"Cooking is like painting or writing a song. Just as there are only so many notes or colors, there are only so many flavors - it's how you combine them that sets you apart." - Wolfgang Puck
I like this quote as I think it actually can draw comparisons to talented risk analysts.Every risk analysis begins with scoping, a single critical step that many incorrectly perceive as straightforward. In truth, we are not presented with perfect recipes from the business from which to do our work. We are often presented with nothing more than one or two ingredients.
Examples may include:
- The Cloud
- Cyber Criminals
- Bad Passwords
Each of these on their own are nothing more than a concern or issue or control failure. We can’t measure risk yet because a clear scenario from which to derive a frequency and magnitude hasn’t even been defined.
Talented risk analysts have the skills needed to take these ingredients and combine them with other parts to make well-structured scenarios or “complete recipes”.
I prefer doing this via a conversation when I can ask additional questions with the primary stakeholder. These discussions help me identify the other ingredients needed for the recipe.
Example for #1 “The Cloud”
- What is it that worries you about moving this application and its data to the cloud?
- Is it primarily around data privacy or are you more concerned with availability?
- Who are you primarily worried will maliciously access this data?
- I think you can start to see that from similar lines of questions you can form a complete recipe from a single ingredient.
Read next: 3 Risk Identification Questions You Should Be Asking