Top Ways to Get More Out of Your Risk Assessment Interviews
The onsite interview is the most invasive part of the security inspection process for your clients. Not only does it take them away from their work for hours at a time, but they have to answer questions that probe into areas they’re not comfortable talking about.
Your clients don’t understand security and risk. As they answer your questions, they’re thinking about the consequences of their responses. “Should I be following this practice? Am I going to be embarrassed or get into trouble because I’m not doing that other practice?” They’re feeling invaded. As a result, you’re probably not getting complete information, or you could find yourself butting up against an unhelpful customer.
You can do your best to ask questions that don’t make people feel insecure or defensive, but there’s always going to be some sort of anxiety when they’re asked these kinds of questions. In some cases, it’s because they need to save their job. They don’t want to look so bad that they’re going to be embarrassed, or get fired because they aren’t doing their job right.
But there are some things you can do to get the most out of your risk assessment interviews. Here’s what we do at Circadian Risk.
Set the Stage
You’ll get better information from your clients if you can set them at ease about the interview. If they realize you’re just there to help them be more successful, they’ll be more forthcoming.
Set the stage before you begin. Explain ahead of time what the risk assessment process will be like, from beginning to end. Provide a detailed timeline so they always know what will come next. Also explain the purpose of the interview, and set expectations for how it will be used and how it will impact them. Ease their concerns about job security and reassure them that you don’t expect them to have all the answers.
Lead an Orientation
On the first day of a project, conduct an orientation with everyone you’ll need to interact with during the assessment. Give them an overview of what you will do on-site, and why. The orientation sets expectations for your activities and the deliverables, and it lets you ask about their expectations, and any concerns they have.
Save Time and Stress
Use technology to alleviate some of the stress and burden that comes with the risk assessment interview. Instead of conducting the whole interview onsite, send out an online questionnaire in advance, before you even set foot in a facility. Give them a username and password so they can log in and answer questions at their convenience.
Rather than having to endure a long, stressful question-and-answer session, they can reply to questions at their own pace, when it’s convenient for them.
Engage Everyone
Often it makes sense to conduct onsite interviews, in addition to a digital survey. Whether you conduct a traditional interview or send a questionnaire, be sure to involve all key personnel.
Arrange ahead of time to engage with everyone you need. Rarely does a single person have all the answers. That means you’re either bouncing around from department to department to find the right people, or you’re conducting a single interview with everyone you need to talk to. Better to save the legwork.
Do Questionnaires Negate Your Expertise?
Most consultants understand the benefits of a survey’s objectivity, but some people raise objections about the questionnaire process. They say that you can’t summarize a security consultant’s entire professional expertise into a single questionnaire. These consultants are concerned about being so objective that you just rely on a questionnaire and consider it all you need.
It’s a valid concern, but they misunderstand the purpose of a questionnaire. Our industry needs to become more objective in order to collect data. If we continue to rely only on subjective processes and methods, we’ll never truly understand risk. At that point, subjectivity becomes an excuse, not an advantage.
True, not all facilities are the same—but not all of them are much different. A door is a door, and a lock is a lock. It really doesn’t matter what type of window your client has if they’re leaving it unlocked at night.
No questionnaire can summarize all the aspects of your expertise, nor should it. Instead, the questionnaire frees you up to focus on what you’re really good at.
You should take advantage of every opportunity to spend less time doing the risk assessment, and more time recommending corrective actions. But when you rely on paper-based methods, you’re forced to spend all your time writing down what the issues are, instead of helping your clients to solve those issues.
That’s the reason they hire you—not to tell them what their problems are, but to give them solutions to their problems. And that’s where your expertise is most valuable.
Get Better Information from Your Interviews
Ready to get more out of your risk assessment interviews? Put your clients at ease and make the process easy for them, and you’ll get a fuller picture of your client’s situation—and get it more efficiently.