This may not come as a shock, but a big part of what a risk analyst does is analyze the issues an organization is concerned could occur.
The analysis part of the job spans an entire process, but a critical first step is identifying the things that are actually worth conducting a risk analysis over.
This really boils down to the scenarios, or loss events that are at the genesis of the risk analysis process.
And it’s here that I’ve noticed that many analysts struggle:
- They don’t seem to have a good understanding of what IT/cybersecurity events the organization is concerned with.
- For those critical assets that could be the star feature of an analysis, they really aren’t sure of the most probable attack vectors.
Both of these gaps make developing viable risk scenarios exceptionally difficult.
So, what’s the root cause of this?
I’m sure there are a variety of reasons why this is the case, but speaking from my own experience, the largest culprit seems to be a lack of interaction and poor communication with those in the know.
It almost sounds too basic, but the unfortunate effect of “siloing”, where departments stick almost exclusively to themselves and only venture outside their silo when forced to, is limited information sharing. To me, this is a death sentence for coming up with viable scenarios to analyze.
Like that cool kid in high school, who inexplicably could traverse among groups unscathed, a good risk analyst does the same between silos to gather information that would make for good scenarios.
Whom to reach out to?
Although there are others, for the purpose of this post I’ll focus on two groups:
- IT/Cybersecurity: Members of IT or Cybersecurity are excellent sources for historical events. They know what has happened in the past and how it happened, and they are likely to be your source for understanding whether it is likely to happen again. They are also great sources of “near misses”, for example, when someone has made it onto the network but was caught before a loss occurred. All of their insight makes for fantastic scenarios.
- The Business: It’s almost assured that the risk analyst team has a limited understanding of the business, not to mention the various processes in place, and which critical IT assets help to facilitate those processes. By taking the time to listen to the business, and gain a better understanding of what they do and how they do it, the risk analyst team understands from the business’ perspective what’s really important, along with what events could severely impact them. Beyond just being great scenarios to analyze, the risk analyst team develops a relationship with the business that will continue to pay off in the future.
As I mentioned above, there are absolutely other departments that can serve as excellent sources for viable risk scenarios to analyze. Don’t be afraid to leave your silo and venture out.