Wait, Does Anybody Actually Read Your Risk Assessment Reports?

Assessing RISK is one thing. Writing readable reports is another. And if no one is going to read your work, why write about it? So how can you change this trend of ignoring urgent findings?

Last week I wrote a post on defining Risk Assessments, and the Long Tail (that should be dragging product, projects, and managed services). The problem is, only about 15% of the assessments are converting (according the the hundreds of sales people I interact with through coaching and training programs).

Why? Because no one actually reads them!

In a future post I plan to talk more about the report itself. But the one piece of the assessment report that, if left out, makes the assessment useless, is a measure of risk.

If your report doesn’t report risk (and instead focuses on technical misconfigurations and outdated patching) chances of getting read are slim.

The One Thing You Can’t Afford to Leave Out of Your Next Risk Assessment Report

Not only can you not leave this one thing out, it actually defines your assessment approach. If you’re looking for a way to report relevant security risks and recommendations to senior managers, keep reading…

Impact vs. Likelihood is a measure of risk. 90% of the reports I read leave out this quantitative measurement. Instead, executive summaries show Green-Yellow-Red bubbles, with esoteric techno babble beside each. The term EXECUTIVE SUMMARY is just, A-SUMMARY. There’s nothing EXECUTIVE about it.

Test your report…give it to an executive (one you know well) and ask them if it’s readable? impact-v-likeihood

While the colors are meant to alert the reader (RED=URGENT), the reader has nothing to compare this URGENT indicator to.

There’s no measure of LIKELIHOOD.

How To Measure Anything

The problem is, the analytical-technical mind refuses to put a number on LIKELIHOOD.

The argument is, Odds of and attack can’t be accurately quantified…The next time you hear this from your technical team members, point them to the book, How to Measure Anything. Risk can be quantified (with a number or percent-likelihood).

We read risk statistics everyday in the papers, and even pay doctors for their best guess – the Prognosis. Consider some of the current measurements reported by our (trusted) media:

I’m expected to live to age 91 – say the actuarial data.
15% chance of getting pregnant three days prior to ovulation.
7.62% chance of a male smoker developing lung cancer.
Fast-food doubles your risk of pre-Type-2 Diabetes.

Security risks are no different. They’re estimates that can be derived from data we have right now ( Reference report from the FBI, NSA, Verizon, Etc).

The problem is, no one is taking time to work the math, and no one wants to be called out to defend their number.

Understanding the Power of an Impact vs. Likelihood Graph

If you agree with my Long-Tail definition of The Risk Assessment, you really want the person holding the checkbook to read your report. Absent that, your work is a waste of time.

If the newspaper says I’m more likely to develop Type-2 Diabetes or obesity because I eat at McDonalds, I’ll probably listen, but take no action. If I do take action, it’s because I already feel crummy and came across this data while searching for answers…I was ready to buy before the sales pitch was ever delivered.

On the other hand, if the doctor comes back with my blood work, tells me I have insulin resistance (which is the precursor to Type 2 Diabetes), and then goes on to explain what my life is going to be like if I don’t stop (they deliver a prognosis with a percent-likelihood)…suddenly I’m eating salads for lunch.

Note: Within a few weeks I’ll be back to McDonalds unless the doctor provides some sort of accountability.

The Underestimated Aftermath of Red and Green Circles

When the guy with the check book sees RED circles, don’t expect them to write a check. Instead, watch the buyer pass your report down to IT.

IT will flip through it, perhaps make a few configuration changes, and shelve it. When the executive asks, “Are we okay?” IT will answer, “We’ve got it covered.”

Tomorrow you’ll read about your client in the paper. The CIO will be front page news (Sudden job loss). The IT guy will be on the street as well, but hired within a week, enjoying his 20% raise.

You will no longer be their named account manager.