Common mistakes in cyber risk assessment: the 7th Annual Virtual Cybersecurity Conference for Executives.
By Tim Nodar, the CyberWire staff
Mar 11, 2021

Robert Olsen, a Senior Managing Director and Global Head of Cybersecurity and Privacy at Ankura, also spoke at the 7th Annual Virtual Cybersecurity Conference for Executives. Olsen summarized common mistakes organizations make when conducting risk assessments and how they can avoid such pitfalls.

Cyber risk assessments should be repeatable.

“How do we do it in a repeatable way that helps us walk through a thoughtful, systematic process that identifies really the whole universe of risks, but really with a focus on which ones are the most critical, the most impactful to the organization?” he said. “And then once we have that set of critical risks – which could be a handful or it could be a dozen, if not more – what are we going to do about it? How are we going to allocate our resources and really focus on those highest priority and highest value initiatives?”

How often should an organization conduct a cyber risk assessment?

Olsen explained that annual risk assessments are one of the best ways to improve an organization’s security posture over time.

“Really the goal of this is to ensure that you’re always aligning your security program with the latest threats and risks that are out there,” Olsen said. He added, “We have clients that we’ve worked with for five, six, seven, eight years, and you can really look back and use those annual risk assessments to objectively point to the maturity or the maturation of their programs.”

He added that these risk assessments can also be used to help verify that an organization is sufficiently covered by cyber insurance.

“I can’t tell you how many times I’ve talked to organizations and they don’t have a real good comfort level of whether their insurance coverage that they have from a cyber liability perspective is actually what they really need, you know, does it align with the most likely threats and risks that they face,” Olsen said. “And inevitably, if they haven’t tied these two together, if they haven’t tied this cyber risk assessment together with walking through their coverage and really building that, then odds are there’s probably a disconnect.”

And don’t let cyber risk assessments become exercises in confirmation bias.

Olsen also stressed that risk assessments should be objective, so organizations shouldn’t focus on gaming the system to give themselves a good score. An honest assessment of flaws will benefit the organization in the long run. Additionally, he said organizations should try to use the same methodology and scoring system each year, so that each assessment can be compared with those of previous years.