Risk | Vulnerability
Should SMEs Always Conduct Assessments?
Most organizations do the same thing when it’s time for a risk assessment.
They find a subject matter expert (SME) and send them to the site to document risks and vulnerabilities. Then they sit back and wait for the security consultant’s narrative report.
Could this process be refined to save the SME’s time? Is there something else your SME should be focusing on?
Your SME is an expert. Don’t waste their time.
When you go to the doctor, the first person you see is the receptionist, who checks you in. Then you see a nurse, who takes your vitals and asks questions about your symptoms. Finally you see the doctor, the SME, who examines you, asks specific questions about the information gathered by the nurse and makes recommendations.
If the doctor did the intake paperwork, took your vitals, or even cleaned the room, that would be a waste of their time.
It’s the same for your security consultant. You’re paying top dollar for the consultant’s knowledge. Why are you wasting them on checking doors and fire extinguisher expiration dates instead of using their expertise to shape recommendations and strategy?
Consider this: wouldn’t you prefer to have all of your sites assessed annually? Why not utilize security officers, maintenance, or a point of contact to conduct a baseline assessment? Then, based on those findings, prioritize your comprehensive assessment schedule based on the sites from highest to lowest risk.
What’s a baseline self-assessment?
A baseline self-assessment is a preliminary baseline assessment, performed by someone who is already onsite, like a site manager. This individual assesses their own site, regardless of their security expertise, and sends the assessment back to the corporate security department. The assessment itself doesn’t have to be in-depth; it should be limited to a minimal number of questions that will be easy for a novice security practitioner to understand.
Once the assessments are received by a corporation, the company has a window into the risk of every site, and can prioritize vulnerabilities, sending experts to sites that need the most help first. Your expert can then go to the site to conduct a more in-depth investigation of the vulnerabilities and create a plan for remediation.
The benefit of self-assessments
I once worked with a company that had offices worldwide. The Europe site was very security-conscious and was consistently in touch with the security division. The South America office had several security issues, but rarely got in touch. As a result, the squeaky wheel got the grease; the Europe office got the attention and resources that the South America office needed. If the company had been using preliminary validation assessments, they would have been able to see which site was the security priority, and send their resources there first.
What could have happened was that the South American locations would have gone from a mid-level risk score to a high score. What actually happened was that the Europe location was only slightly improving its already high score.
You wouldn’t waste a doctor’s time. You shouldn’t waste a consultant’s time
Sending a top security consultant to your sites to conduct a baseline gap analysis or perform an inventory is a colossal waste of time and resources. Like a doctor, your SME should conduct a comprehensive analysis after every assessment is completed. This is where their time is best spent digging deeper into a site’s vulnerabilities and creating a strategic plan for remediation.
That’s how they can best serve your organization’s security.
To learn more about how Circadian Risk can help you create self-assessments, contact us now for a demo.