Many organisations spend large amounts of money hiring outside consultants to analyse risks to ICT systems. Surprisingly in almost all cases, consultants working in IT Security do not have access to all relevant data, including history of previous incidents, which is particularly important when conducting risk assessments. The lack of access to such data makes it extremely difficult to make an accurate assessment of risk, as this data directly informs the likelihood of a security event occurring.
The assessment of risk is based on the formula: Likelihood + Consequence = Risk. Without any insight into likelihood consultants, and the final assessment, are missing an essential piece of the equation.
There are numerous reasons why this data may not be provided or available including:
Fear of disclosure – Many companies and government departments tightly guard information about security incidents that have occurred in their ICT environment. There are likely a number of factors at play here such as damage to reputation and financial impacts if such information is made public.
Lack of capability – Many organisations may lack the capability to detect, prevent and track incidents within their environment. These deficiencies can span any number of areas including technology, financial, people and governance arrangements.
The issue of disclosure is a complex one which is currently being discussed as part of planned mandatory disclosure laws.Though some organisations choose to disclose breaches, many do not.
Lack of capability is a challenging issue. Any assessment or technical implementation undertaken in this area must be done by an expert that has a deep understanding of incident detection, prevention and reporting processes and tools. An expert will be able to ensure that the proper framework is developed and communicated within your organisation, allowing incident reporting work to be done accurately and efficiently.
Additionally, a consultant with relevant expertise in the implementation and configuration of monitoring and detection controls is critical. Controls must be properly configured to ensure false positives are kept to a minimum and that the incident detection, response, and reporting processes do not have a significant impact on the ability of your organisation to carry out its daily business.
Once your organisation has both the governance framework and technical capabilities in place, your incident reporting will start to more accurately inform the likelihood of security events occurring within your ICT environment, maximising the value for money of risk assessments and incident prevention.
The Cordelta security team can assist you with finding your weakest points and ultimately reducing your risk exposure. Contact us for further details.