversation with the town or your landlord or business owner, how would you know if you’re in a floodplain? Are your servers all on the first floor? Are they all within one foot off the ground? Are you going to have a problem when that 100-year flood comes through your area? Other ones are lightning strikes, for example. I had a customer who got struck by lightning. So, okay, we’re going to include this in our risk assessment going forward. But their theory was the probability of it happening again is probably very small.
[00:09:38.630] – Jason Pufahl
I need to tease that out for a second, though. So, you had a customer whose building got struck by lightning or the individual got struck?
[00:09:44.250] – Carrie Bonin
No, I’m sorry. The building got struck by lightning. Not the individual.
[00:09:49.070] – Jason Pufahl
So I was thinking, that’s rough. So, in that case, it was the building, not the person?
[00:09:54.310] – Carrie Bonin
Not the person. Excuse me.
[00:09:55.110] – Jason Pufahl
Okay. That’s a relief.
[00:09:57.350] – Carrie Bonin
The building was struck by lightning.
[00:09:59.590] – Jason Pufahl
I guess in a lot of ways, that’s two ways of thinking about risk, right?
[00:10:02.740] – Jason Pufahl
One is less likely than the other. But I suppose it’s a possibility.
[00:10:06.170] – Carrie Bonin
Well, and they figured this would happen. How many times does a business get struck by lightning?
[00:10:11.710] – Jason Pufahl
Right. Well, lightning never strikes the same place twice. So now they’ve solved it.
[00:10:16.020] – Carrie Bonin
That is proven incorrect. They ended up having two lightning strikes the following year.
[00:10:21.380] – Carrie Bonin
And it became a much more likely scenario and a larger risk that they had to address.
[00:10:28.070] – Jason Pufahl
That’s interesting. That’s funny. I mean, you just wouldn’t think like that because that’s one of those reasonably obscure or those low-likelihood things, I suppose, that in that case maybe, for whatever reason, is a higher likelihood. We had discussions with one of our clients that I know was really concerned about being able to pay key vendors in the event of some sort of an IT outage. And their solution was to buy an old-school typewriter to be able to print checks.
[00:10:58.810] – Jason Pufahl
And I bring that up primarily because I think I want to emphasize that just because you have a risk, doesn’t mean that there has to be a complicated solution to mitigating or dealing with it. There’s a variety of ways to address these things, and some of them can be a $200 typewriter.
[00:11:15.230] – Carrie Bonin
Or an extra set of locks. It doesn’t have to be an expensive thing. There are ways to mitigate risks that are fairly inexpensive.
[00:11:25.030] – Steve Maresca
I think this is a reasonable segue into simply itemizing risks so that you can plan reasonably for them. To your point, it doesn’t need to be particularly involved to remediate or to mitigate a problem. But we think of that in terms of risk tracking; we create risk registers to document risks that have been identified, to prioritize them organizationally for funds, to rank them in terms of relative severity, and overall, document decisions made regarding those risks. It’s a more nuanced part of the discussion. And when we talk about risk registers, I think some people shudder a little bit and wonder what kind of level of effort that might mean. But I do want to say, just a spreadsheet is reasonable.
[00:12:12.890] – Carrie Bonin
Every organization is different. What works for your organization may not work for the next organization. So, it doesn’t have to be to a specific standard, as long as it’s understood within your organization.
[00:12:25.920] – Jason Pufahl
And you don’t have to deal with every risk. You could accept some of these risks, for sure. I think for each risk, there’s a decision that goes along with it. You’re going to address it, you’ve got to maybe kick it down the road a little bit and deal with it in the future, or just accept it altogether, perhaps.
[00:12:42.910] – Carrie Bonin
Well, generally, you want to take the threat and the vulnerability and graph it out as far as which ones are really the ones we need to focus on. So, you don’t want to focus on every single threat that your organization came up with. You want to focus on the ones that are going to cause the most damage, that are going to cause the most business loss, financially or production—however you deem this needs to be judged by. And then you sit down and decide what your budget allows to address: what can be addressed, as you said, easily and what maybe is going to take a little bit more budgetary planning to adhere to.
[00:13:30.000] – Steve Maresca
And the flip side of that is what tolerance organizationally exists for certain risks to remain in place, because the capital outlay might be rather substantial; you may need to replace a legacy system that you have for providing software. You name it. But retaining it is critical for the current business. Perhaps you can do so safely; therefore, you’ll tolerate it until it’s a larger problem and passing a threshold. It just means reasonable forethought applied to risks that have been identified so that you can refer back to those decisions made in the past and change as needed.
[00:14:10.430] – Carrie Bonin
Going back to the lightning strike company, the first year, they were like, “All right, well, this was a risk we didn’t see coming. But we’ve had to replace several systems, and now we’re back up and running. I don’t think we need to address this as a vulnerability because lightning doesn’t strike twice.” Well, in fact, it does. So, it was one that they accepted the first year. The second, and then again the third year, it became a little bit more of a focus. And this is no longer something we can accept. So, it changes year-to-year.
[00:14:42.840] – Jason Pufahl
And I think it does speak to the imperfection of the process. You do the best you can with the information you have, and if that information changes, for some reason, you get struck by lightning that second time, you re-evaluate. And it might rise in severity or criticality.
[00:14:58.550] – Steve Maresca
I think where the tone of the conversation changes is if there are third parties making demands of an organization to meet a certain level of risk or to resolve certain risks. And that’s very common when we’re dealing with banking, when we’re dealing with organizations that need to process credit cards, that have regulated data in some capacity. I think the important thing to remember is that, generally speaking, as long as there’s a plan and you stick to your plan, there’s really no ambiguity or urgency aside from that which was effectively selected by the organization to pursue.
[00:15:36.890] – Steve Maresca
There’s a lot of anxiety associated with those externally driven risk assessments. And I think that the main thing to keep in mind is that you make a plan, you stick to the plan, and there’s not much hot water you can get into.
[00:15:52.840] – Jason Pufahl
I feel like we have seen a variety of instances where somebody doesn’t want to see that you are negligent. And as long as you did go through the process of doing a risk assessment, or trying to adhere to a standard and really outlining what your remediation path was going to be, so your due diligence—that’s what people want to see. Clearly, they don’t want you to set up your risks for 10 years. But there needs to be at least a recognition that from a budget standpoint, you might not get to everything for a period of time.
[00:16:24.200] – Steve Maresca
If I’m doing crisis communications and there’s a problem that’s related to a risk, I want to be able to say, “Look, we identified this six months ago. We have a plan to remediate it. This plan has been advanced due to the problem that is related to the crisis at hand…”
[00:16:40.540] – Jason Pufahl
But we knew about it.
[00:16:40.540] – Steve Maresca
“… But we knew about it and we’re acting to resolve it.” It’s a far better story than having to say, “It’s a brand-new problem we didn’t know about.”
[00:16:48.610] – Jason Pufahl
Or we never thought about it before.
[00:16:49.960] – Carrie Bonin
Right. Going back to the pandemic, I think a lot of companies ran into that saying, “Oh, we didn’t actually plan for this to happen.”
[00:16:59.580] – Jason Pufahl
So, there’s remote work for us, or whatever the case might be.
[00:17:02.290] – Carrie Bonin
But if you’re doing that risk assessment, you should be able to pull out, what if the system goes down and everybody has to be remote? That should have been a risk that you guys looked at, to begin with.
[00:17:15.040] – Jason Pufahl
I worked for an organization where we had a pandemic license for our VPN that we carried for probably 10 years. And basically, you just paid for the privilege of increasing your user count for a lower cost when the time comes. So, you’re buying insurance in a way. And I think we carried that for 10 years before finally, we’re like, “Well, we never use this.” We’re probably still going back eight or so years, so I don’t know. But it’s just interesting, the things that maybe seemed important that after a while, they say, “Well, the likelihood of this happening is pretty low. I think we’ll just stop spending this money.” And there you go.
[00:17:56.160] – Carrie Bonin
And that’s another thing that should come out of your risk assessments, is how vulnerable, how likely is this going to happen? And that will change where that falls in your priorities. If it’s a lower likelihood that it’s going to happen, maybe that drops down a little bit. If it’s zero likelihood, then, yay, that comes completely off. But a pandemic was lower on everybody’s likelihood register.
[00:18:26.550] – Jason Pufahl
For sure. And it could be high likelihood, cost you a million dollars to fix, but potentially result in $50,000 worth of business loss. There’s that equation as well, which is sure, this is likely to happen, but to address it is going to cost way more than the impact ever would be, so we’re just going to accept it, which is totally reasonable.
[00:18:51.760] – Carrie Bonin
And with all risk assessments, that is one of the options. You can just accept it. It’s totally up to your organization as what your threat tolerance is.
[00:19:04.540] – Jason Pufahl
I feel like we touched on pretty much everything that we wanted to. The takeaway that I think we really wanted to make sure we drove home was every organization should do a risk assessment. And it doesn’t have to be run by an external entity. I think in some cases, there might be good reason for that. If you have a regulatory requirement, of course, I think there’s some good sense to that, if you just want somebody who’s done it formally and can help your organization walk through it. But even at its most basic, sitting down for a couple of hours, to your point, Carrie, and just talking about those things that might impact your business, it’s a good practice to do. Any final points that you want to make before we look to close up?
[00:19:48.150] – Carrie Bonin
Other than, I don’t know if we discussed it, but the types of risks that you want to look at, really, don’t limit them to your IT department, to the malicious actor. That just is not realistic. You also have accidental human involvement, environmental, physical, security. You got to look at all of the risks.
[00:20:13.230] – Jason Pufahl
Right. And at the end, balance them against each other.
[00:20:16.170] – Steve Maresca
I’ve seen umbrellas in data centers before. And I think that underscores your point in a silly way.
[00:20:25.000] – Jason Pufahl
It does. We’ve seen umbrellas in data centers, for sure. Data centers tend not to get the best real estate. Let’s face it.
[00:20:33.210] – Carrie Bonin
No. Actually, there was one other customer that had a building. It was an old house that they turned into an office building. And they had used what was originally for what I would imagine would have been the coat closet for the house, turned into their server room. So, when you walked in the door, the first door in front of you was the server room, and quite often left open. And then you turn to look at the receptionist who was not always at her desk. If you’re looking at something like that, your risk is somebody actually coming in and walking away with your server.
[00:21:10.040] – Carrie Bonin
And the vulnerability is kind of high if the door is open and it’s the first thing you see, with a direct path outside. Those are the type of things you really need to consider.
[00:21:20.290] – Jason Pufahl
I think that underscores that common philosophy of IT just needs to work. It doesn’t have to be pretty. In a lot of cases, I think people don’t think it has to be secure. They want to leave it alone because it feels fragile and tenuous. We see it all the time, places where janitors’ closets double up as a server farm, huge fiber conduits running alongside air vents to the outside. When you look critically, there’s risks all over the place. Whether you need to deal with them or not, it’s a whole different story. But looking and cataloging them is always important.
[00:22:00.100] – Jason Pufahl
So, on that, I think our advice is follow through on a risk assessment internally, get external support. The justification is there. If you’ve got any comments on ways that you’ve done risk assessments internally successfully, we’d love to hear them. Feel free to reach out to us at Vancord on LinkedIn, or VancordSecurity at Twitter. We’re always happy to have a conversation following this. And as always, we hope you get some value out of this. Steve, Carrie, thanks for joining today. And everybody, have a good day.
[00:22:33.750] – Speaker 1
Stay vigilant. Stay resilient. This has been CyberSound.