A long time ago in a galaxy far, far away, an ineffective risk assessment brought down an entire Empire.
It is a period of ever-evolving threats. Hackers, striking in new and advanced ways, have made us all concerned for the future of our organizations.
During the Secure Miami 2023 Conference on May 4th, hosted by DigitalEra Group and Florida International University, KirkpatrickPrice Founder and President Joseph Kirkpatrick presented a plan for defending against these great threats: the RISK ASSESSMENT, the only solution to protect against vulnerabilities.
Pursuing a solution of security and confidence against today’s threats, Joseph discussed the importance of risk assessment and management and why an organization’s commitment to both is essential to saving your organization and restoring the freedom of the galaxy…
With new technology and threats arriving on the scene daily, something like risk management can easily fall to the wayside. However, it’s the ancient art of risk management that will help us prepare for the future of cybersecurity. A risk assessment is our trusted weapon against all of the forces we’re constantly facing that are trying to keep us from achieving our compliance goals.
Let’s look at one of the most famous risk management examples ever committed to film, Star Wars: Episode IV – A New Hope, and learn from their mistakes, so your organization doesn’t face similar destruction.
Acknowledging the Problem
Do you struggle getting people involved in the security of your organization? Do you find it difficult to identify the people who need to participate in your risk assessment process? Is your risk assessment process boring and uninspiring? At KirkpatrickPrice, we know that these are real problems your organization is facing because we look at the risk assessment results of our clients.
Maybe your risk assessment is performed by just one person, or the results look suspiciously similar to the risk assessment results from last year. Maybe departments don’t know what the risks are, or that a risk assessment even takes place. Sometimes, even the board of directors isn’t aware of what is needed for a proper risk assessment.
We believe that the attitude around risk management has to change in the future because the threats we are facing are growing and forcing us to change the way we do risk assessment. We have to make the process more interesting, relate it to our mission, involve more people within the organization, and recruit people from all levels to be on the risk assessment team.
Assembling the Team
Let’s break down the scene:
The man on the right leaning on the table is voicing his opinion that they aren’t doing enough. Their lack of action is causing them to be sitting ducks since the Rebel Alliance has a plan. He thinks that by doing nothing, they are all at risk.
However, the man on the left is in disagreement. He claims that the Death Star is the most dangerous weapon in the galaxy and cannot be destroyed.
The man on the right counters that the Death Star is not even operational yet, so how can anyone in that meeting claim that there is no risk?
In this scenario, the security officer is Darth Vader. He interrupts, telling them all that he has a strategy: they are going to recover the plans, find out what the Rebel Alliance has planned, and stop it using the Force. Darth Vader is relying on the security control that is his power.
The man on the left is not convinced, though. He reminds Darth Vader that his power didn’t do anything when they didn’t identify where the plans were before. Where was the security control then?
Security officers often like to use language that is mysterious and threatening to control the people in the room. While we hope your security officer’s intentions aren’t as nefarious as Darth Vader’s were, the people in the room can sometimes still feel like they are in a force choke.
The security professionals within an organization, or those brought in during an audit, can sometimes be hard to understand and relate to when security and risk are not common topics throughout the organization. Their advanced terminology and knowledge can feel suffocating to other members of the organization. To avoid being seen as the Darth Vaders of the organization, the security officers need to include members from all departments to be a part of the organization’s risk management program. This is an alliance after all.
Security professionals should not be leading an organization’s risk management program. They should have a seat at the table, but the risk management program needs to be facilitated by someone who is creative and respected by the entire team. This may be someone you would not have thought about for this role initially, but there is someone in your organization who will be able to bring people together for the common goal to better the organization. The more people who see the value in a strong risk management strategy, the more successful your organization will be against impending threats.
Security professionals are often too intimidating to the team, so their efforts may not be as effective as someone who is able to facilitate a collaborative conversation. It can be difficult for security professionals to take a step back, but it’s for the best. Just like Anakin, security professionals care a little too much to be relatable at times.
When assembling your risk assessment team, consider who you are including. You need people from HR, sales, marketing, and people from operations. Make sure a high-level executive is also in the room as well as someone who understands the risks that the organization is up against. Include generational diversity as well. Gen Z members of your organization might be able to provide a different understanding and perspective on new solutions or technology that could be incorporated to help mitigate risk. Diversify your risk assessment team as much as possible to ensure you’re preparing for risks of all kinds.
Identifying the Vulnerability
So, what turns out to be the vulnerability in A New Hope?
The Death Star was not invincible like everyone believed. Vulnerabilities can stem from anywhere in the organization. Engineers, designers, or even stormtroopers could all make mistakes and cause vulnerabilities to arise.
In our example, the vulnerability that the Empire ignored was the thermal exhaust port.
Too many risk assessments focus only on the threats, like a hacker, malicious employee, or vendor error, but fail to connect those threats to their own vulnerabilities. The exhaust port was only two meters wide. Even the smallest threats and vulnerabilities left unchecked can lead to disaster.
For example, phishing attacks are increasingly common and should be considered a threat to any organization. However, simply identifying that phishing is one of the many ways threat actors could get into an organization’s environment isn’t enough. Instead, an organization could perform a risk assessment to identify how suspicious emails are making their way into employee inboxes and determine whether a control like more frequent employee training or multifactor authentication (MFA) could be implemented to minimize the threat before it gains any traction or causes any damage.
Threats are important to consider, but by only focusing on threats that could affect your organization, you’ll be reactive when you should aim to be proactive. When the focus of your risk management strategy shifts to include vulnerabilities, you can adjust your controls to prepare for the threats your organization faces more efficiently. Save time and money by putting in the work now instead of waiting for a breach to occur.
By considering possible vulnerabilities and implementing controls to remediate those vulnerabilities, you’ll be able to quickly adjust your controls for any threats that arise.
Another reason involving members from every department in your risk management strategy is important is that people need to understand how to respond and adjust when a threat comes onto the scene. It’s important that people understand what needs to happen during a malicious attack so the problem can be resolved before any major damage occurs.
The Death Star had cannons defending against other threats, but when an officer realized that the Rebel fighters were too small for them to be targeted effectively, he went to Darth Vader quickly to report this threat. Darth Vader was then able to make the decision to try to take the Rebel Alliance down one threat at a time. This wasn’t part of the original plan, but they were able to quickly adjust their plan because they had the control in place to do so.
Creating a Supportive Environment
In this scene during the battle, the man on the right is nervous to talk to Grand Moff Tarkin because he’s not sure what his reaction will be when a possible threat is reported. The man informs Grand Moff Tarkin that there is danger from the Rebel Alliance and asks if the crew should ready his ship. Instead of really listening to the man, Grand Moff Tarkin dismisses the threat report.
Security professionals have to foster an environment where people can share information or observations no matter how minor it may seem because what seems like nothing at first could end up saving your organization from a major breach in the future.
Because cybersecurity and risk management can feel like intimidating topics for people who aren’t security experts, creating an environment where speaking up is encouraged can help your organization become more secure. Ineffective leaders invalidate the concerns of people on their team, so make sure you’re intentional about asking others about their opinions or observations.
When an employee raises a concern, the nature of the problem may not be immediately evident. Take the time to ask questions about concerns that are brought to your attention to better identify the true root of the problem or vulnerability. Even if an employee does not have the cybersecurity understanding to highlight the exact issue, they will be able to let you know when something isn’t functioning correctly.
Focus on the Mission
A successful risk assessment process is connected to an organization’s mission. What is your organization striving to accomplish? What is standing in the way of that goal? Relating risk management to a common goal that everyone in your organization is already working towards is a great strategy to create security champions throughout the entire company.
In our example, the organization’s mission was to dominate the galaxy. We know that your organization is working towards a more noble goal, but the only way you can make sure your organization stays on track to fulfill your mission is by properly focusing on a risk assessment process.
Not only do you want members from all departments involved in your risk management process, but you also want the board’s support. Security needs to be a top-down initiative in every organization. Sometimes getting the board to care about security when they have other daily priorities can be a challenge. By connecting the security of the organization to the organization’s ability to carry out its mission, the importance of risk management will become clear. Without proper risk management, your organization becomes susceptible to attacks that could cost you thousands, if not millions, of dollars and plant a seed of distrust amongst your clients, making it impossible for you to follow through on your mission. Once these larger ramifications are brought to the attention of your board and C-level executives, the importance of a solid risk management process is undeniable.
At the end of the day, know that everyone in the organization plays an important role, no matter how big or small, in the overall security and success of the organization. Treat everyone like they are important to the cause, because they are!
Towards the end of the movie, there’s a scene when Luke comes back from destroying the Death Star. As Luke climbs out of his ship, we see a man bring over a ladder. After Luke comes down the ladder, he slaps the man who provided the ladder and brings him into the victory celebration. Remember, even the seemingly least impactful people can play a role in the success of the mission.
Spend time training and educating your team to strengthen your organization’s security culture. By prioritizing risk management within your organization, you’ll avoid falling victim to the Dark Side.
Disclaimer: This blog post is a sponsored content piece highlighting the key takeaways from Secure Miami 2023 Conference, which was hosted by DigitalEra Group and Florida International University. The content of this post has been published by Kirkpatrick Price and the original blog post can be referenced here: https://kirkpatrickprice.com/blog/risk-assessment/lessons-from-the-galaxy-and-a-new-hope-for-our-future-a-look-into-risk-management-from-secure-miami/.
We would like to express our gratitude to Kirkpatrick Price for their support in producing this informative recap.
DigitalEra is your trusted security advisor that provides best-in-class solutions with Next Gen technologies and managed services to companies and governments throughout the US, Latin America, and the Caribbean. Our deep technical knowledge, industry-leading certifications, and proven experience allow us to better understand our customers’ needs and provide innovative solutions. We are passionate about protecting our customers. We offer peace of mind by safeguarding organizations from cybersecurity risks and enable our customers to accelerate growth and focus on their operations. For more information, visit: www.digitaleragroup.com.
About Kirkpatrick Price
At KirkpatrickPrice, we want to make sure your audit is worth it.
KirkpatrickPrice is an information security auditing firm whose goal is to make sure you are secure and compliant with whatever industry standards or customer demands you are facing. We want to partner with you and empower you to reach your challenging compliance goals so you can achieve assurance that your business is operating as you intended: securely and effectively.
As a licensed CPA firm, PCI QSA, and HITRUST CSF Assessor, we most commonly perform SOC 1, SOC 2, HIPAA, HITRUST CSF, PCI DSS, GDPR, ISO 27001, and FISMA audits, as well as penetration testing.