Performing a Risk Analysis and Taking Due Care Are No Longer Optional
Now hear this: You will always have exposure.
No company has the ability to mitigate all risks at all times. No company I’ve ever visited has even had all of its identified risks treated at any given point.
Yet so many companies lead their security strategy with controls. They’ll make sizable investments in security appliances without fully understanding why the appliance is required. They’ll implement their controls without documentation of what the actual risks are and how they’re being treated.
You may have learned about due diligence and due care, but this situation amounts to omitting both. To bridge that gap, you need a risk treatment plan.
The objective of a risk treatment plan is to document your exposure and show that the organization is applying appropriate resources to mitigate it in a reasonable timeframe.
Not only does this tie your mitigation efforts to the actual business risks being addressed, but the RTP is really a form of risk treatment in itself. Even if you can’t mitigate every risk, you’re documenting that you have a plan to deal with those risks — and having your efforts documented provides some recourse to prove due care.
This is important when it comes to any form of litigation. Today we live in a world where if (or when) you have a breach, you are going to have litigation. When you’re working with your legal team, third parties, and insurance companies, the more detailed your treatment plan, the better position you are in.
If you can show you did the appropriate risk analysis, leveraged reasonable means to put a plan in place, and acted on that plan, you can minimize the impact of any breach and resulting litigation on the organization. Not only can you prove you did your due diligence in the risk assessment, but more importantly, you can prove you did your due care in building out a plan and, ultimately, following it.
So what constitutes reasonable efforts? That judgement is generally based off the company’s capacity to deal with a given risk. It should never be a requirement of the business to spend so much on mitigating a risk that it puts them out of business. So for smaller or mid-sized companies, it’s reasonable to say that for some noncritical risks you’re taking three years to do treatment when that’s the timeframe your available resources will allow.
For example, your plan should lay out the mitigation to be implemented and state that, based on current budget, it would take 18 months to make the full investment. Realistically, there will be risk exposure for those 18 months, but now you can be fully transparent with customers. In many instances, the customer will agree the plan is reasonable and write it into the contract that that you must execute against the plan.
On the other hand, the absence of a plan is negligence, period. If a customer trusts us with critical data and we are not doing our due diligence to understand the risk and document how it will be treated, that’s negligence in a court of law. That negligence is compounded if due diligence is done without due care, because you know you have a high-impact asset and you’re aware of its associated risk, but haven’t documented the steps you’re taking to deal with it.
All of this is going to become even more important in the age of GDPR. There are so many measures the security industry considers optional today. GDPR is going to change that, putting some teeth into regulating security practices in the EU.
And since business is so global, eventually there will be other regulations and regulatory bodies in the U.S. Consider how the financial industry has built out authorities and regulations such as the SEC and Sarbanes-Oxley.
Just as you would never run a business without appropriate financial controls, performing a risk analysis and taking due care are no longer optional. They are mandatory. Building your plan out today will put you in a position to ensure you’re not negligent before you have to prove it.