Newsletter #1: Measuring Risk Is Hard
Welcome to my first email! Super excited to have you on board.
This week, I want to talk about measuring risk and its complexities. It’s a bit of a grey area in the field of infosec: it’s still maturing and HARD to quantify. I’ll try to keep it short as there can be a bunch of rabbit holes.
First of all, let’s talk about the role of a security practitioner in relation to risk. Our job is to convey a complete picture of vulnerabilities or possible vulnerabilities to businesses and stakeholders. There are a couple of components to it:
- Impact: What will be the impact of this vulnerability if it was exploited? Conversely, what’s the impact if it’s not fixed?
- Likelihood: What are the chances this vulnerability can be exploited or taken advantage of? Is there any precedent at the company previously? What about industry trends?
If you distill it down, these are the major items that feed into risk. If you can assess the above in as much detail as possible, you can figure out Business Risk, Reputational Risk, and other risk factors. One caveat, though: these are often point-in-time assessments. We try to do our best to get a complete picture, but things can be missed without being in the trenches, which can either increase or decrease some of the levers above.
There are and can be tons of other factors to take into consideration, such as classification of data affected, the importance of the system in question, industry reputation, and expectations. For example, are you a bank or a small startup with no important data? Keep in mind that these can be subjective, so it will require a team effort.
Ultimately, it’s just our job to COMMUNICATE the complete picture—not just measuring risks. It’s up to the business to accept it or mitigate it at the end of the day.
Ok, I said I would keep this short so I’ll stop here.
Let me know your thoughts. You can always reach me at [email protected].
This article was previously posted in the Newsletter.
If this article was helpful to you, consider subscribing to my weekly newsletter, where I share my latest commentary as a vCISO for high growth startups.