Preparing for Success: Setting Expectations
Proper expectation setting cannot be overemphasized. Setting reasonable
expectations is critical if the risk assessment is to be successful, because the
process requires significant contributions from different groups that possibly
represent the entire organization. Furthermore, participants need to understand
and agree on the success factors for their role and for the larger process. If even one of
these groups does not understand or actively participate, the effectiveness of
the entire program may be compromised.
While you build consensus during the planning step, set expectations up front
on the roles, responsibilities, and participation levels asked of other
stakeholders. You should also share the challenges that the assessment presents.
For example, clearly describe the processes of risk identification and
prioritization to avoid potential misunderstandings.
Embracing Subjectivity
Business Owners are sometimes nervous when an outside group (in this case,
the Information Security Group) predicts possible security risks that may impact
fiscal priorities. You can reduce this natural tension by setting expectations
about the goals of the risk assessment process and by assuring stakeholders that
roles and responsibilities will be respected throughout the process.
Specifically, the Information Security Group must recognize that Business Owners
define the value of business assets. This also means that stakeholders must rely
on the Information Security Group's expertise to estimate the probability of
threats impacting the organization. Predicting the future is subjective in
nature. Business Owners must acknowledge and support the fact that the
Information Security Group will use its expertise to estimate probabilities of
risks. Call out these relationships early and showcase the credentials,
experience, and shared goals of the Information Security Group and Business
Owners.
After completing the planning step, articulating roles and responsibilities,
and properly setting expectations, you are ready to begin the field work steps
of the risk assessment process: facilitated data gathering and risk
prioritization. The next two sections detail these steps before moving on in
Chapter 5 to discuss the Conducting Decision Support phase.
Facilitated Data Gathering
The overview section of this chapter provides an introduction to the risk
assessment process, covering the three primary steps: planning, facilitated data
gathering, and risk prioritization. After you complete the planning activities,
next you will gather risk data from stakeholders across the organization. You
use this information to help identify and ultimately prioritize risks.
This section is organized into three parts. The first describes the data
gathering process in detail and focuses on success factors when gathering risk
information. The second part explains the detailed steps of gathering risk data
through facilitated meetings with technical and non-technical stakeholders.
The third part describes the steps to consolidate this compilation of data into
a collection of impact statements as described in Chapter 3. To conclude the
risk assessment process, this list of impact statements provides the inputs into
the prioritization process detailed in the following section.
Data Gathering Keys to Success
You may question the benefit of asking people with no professional experience
in security detailed questions about risks related to information technology.
Experience conducting risk assessments in Microsoft IT shows that there is
tremendous value in asking both technical and non-technical stakeholders for
their thoughts regarding risks to organizational assets that they manage.
Information security professionals must also gain detailed knowledge of
stakeholder concerns to translate information about their environments into
prioritized risks. Meeting collaboratively with stakeholders helps them to
understand risk in terms that they can comprehend and value. Furthermore,
stakeholders either control or influence IT spending. If they do not understand
the potential impacts to the organization, the process of allocating resources
is much more difficult. Business Owners also drive company culture and influence
user behavior. This alone can be a powerful tool when managing risk.
When risks are discovered, the Information Security Group requires
stakeholder support in terms of allocating resources and building consensus
around risk definition and prioritization. Some Information Security Groups
without a proactive risk management program may rely on fear to motivate the
organization. This is a short-term strategy at best. The Information Security
Group must learn to seek the support of the organization if the risk management
program is to be sustained over time. The first step to build this support is
meeting face-to-face with stakeholders.
Building Support
Business Owners have explicit roles in the risk assessment process. They are
responsible for identifying their organizational assets and estimating the costs
of potential impacts to those assets. By formalizing this responsibility, the
Information Security Group and Business Owners share equally in the success of
managing risk. Most information security professionals and non-technical
stakeholders do not realize this connection automatically. As the risk
management experts, information security professionals must take the initiative
to bridge knowledge gaps during risk discussions. As mentioned in the previous
chapter, enlisting an executive sponsor who understands the organization makes
building this relationship much easier.
Discussing vs. Interrogating
Many security risk management methods require the Information Security Group
to ask stakeholders explicit questions and catalog their responses. Examples of
this type of questioning are, "Can you please describe your policies to ensure
proper segmentation of duties?", and "What is your process for reviewing
policies and procedures?" Be aware of the tone and direction of the meeting. A
good rule to remember is to focus on open-ended questions to help facilitate
two-way discussions. This also allows stakeholders to communicate the true spirit of
answers versus simply telling the Risk Assessment Facilitator what they think he
or she wants to hear. The intent of the risk discussion is to understand the
organization and its surrounding security risks; it is not to conduct an audit
of documented policy. Although non-technical stakeholder input is valuable, it
is usually not comprehensive. The Security Risk Management Team — independent of
the Business Owner — still needs to research, investigate, and consider all
risks for each asset.
Building Goodwill
Information security is a difficult business function because the exercise of
reducing risk is often viewed as reducing usability or employee productivity.
Use the facilitated discussions as a tool to build an alliance with
stakeholders. Legislation, privacy concerns, pressure from competitors, and
increased consumer awareness have led executives and Business Decision Makers (BDMs)
to recognize that security is a highly important business component. Help
stakeholders understand the importance of managing risk and their roles within
the larger program. Sometimes relationship building between the Information
Security Group and stakeholders is more productive than the actual data
collected during the meeting. This is still a small but important victory in the
larger risk management effort.