Modernizing Risk Assessments for Today’s Distributed Enterprise

BrandPost By Tanium
Nov 30, 2021
IT Leadership | Risk Management

Measuring risk used to be a special event undertaken with consultants. With real-time data and automation, companies now measure risk more accurately, continuously, and effectively.


Last year’s sudden shift to a work-from-home (WFH) model changed a lot of things in enterprise IT. Companies accelerated their adoption of cloud services. Videoconferencing became an essential form of everyday communication. And IT teams were forced to change their ways of assessing risk — likely forever.

How risks and risk assessments changed in the pandemic

Traditionally, risk assessment teams produced detailed annual reports that tried to sum up all the risks the organization was facing in areas such as IT security, disaster recovery, and compliance.

Many companies hired consulting firms to help with this work. Because risk assessment was an expensive and time-consuming endeavor, it was treated as more of a “special occasion” than an ongoing practice.

Executives and boards of directors might have felt some satisfaction having a detailed risk assessment report to thumb through. But as an actual representation of risk, the report was more a stony monument than a heart monitor.

For many organizations, the tenuousness of these risk assessments increased during the pandemic. Emailed questionnaires replaced in-person inspections. Stakeholders dutifully completed forms, even if no one could say with certainty which devices employees were using remotely or what software was running on them.

Most organizations understood that their risks increased once employees started working from home. Employees were accessing data and applications over home Wi-Fi networks rather than the corporate network, where a firewall, a SIEM, and other security tools protected them from threats. And many employees were relying more on personally owned (BYOD) devices, which had never been screened and approved by the IT department, for official work. At the same time, security threats increased. Cybercriminals realized that employees were more vulnerable than ever before without the corporate network to protect them.

Without real-time access to all those remote endpoints, IT organizations did their best to characterize the risks that remote employees were facing. But inevitably, those annual risk assessments missed some details about threats facing the company.

Those omissions were understandable during a year in which IT teams never stopped rushing. Now, though, IT teams can catch their collective breath and take stock of what’s changed. Remote workforces are here to stay, and security threats continue to multiply and grow in sophistication.

Bringing risk assessment into the age of cloud computing and WFH

We all know that the pace of business is faster than ever. Data, devices, software, business relationships — all these things are continually in flux. Risk assessments need to reflect that flux. Therefore, the first thing to change about risk assessments is their timeliness.

Fortunately, IT departments have new tools that can help improve the accuracy of risk assessments. Real-time endpoint monitoring, for example, can report on the location, IT health, and activity of endpoints at any location, including in home offices. This monitoring works over standard internet connections without requiring VPNs.

With these modern tools, IT organizations can collect more comprehensive, up-to-date, and accurate endpoint data than they could when most endpoints were still on internal networks and being monitored only sporadically by traditional endpoint management tools.

Gauging the configuration status and security status of all the endpoints in the organization provides a wealth of insights for assessing risk in areas as varied as threat detection, compliance, and disaster recovery. It’s an essential requirement for mitigating security threats from unpatched vulnerabilities, phishing attacks, and more.

The second thing to do is measure risk over time. Executives want to know whether the risk mitigation measures that have been put in place are working. Risk teams should track the metrics that indicate whether or not the company is achieving its goals for managing risk.

The third thing is to have data-driven conversations with the executive team about risk. Here’s where more timely and comprehensive data pays off. With improved visibility into endpoints and other IT assets, you can have a more meaningful discussion about which investments are working and which aren’t, which new products and services to adopt, and which old products and services to retire.

The executive team is focused on the strategic goals of the organization overall. Ultimately, the data-driven conversations you have about risk should prioritize risks and risk mitigations in terms of those goals.

Four key elements of risk management

Keeping your organization’s strategic goals in mind, here are four steps to follow for managing risk in a modern enterprise:

  1. Data Collection: Collect all the data necessary to measure risks related to your organization’s strategic goals. That data will include endpoint data as well as environmental and user data.
  2. Analysis: Analyze the data you’ve collected using as much automation as possible. If you’ve created scorecards for assessing risks, you can automate tabulations and make analysis an ongoing process rather than a once-a-year snapshot.
  3. Reporting: This step involves synthesizing risk metrics and analysis for executive-level reports. These reports will guide your organization’s discussions about risks, priorities, investment decisions, and more.
  4. Remediation: There are two types of risk remediation. First, there are the actions taken daily by IT security and operations personnel to respond to threats. These actions are in accordance with organizational policies and industry best practices, but they don’t require executive approval instance by instance. Second, there are the actions taken by IT and business leaders. For example, if a risk analysis report suggests that the company accelerate its patching schedule, then the decision to invest in new patch management software is a strategic response to remediating threats.
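As an added illustration of steps 1 through 3 (not code from the original post or from Tanium), the following Python tabulates a risk scorecard from endpoint data of the kind the article names (management status, network location, monitoring agent status, unpatched critical vulnerabilities) and compares two snapshots so the metrics can be tracked over time. The weights, host names and telemetry values are constructed assumptions, not values from the page.

```python
# Added example, not from the original post: tabulate an endpoint risk scorecard
# from constructed telemetry and compare two snapshots over time.
from dataclasses import dataclass
from typing import Callable, Dict, List

@dataclass
class Endpoint:
    host: str
    managed: bool            # screened and enrolled by IT (False = unscreened BYOD)
    on_corporate_net: bool   # behind the corporate firewall and SIEM
    agent_reporting: bool    # real-time endpoint monitoring has current data
    critical_unpatched: int  # open critical vulnerabilities with no patch applied

W_UNMANAGED, W_BLIND, W_NO_CONTROLS, W_PER_CRITICAL = 3, 2, 2, 4  # constructed weights

def score_endpoint(e: Endpoint) -> int:
    """Higher is riskier; each term is one of the gaps the article describes."""
    score = W_UNMANAGED * (not e.managed) + W_PER_CRITICAL * e.critical_unpatched
    if not e.agent_reporting:
        score += W_BLIND                # no current visibility into this host
        if not e.on_corporate_net:
            score += W_NO_CONTROLS      # home Wi-Fi, so no network controls either
    return score

def scorecard(endpoints: List[Endpoint]) -> Dict[str, float]:
    """Tabulate the metrics an executive report would track."""
    n = len(endpoints)
    def pct(pred: Callable[[Endpoint], bool]) -> float:
        return round(100.0 * sum(1 for e in endpoints if pred(e)) / n, 1)
    return {
        "mean_score": round(sum(score_endpoint(e) for e in endpoints) / n, 2),
        "pct_unmanaged": pct(lambda e: not e.managed),
        "pct_unmonitored": pct(lambda e: not e.agent_reporting),
        "pct_with_critical_unpatched": pct(lambda e: e.critical_unpatched > 0),
    }

def trend(previous: Dict[str, float], current: Dict[str, float]) -> Dict[str, float]:
    """Change per metric between snapshots; negative means risk went down."""
    return {k: round(current[k] - previous[k], 2) for k in current}

# Constructed snapshots of the same four hosts, one month apart.
JAN = [Endpoint("hq-01", True, True, True, 0), Endpoint("wfh-02", True, False, True, 2),
       Endpoint("byod-03", False, False, False, 1), Endpoint("wfh-04", True, False, False, 0)]
FEB = [Endpoint("hq-01", True, True, True, 0), Endpoint("wfh-02", True, False, True, 0),
       Endpoint("byod-03", False, False, True, 1), Endpoint("wfh-04", True, False, True, 0)]

if __name__ == "__main__":
    before, after = scorecard(JAN), scorecard(FEB)
    for metric, delta in trend(before, after).items():
        print(f"{metric:28} {before[metric]:>6} -> {after[metric]:>6} ({delta:+})")
```

Running the same tabulation against each new snapshot turns the once-a-year report into a continuous trend line; the per-endpoint scores also feed the daily remediation queue, while the aggregate percentages feed the executive conversation.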

A lot has changed in IT in the past couple of years. Many companies discovered they could be more agile and efficient than ever as they essentially reinvented their remote work policies and IT support overnight.

Now, companies have the chance to reinvent their risk assessment processes as well. By taking advantage of real-time data and automation, companies can reduce risks and improve the security of their remote workforces at the same time.