Make your assessments meaningful by pre-planning remediations
At first glance, this may seem backward. Remediations come after the assessment, where you discover what needs to be remediated, right? Yes, but if you’ve been involved with risk management for a few cycles of assessment and “reassessment” activities, you’re likely familiar with a common theme: most post-assessment remediations never seem to get completed.
The backlog of issues discovered during assessments grows larger every year. By pre-planning some remediations, you’ll have a better idea of how to allocate resources throughout the year, so you can get more out of the whole risk management process. As we’ve discussed before, many companies allocate the majority of their resources to the assessment itself, with little to no focus on pre-assessment planning. The same is true for post-assessment remediation: it gets whatever time and budget are left over, which is usually not enough.
Not investing the time to pre-plan post-assessment remediation work has big consequences
First, company leaders’ perception of the value of assessments drops. If they see very few improvements (from remediation efforts) over time, what’s the point in conducting assessments aside from satisfying regulatory compliance? This perception leads to budget cuts and program downgrades. Second, the overall maturity of the cyber program stagnates and cybersecurity posture drops. If you’re not making consistent improvements while threats and the business keep changing, risk to the company is increasing. This is not a good place to be. Your job is on the line if something bad happens.
Let’s go deeper into the practices of pre-planning remediations and allocating resources across the whole risk management lifecycle appropriately. These tactics will help you gain more value from assessments, and make consistent progress with improvements afterward.
Treat the end of an assessment as a starting line, not a finish line
When an assessment is placed on the calendar, folks immediately start looking to the end of the process as if it’s the finish line of a race. Their outlook is that completing the assessment is the goal in and of itself. This way of thinking is a mistake. Until we see progress on the items uncovered during the assessment, the assessment has very little value for anyone. Remediations are what give your assessment (and your whole risk management program) the most value. If we take the analogy of running a race, the assessment is all the prep work you do before the race.
After the assessment, you’re fully aware of your capabilities and what needs to be done so you can adjust your goals accordingly. Remediations are the race itself. Completing each remediation brings value all the way through the finish line. The goals you set for your risk management strategy define where the finish line is placed. After you cross the line, your validations and audits are the finisher’s medals. Celebrate the wins, note the areas where more improvement is needed, and go schedule the next race. This process is how your risk management strategy should be viewed by everyone – as a full lifecycle where each period of activities supports the next.
The power of planning
Learn to establish a “cyber risk management is a marathon” mentality across your teams. You should be in the habit of planning for the next phase of the risk lifecycle at least a quarter in advance. This gives your team visibility of what’s coming so they can have the appropriate mental outlook. Pro Tip: Before you begin your assessments, place remediation-focused activities on the calendar. Often, we already know what some of the big outcome items will be before starting the assessment, because they are the items still sitting in the backlog from the last cycle. Placing these items on your calendar ensures the various departments already know they’re part of a lifecycle effort.