Treat the worst first

The potential for political change after the U.S. presidential election is real, as are the possible consequences of lower oil prices and a Chinese economy struggling to maintain its growth. Physical attacks we witnessed in 2015 were horrific, and cyber breaches continued to shake our confidence in companies that were supposed to keep our personal information secure.

Security professionals need to adapt to these ever-changing risks with (in many cases) smaller budgets and headcounts than in previous years. I haven’t heard a security director yet tell me they have more than enough staff to deal with their projects, initiatives, and day-to-day concerns. As well, the shortage of new entrants into the cyber security profession continues to impact companies across the globe.

 With all the change, how can we continue to efficiently identify risks to our organizations? How can we assess those risks that are most impactful to our companies, and work on recommendations to remediate or at least lower the affect a risk may have on our organization? With the limitations we’re facing in 2016, are there opportunities for us to change?

One approach I’ve previously taken is developing a risk triage process. It’s similar to the approach physicians take with patients entering an emergency room. I borrowed the practice from a good friend of mine who was becoming a doctor, and spent long hours at a busy Toronto ER. The goal of a medical triage process is to assess patients based on the urgency of care, and treat those whose need is most urgent first. If a patient enters the ER with a heart attack, they’ll receive treatment faster than a patient who is concerned they may have a cold.

We can borrow this approach for assessing risks facing our organization. In previous positions, we developed a repeatable triage process for risk assessments, focusing on those initiatives that appeared to pose the greatest risk to the organization. We targeted the majority of our efforts on larger or more risky initiatives, and less time assessing smaller or less risky engagements.

To do this, we incorporated the “two man rule” for the triage process. When a request came into the team for assistance, at least two team members would review the initial request and try to quickly determine if the risks posed by the project were potentially low or high to our environment. This approach wasn’t perfect, and it took a bit of healthy debate to work through that first meeting. The end result was a documented process we could adapt for most situations, and allowed us to be more nimble in our response to the requests that kept coming from the organization. Some assessments were completed quickly, and offered the project team remediation suggestions in a day. Other assessments took more time and resources, but the triage process created the flexibility to spend more time on larger projects because the smaller or less risky engagements were identified and assessed sooner in our review process.

Developing a nimble response to client requests will serve your security team well. If the predictions for 2016 are accurate, we must react quickly to threats facing our organizations. The threat landscape in 2016 appears more dynamic than 2015 with significant changes predicted for the global economy, increased violence from terrorist organizations, and new cyber threats targeting both private and public sector information networks. A risk triage process may help you become that reliable business partner in what is shaping up to be a challenging year.
 
Tim McCreight is director, advisory services at Above Security (www.abovesecurity.com)