"Let's not forget that it's you and me vs. the problem...NOT you vs. me."
Whether addressing new business opportunities, visualizing risks on existing processes and assets, or other reasons, security and assessment leaders must take a prominent yet supportive role when it comes to cybersecurity issues.
Specifically, assessment teams must be seen as trusted partners to support the organization and provide recommendations to leadership and stakeholders on cybersecurity by delivering value instead of slowing the organization down.
The assessments are great opportunities for security teams to engage in business conversations with product owners and stakeholders on issues, such as risk management, not related specifically to security controls. They also create a forum for security leaders and their team to build relationships and collaborate.
Here are some suggestions for leading and facilitating risk assessments that will help security leaders (and their teams) become a trusted partner:
• Communicate the goal, timelines, deliverables, and expectation of the risk assessment early so all stakeholders understand "the why, what, how, and when" and support the effort.
• The team should be a facilitator, not a "dictator".
• Everyone's voice is important. Help people feel comfortable and engaged.
• This is not the time to jump the gun and start pointing out gaps, deficiencies, etc. They will surface naturally and should be discussed. Understand that some may be remediated, and some may not.
• If one is available, leverage the security reference architecture to identify patterns and compensating controls available that can lower the Residual Risk.
• Encourage creativity and collaboration to help the team identify mitigating controls.
• When assessing and suggesting mitigation controls, make sure that the teams' input is accounted for in terms of resource availability, budget, time and effort.
• Encourage the team to explore different options that can be presented to stakeholders and decision makers.
• Show empathy. The delivery teams are usually busy, and the mitigation controls may be challenging or unpopular and they usually carry additional unplanned work for the delivery team.
• Help the team deliver a mitigation plan/roadmap. It is not wise to expect that all controls be implemented before launching an initiative or delivering goods or services. Instead, try to deliver controls incrementally based on risk.
• Continue to keep the team informed on progress on the key actions that were defined and scheduled through completion.
Once the assessment and all artifacts are completed, issue the recommendation to the assessment participants. The options are listed below; make sure that the team agrees that these are all the options.
• Accept risk with the residual risk rating as is (or not enough controls recommended)
• Mitigate risk by implementing mitigating controls.
• Not moving forward with the initiative may be a valid option too. You would have to deliver a business justification, as with any recommendation.
Once there is agreement and a recommendation, bring the assessing team together to deliver it to product owners and stakeholders. This is another opportunity for the security team to collaborate and build relationships. When delivering the recommendation, let the product owner take the lead and state the opportunity at hand, and even start the conversation about the risk identified, in the form most consumable for your culture (e.g., slides, spreadsheets).
It is important to communicate all options explored for mitigation including pros, cons, cost, and resources. The assessment leader should be a supporting partner to the product owner by adding details or clarification as needed. Another way to do this is to define the role of each team member for the delivery of the results. It is important that all participants have an opportunity to opine before asking the stakeholders to decide how to treat the risk presented.
Be prepared for some negotiation, compromise and come to an agreement on certain areas that may or may not be part of the recommendation. It is important that leaders are objective and keep an open mind while encouraging everyone involved to do the same in order to deliver a business solution that adds value to the organization.
Nobody in the meeting should make things personal. Help all involved parties understand that sometimes difficult decisions need to be made in the best interest of the business. This is important because many security folks get frustrated when their recommendations are not followed or risk is accepted, but again, the goal of the security leader is to lead a conversation and decision that weighs opportunity vs. risk, not "issue vs. security". Likewise, the product owners and stakeholders may get frustrated if the security team is not willing to negotiate. Remember, as a security leader, you are trying to build a partnership.
Approaching risk assessments objectively, collaboratively, and with an open mind will lead to more educated decision making, which ultimately will translate into value delivered by the security team, better relationships across the business, trusted partnerships, and credibility for the program.