
Should SMEs Always Conduct Assessments?

By Daniel Young | April 24, 2023 | 2 min read

It’s time for a risk assessment at one of your organization’s sites. If you’re like a lot of organizations, you find a subject matter expert (SME) and send them to the site to document risks and vulnerabilities. Then you sit back and wait for their narrative report.

But isn’t this the wrong way to go about a risk assessment?

Your SME is an expert. Don’t waste their time.

When you go to the doctor, the first person you see is the receptionist, who checks you in. Then you see a nurse, who takes your vitals and asks questions about your symptoms. Finally you see the doctor, the SME, who examines you, asks specific questions about the information gathered by the nurse and makes recommendations.

If the doctor did the intake paperwork, took your vitals, or even cleaned the room, that would be a waste of their time.

It’s the same for your security SMEs. Sending them to a site to handle a baseline gap analysis or take an inventory wastes their time and expertise. Like a doctor, your SME should conduct the comprehensive assessment only after the preliminary work has been done by someone else. Their time is best spent digging deeper into a site’s vulnerabilities and creating a strategic plan for remediation.

Consider this: wouldn’t you prefer to have all of your sites assessed annually? Why not have security officers, maintenance staff, or a site point of contact conduct a baseline assessment? Then, using those findings, schedule your comprehensive assessments from the highest-risk site to the lowest.

The benefit of self-assessments

Many organizations decide arbitrarily which sites will be assessed. Either a site is visited because it hasn’t been assessed in a while, or because the site itself requests an assessment.

For example, I once worked with a company that had offices worldwide. The Europe site was very security-conscious and was consistently in touch with the security division. The South America office had several security issues, but rarely got in touch. As a result, the squeaky wheel got the grease: the Europe office received the attention and resources that the South America office actually needed. If the company had been using baseline self-assessments, it would have seen which site was the real security priority and sent its resources there first.

With self-assessment scores in hand, the company would have watched the South American locations move from a mid-level risk score to a high one. What actually happened was that the Europe location kept slightly improving an already strong security posture while the South American risk went unnoticed.

What’s a baseline self-assessment?

A baseline self-assessment is a preliminary assessment performed by someone who is already onsite, such as a site manager. This individual assesses their own site, regardless of their security expertise, and sends the results back to the corporate security department. The assessment itself doesn’t have to be in-depth; it should be limited to a small number of questions that a novice can understand and answer without help.

Once the corporate security department has received the assessments, it has a window into the risk at every site and can prioritize, sending experts to the sites that need the most help first. Your expert can then go to the site to conduct a more in-depth investigation of the vulnerabilities and create a plan for remediation.
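To make the prioritization step concrete, here is an added example of how a security department might score returned self-assessments and rank sites for SME visits. This is illustration code written for this page, not Circadian Risk’s product or the author’s own method. The five questions, their weights, the one-year staleness window and the sample site answers are all constructed assumptions. The one design decision worth copying is how it treats silence: a site that never returns the questionnaire, or whose last return is older than a year, goes to the top of the list rather than quietly dropping off it, which is exactly the failure mode of the “squeaky wheel” story above.

```python
"""Score baseline self-assessments and rank sites for comprehensive SME visits.

Added illustration for this article; questions, weights and sample data are
constructed assumptions, not a published questionnaire.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed questionnaire: question id -> (text, weight). A "gap" answer adds
# the question's weight to the site's risk. Weights are assumptions.
QUESTIONS = {
    "q1": ("Are all exterior doors locked and alarmed after hours?", 3),
    "q2": ("Is a current visitor log kept at the front desk?", 1),
    "q3": ("Are security cameras recording and reviewed weekly?", 2),
    "q4": ("Is the incident-reporting contact posted on site?", 1),
    "q5": ("Has the site had a physical security incident in the last 12 months?", 3),
}
# Questions where a "yes" answer indicates risk rather than a control in place.
RISK_ON_YES = {"q5"}
# A self-assessment older than this is treated as if it had never been received.
STALE_AFTER = timedelta(days=365)
# Reference date for the sample run (the article's publication date).
AS_OF = date(2023, 4, 24)


@dataclass
class Submission:
    site: str
    submitted: date
    answers: dict  # question id -> True / False / None (None = "don't know")


def risk_score(sub):
    """Weighted risk on a 0-100 scale.

    A question counts as a gap when the answer indicates a missing control, and
    also when it is unanswered: an untested control is not evidence of a control.
    """
    total_weight = sum(weight for _, weight in QUESTIONS.values())
    risk = 0
    for qid, (_, weight) in QUESTIONS.items():
        answer = sub.answers.get(qid)
        if answer is None:
            gap = True
        elif qid in RISK_ON_YES:
            gap = answer
        else:
            gap = not answer
        if gap:
            risk += weight
    return round(100 * risk / total_weight)


def prioritize(sites, submissions, today):
    """Return [(site, priority_score, reason)] sorted highest priority first.

    Sites with no submission, or a stale one, are given the maximum score so
    they are scheduled first: a site that does not answer is unknown, not safe.
    """
    by_site = {s.site: s for s in submissions}
    ranked = []
    for site in sites:
        sub = by_site.get(site)
        if sub is None:
            ranked.append((site, 100, "no self-assessment received"))
        elif today - sub.submitted > STALE_AFTER:
            ranked.append((site, 100, f"self-assessment stale (last: {sub.submitted})"))
        else:
            ranked.append((site, risk_score(sub), "scored from self-assessment"))
    # Highest score first; ties broken alphabetically so the schedule is stable.
    return sorted(ranked, key=lambda row: (-row[1], row[0]))


# Constructed sample data mirroring the article's anecdote. Asia never replied.
SAMPLE_SITES = ["Europe", "South America", "Asia"]
SAMPLE_SUBMISSIONS = [
    Submission("Europe", date(2023, 3, 1),
               {"q1": True, "q2": True, "q3": True, "q4": True, "q5": False}),
    Submission("South America", date(2023, 2, 10),
               {"q1": False, "q2": None, "q3": False, "q4": True, "q5": True}),
]


def sample_schedule():
    """The visit order the department would act on for the sample data."""
    return prioritize(SAMPLE_SITES, SAMPLE_SUBMISSIONS, AS_OF)


if __name__ == "__main__":
    for site, score, reason in sample_schedule():
        print(f"{score:3d}  {site:<14} {reason}")
```

Run stand-alone, it prints Asia first (no response), then South America (a 90 risk score: three missing controls, one unknown, and a recent incident), then Europe (0). Re-running with a date more than a year after Europe’s last submission pushes Europe back to the top until a fresh questionnaire comes in.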

To learn more about how Circadian Risk can help you create self-assessments, contact us now for a demo.
