What Is My Organization’s Risk Score? Asking This Question May Mean You’re Not Ready for An Honest Answer
I’ve worked with many executive decision makers throughout my career.
Because of my background, I’ve also been in many situations where I need to break down deeply complex technical concepts into brief and relatable terms for them.
If you have not tried this before, trust me when I say that it is not an easy task. Top-level executives rarely have time to spare, so brevity is key, but for some questions it is virtually impossible to give an answer that is both brief and accurate.
One such question which has come up often in the past is, “What is my organization’s risk score?”
I’ve heard many variations of this question, including how secure they are in relation to their competitors, how they would rank out of 10 in terms of their defense, and a repeated desire for assurances that security services mean they’ll never be hacked.
If you’re an infosec (or other) professional familiar with the nuances, vagaries, and complexities of cybersecurity infrastructure, intra-organizational relationships, and constantly emerging technologies, you may have laughed (or cringed) at the prospect of dealing with these common concerns.
If you’re not, here’s why they may evoke this reaction: asking for a letter grade to represent the entirety of an organization’s cybersecurity status is like, to quote Matthew Inman, “trying to find your lost car keys, using Microsoft Bing.”
This is because many people and organizations have tried to develop consistent, empirical methods for reliably measuring organizational security in a way that can be translated into a simple score, and, to my knowledge, none of those methods has achieved universal acceptance and adoption.
That doesn’t mean this is a useless pursuit. Providing a quick metric to give context to cybersecurity conversations without going down technical rabbit holes can be tremendously beneficial to stakeholders looking for a high-level overview of their security posture.
So why can’t everyone agree on a universal scoring system?
Part of the challenge is that there are different approaches to defining what to measure in the first place.
Recent cybersecurity and compliance industry trends in technology, terminology, approach (e.g. maturity-based versus risk-based), and methodology (e.g. long-standing versus emerging cybersecurity frameworks and forms of regulatory compliance) highlight the complexity that makes scoring an organization’s risk in a meaningful way a true challenge. A maturity-based approach, for example, scores how completely an organization has implemented a defined set of controls and processes, while a risk-based approach scores the likelihood and impact of specific threats to specific assets; the same organization can score well under one and poorly under the other, so the two numbers are not interchangeable.
I considered adding links and descriptions to various well-established and noteworthy organizations and examples of their approach to maturity and risk scoring here, but ultimately decided this article could be wrapped up in a much more succinct manner with the following paragraph.
Scoring organizational risk in a meaningful way is usually hard, but with a good risk assessment it doesn’t have to be.
While we can’t have a universal scoring system, a risk assessment is about the closest we can get.
Even then, not all assessments are of the same quality, and many cybersecurity providers offer a free audit that simply does not have the scope needed to address every data security concern a business owner has.
The goal is to combine several project types into one comprehensive, holistic audit and to ensure that the deliverables are both relatable and actionable.
This helps organizations understand what they should do to address cybersecurity and compliance risks.
A common end result of this sort of engagement is a cybersecurity and compliance program that can be maintained and enforced over the long term.
This helps organizations reach baseline maturity and shift towards proactively tracking and managing risk.
Learn more about DOT Security here.