Written by Dave Stelzl CISSP

Great Risk Assessment Interviews: Based On Live Events

datareviewAssessment Interviews Based on Actual Events

(The Names Have Been Changes to Protect The Innocent)

A couple of weeks I wrote an article on the ASSESSMENT FRAMEWORK – how to construct great questions for assessment interviews. But my readers have asked for more…

(Download my Free Assessment Report Template – We’re converting over 73% into MSP/MSSP contracts)

Everyone Wants a List of Specific Questions, However…

You Really Don’t Want A List!!!

Even if you think you want a checklist of questions (for your prospect) on the front end of an assessment, you don’t. Why?…

  • You’ll sound scripted and canned – these meetings turn to BORING fast…
  • Your list can be handed in – the custodians can take if up the ladder for you… Then what?
  • You need face time with asset owners. Half to reason for doing the interview is to build a hunger for the findings, and establish yourself as the expert…
  • You’ll miss the most important things – the stuff that comes up in conversation.
  • The list will keep you from demonstrating creativity, enthusiasm, passion, etc.

And if none of that makes sense, just find a way to watch a high-end consultant in action…you can’t replicate consulting expertise with a list!

So, while I am not going to give you a list, I can give you some scenarios…

If you’ve not read my previous article on the Most Powerful Tools You Have To Assess (Your Questions/Interviews) this probably won’t make much sense, so go back and read it first…

Meeting with C-Level Asset Owners

The executive (Asset Owner)  interview should be first (however, that’s not always possible).  Let’s call him Al.

I scheduled my meeting with Al through an email introduction with my primary contact (the IT Director). I have to assume my contact is joining us. But my agenda is to talk only to Al.

I’ll keep this so meeting so high-level, my technical contact will go to sleep halfway through the meeting. We’ve planned 20 minutes – 30 at the most. This guy does not have 60 minutes to spend with me on this. So I’d better be well prepared!

First 5 minutes – a quick overview of what we’re measuring.

We’re here to look at risk – kind of like a DR Business Impact Analysis, but more focused on data confidentiality, integrity, and availability.  Our end result will come in the form of an impact vs. likelihood graph…A quick sketch helps at this point. (Learn more about building Impact vs. Likelihood Graphs in Chapter 13 of The House & the Cloud).

“Would like you like to know what the odds are that your most important applications / data will be compromised, misused, or become unavailable at some point in the next 12 months?” – This is a great opening question…

Expect Al to be drooling a little – no one has ever asked this question from the provider side. Point it out on the graph – so he can see what you mean…this is not the Red, Yellow, Green light assessment…this is RISK ANALYSIS DONE RIGHT.

GATHERING DATA

Data Value – Things You Must Protect (Ideas for questions)

  • What applications are most important to this company…(I should know some of them by now, and listing will help get us going. But I want Al’s opinion here).
  • What makes them so important – prioritize, and find out what value means.
  • For each asset (Application or database), find out whether the privacy/confidentiality, integrity, or availability is most important. Chances are it’s a combination, or all three, but try to discern the hot buttons. (This is gold! It’s what Al really cares about, and your recommendations should focus right on what Al gave you in these first few minutes).
  • What happens when each of these are hit by some unexpected disaster, like RANSOMWARE, or just downtime?
  • What about downtime? How much can each of these systems stand? What happens when this system is down? What about that system? Do you have to send people home, does your stock price go down, do you lose money? How much? What does downtime cost?
  • How much data can you afford to lose? What’s that going to cost you…etc.

Threats That Really Exist

  • Who would want this data – explore this…are you more concerned with internal misuse or outsider threats? Are there people who would want this data? Why? Or are you more likely to get hit with Ransomware for money?
  • What about internal issues – how would employees benefit from this data? Is there some way for them to leak information for profit, like insider trading? Can the data be sold easily? Or are there layoffs coming, encouraging people to gather data for their next opportunity? Or disgruntled employees who would take the company down?
  • Have you had issues in the past? What about other kinds of system disasters or failures?
  • Al, we need some information about your company –  to better understand your risk equation.  Are there mergers or acquisitions in the works? Layoffs? What about pending lawsuits? What do you think your competition would do to get their hands on your R&D? Is your company about to announce new projects or inventions that others would want intel on -and, would break the law to get?

NOTE: in a recent CIO meeting with a major manufacturer, I asked the CIO if he thought his IT people would be able to answer any of these questions? He laughed shaking his head, with an emphatic “No”. I could tell he wished they even cared to know, but he and I both knew the truth…they don’t know, they don’t care, and they never will…

Think of each question as a launch point for dialogue.

This is not a teaching time, it’s a listening time. Be sure to reflect back to Al along the way – make sure you understand what he has said, and that he knows you’re tracking with him.

Stick to your 30 minutes, unless he insists on pushing you over…Respect his time, knowing this guy has a million things to do, and 150 sales people calling every day.

Bottom line – leave while he still likes you.

The Likelihood You’ll Be Able to Detect and Respond Before It’s Too late

Don’t let them give you a round-about non-answer here. But the truth is, Al won’t know. The temptation will be to push this off on IT. They should know.

But the truth is, the CISO and CIO both need to know…so I’m not asking IT, I’m asking Al…”Do you know?” “Should you know?” Expect, “No,..” and “Yes, I do want to know.”.

Moving To Power Users and Other Asset Owners

Plan on 30 minutes per person – have someone come with you to take some notes, or record this on your iPhone if possible…

In the early days I would have had an assistance writing shorthand – remember shorthand? Today, I use Dropvox…an app on my phone that downloads an MP3 to Dropbox.

Meeting with Power Users (The end-users who drive business with technology) makes even less sense to the end-user you’re meeting with, and maybe even to you the sales person.

The thing is, end-users are the weak link. But understanding them and how they work will go a long way in understanding their weak areas.

Start the same way you did with the execs…figure you will need to talk with several managers and knowledge workers (those who really use the systems and data to make this business hum).

  • What applications and data are most important to your business?
  • Who would want this data – outside the company?
  • What happens when you’re systems are down, or you lose a day’s worth of data?

Find out if they’ve had down time, data loss, etc. Who get’s upset, what do these people do to keep going or to recover?  You’re looking for the company view – like a gear falling out of your watch – how does it impact the entire business landscape?

Workflow / Data Lifecycle

Now for some line of business specifics…Bob the knowledge worker…

  • Bob, tell me about your job. Do you work at home, on the road, or always in this office?
  • Are you always using this laptop? Or do you use other computers from home or perhaps a tablet of smartphone?
  • Do your family members use these same devices?  (How, when, etc.)?
  • Who else enters data, deletes data, or just accesses data on this application? Anyone outside the company?  (I’m looking at the data – asset focused!  I want to know, who accesses this, from where, and for what?)
  • Who do you interact with online? Other departments, clients, suppliers, … and how – instant message, email, webinar, etc. And how do you exchange data? (I want to know how data travels – and were it goes).
  • I also want to know who deletes data, when, and why – and what must be saved, archived, etc.
  • What happens if this data gets into the wrong hands – like competition, or someone with ill-intent, like an angry co-worker or X-employee?

Heading Home To Meet My Consultants – The INTERVIEW w/ TECH

Most assessments start with technical people diving into systems and networks…big mistake.

Not understanding data value and data flow, it’s like checking out an electrical system without knowing the load requirements, environmental conditions, or uptime requirements.

Instead, do this…

  • Consolidate your data – data assets prioritized, workflow, relevant threats, impact issues…
  • Meet with your technical masterminds – Here’s what the company does, here’s what matters, here’s how they work…what would need to be true for this to be secure???
  • We are looking at three things: Confidentiality, Integrity, Availability.  Your tech team needs to know which of these three matter most to the client….but they may also have their own opinions. For instance, the client may not have named RANSOMWARE as a major threat, but your tech team will surely bring it up!
  • Going through the systems piece by piece, your team’s job is to come up with the security controls that must be present to keep this company as secure as it needs to be – based on their data value, uptime requirements, data loss requirements, compliance, etc.

Once this is done, your team can head in, network diagrams in hand, to see how well this company measures up. Suddenly this assessment feels more like a Gap Analysis than Vulnerability Assessment. The good news: Gap Analysis is easy to report on … here’s what you said you need, here’s what you have, here’s the gap…

Time to put together findings, present to asset owners, and be prepared to draft your remediation recommendations…A deal much more likely to close.

© David Stelzl

PS. For more on how to conduct these interviews, see Pg. 194 – 200 in The House & Cloud

Advertisement

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s