Risk Management: Mistakes and Lesson Learned
Don't Risk Reputation
Posted on Tuesday, May 17th, 2016 by Tim McCreight
This article was originally published in Canadian Security Magazine, in the March/April 2016 edition.


Risk Assessment Mistakes: If You Rush, Your Reputation Will Fall

As an organization matures its risk management program, opportunities arise to identify controls that satisfy a number of similarly themed risks.  The benefit of searching through a library of risk assessments becomes immediately evident when you review not only the risks, but also the recommendations and remediation plans.


Finding Time: The Key to Quality

Security professionals are like other busy personnel: we complete our assignments, fight the (many) organizational fires that occur on a daily basis, and assess our progress against milestones and budget requirements.  Not everyone has the capacity to go back through a paper or online system, identify the risks raised in previous assessments, and review the plans that were put in place to remediate them.

Finding time to do this activity can save you countless hours of reworking solutions, and lifts your risk maturity to new levels.  What may appear to be an onerous trudge through past assignments can offer new opportunities to reuse solutions for similar circumstances.

In a few of my past lives, I found some quiet time during the Holiday Season to review a number of risk assessments that were conducted during the year.  I really wanted to ensure my team had completed the risk assessment process and that we’d documented our work activities appropriately.

What I experienced instead was an epiphany of sorts – we had provided an eerily similar type of recommendation for over a half dozen risk reports.  The assessments were diverse, ranging from a standard review of a commercial off the shelf (COTS) software package to a significant upgrade to an older, legacy system.  The same risk theme, or concept, kept coming up from each assessment.  And a similar recommendation was presented for each report.  The recommendations, although accurate, were repetitious and could have been managed as one general risk remediation program.

Had I simply taken the time at the end of each assessment and thoroughly reviewed the risks and recommendations against similar assessments, I would have documented a clear pattern of remediation.  Instead of starting a half dozen small projects to reduce risk, I could have created one larger initiative that would deal with these assessments, and potentially more in the future.


Lesson Learned

The lesson I learned that festive season is to never let your risk assessments end with the report to the client.  Before you finish the report, create an internal process that brings the key risks and recommendations from the assignment back into the security group for another perspective.

As I’ve noted in past columns, your risk register is a great starting point for this activity. If your risk assessment highlighted a risk similar to one already documented in the register, check the existing remediation plan and its recommended activities to determine whether they also reduce the risk your assessment identified.

If the recommendations aren’t an exact match, that’s fine.  Since I started conducting this internal review a number of years ago, I have been able to identify higher-level activities that resolve a number of physical and logical risks at once, which I wouldn’t have seen in the past.  One great example involved launching an education and awareness campaign that focused not only on information security principles, but on privacy and physical security concepts as well.  Developing one training platform addressed three specific training risks and even saved development funds: the online course and supporting materials were developed once, with input from all three teams.  Once the course was in place, the remediation plan for three distinct risks was considered complete.
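The review described above, mapping each new finding onto a register theme and flagging themes that several assessments raise without an existing plan, is easy to make mechanical. The following is an added example written for this page, not code from the column or from Hitachi Systems Security; the assessments, register entries and keyword-to-theme mapping are all constructed for illustration, and a real register would use its own taxonomy.

```python
"""Cross-check findings from several risk assessments against a risk register.

Added example, not part of the original column.  All data below is constructed:
the register, the findings, and the keyword vocabulary used to normalize
free-text risk statements into register themes.
"""
from collections import defaultdict

# Constructed risk register: theme -> remediation plan already in place.
RISK_REGISTER = {
    "patch management": "Quarterly patch cycle covering COTS and legacy platforms",
}

# Constructed findings from several assessments conducted during the year.
FINDINGS = [
    {"assessment": "COTS HR package review",
     "risk": "Staff routinely click links in simulated phishing campaigns",
     "recommendation": "Run phishing awareness training"},
    {"assessment": "Legacy billing system upgrade",
     "risk": "Application runs on an unsupported operating system with no patch source",
     "recommendation": "Migrate to a supported platform"},
    {"assessment": "Data centre physical review",
     "risk": "Tailgating observed at the loading dock entrance",
     "recommendation": "Brief staff on challenging unbadged visitors"},
    {"assessment": "Privacy impact assessment",
     "risk": "Personal data stored on unencrypted USB sticks; no training on handling",
     "recommendation": "Deliver privacy handling training"},
    {"assessment": "Remote access review",
     "risk": "Contractors use a shared account for remote administration",
     "recommendation": "Issue named accounts"},
    {"assessment": "Legacy billing system upgrade",
     "risk": "Vendor no longer supplies updates for the database",
     "recommendation": "Upgrade the database"},
    {"assessment": "Remote access review",
     "risk": "No periodic access review of VPN accounts",
     "recommendation": "Quarterly access review"},
]

# Assumed vocabulary (hypothetical): theme -> keywords that indicate it.
# Themes are checked in this order; the first match wins.
THEME_KEYWORDS = {
    "security awareness": ("awareness", "training", "phishing", "clean desk", "tailgating"),
    "patch management": ("patch", "unsupported", "end of life", "update"),
    "access control": ("privilege", "shared account", "access review"),
}


def classify(risk_text):
    """Map a free-text risk statement to a register theme, or 'unclassified'."""
    text = risk_text.lower()
    for theme, words in THEME_KEYWORDS.items():
        if any(word in text for word in words):
            return theme
    return "unclassified"


def group_by_theme(findings):
    """Group findings by the register theme their risk statement maps to."""
    groups = defaultdict(list)
    for finding in findings:
        groups[classify(finding["risk"])].append(finding)
    return dict(groups)


def consolidation_report(findings, register, min_reports=2):
    """For each theme, decide what the internal review should do with it.

    'covered'     : the register already holds a plan; reuse it.
    'consolidate' : no plan exists and at least min_reports distinct
                    assessments raised the theme; build one program, not
                    one project per report.
    'standalone'  : no plan exists and only one assessment raised it.
    """
    report = {}
    for theme, items in group_by_theme(findings).items():
        assessments = sorted({f["assessment"] for f in items})
        existing_plan = register.get(theme)
        if existing_plan:
            action = "covered"
        elif len(assessments) >= min_reports:
            action = "consolidate"
        else:
            action = "standalone"
        report[theme] = {
            "assessments": assessments,
            "findings": len(items),
            "existing_plan": existing_plan,
            "action": action,
        }
    return report


if __name__ == "__main__":
    for theme, entry in consolidation_report(FINDINGS, RISK_REGISTER).items():
        print(f"{theme:20} {entry['action']:12} "
              f"{entry['findings']} finding(s) across {len(entry['assessments'])} assessment(s)")
        if entry["existing_plan"]:
            print(f"{'':20} existing plan: {entry['existing_plan']}")
```

On the constructed data, the three awareness-type findings from the HR package review, the data centre review and the privacy impact assessment come out as one "consolidate" candidate, which is exactly the combined training programme the column describes; the patch findings are already "covered" by the register, and the remote access findings stand alone. Keyword matching is deliberately crude: in practice the theme comes from the register's own taxonomy, and the value of the exercise is the quarterly habit of running the comparison at all.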

Don’t wait to do this during your holiday break – try it once a quarter!

Tim McCreight
About author:
Tim McCreight is the Director of Strategic Alliances for Hitachi Systems Security. Prior to joining Hitachi Systems Security, Tim acquired over 30 years in the security industry with leadership experience in both the physical and information security realms. He held executive positions at a number of organizations, notably as the Chief Information Security Officer (CISO) for the Government of Alberta and as Director, Enterprise Information Security for Suncor Energy Services Inc. Tim has presented as a keynote speaker at conferences across North America on such diverse topics as enterprise risk management, converged security, and implementing enterprise information security programs. Tim was awarded his Master of Science in Security and Risk Management (with Merit) from the University of Leicester and attained his CISSP, CPP, and CISA security designations. Tim was interviewed by Canadian Security Magazine in 2011 for his work as CISO with the Government of Alberta, and is a regular columnist for the magazine. Tim is also the international Chair for the Information Technology Security Council with ASIS International.
