Security Risk Assessment for High-Growth Startups
Risk assessment is the cornerstone of securing your startup
If you don’t understand risk, you cannot properly secure your company. Period.
I’m not going to try to pitch you on fancy math, big graphs, frameworks and jargon. We’re going to start at the foundation of risk assessment and work our way up a little from there. If you opened this article expecting your eyes to glaze over in a single paragraph, don’t worry, I’m going to try my best to keep this practical and relatable.
What is risk assessment?
Your organization has a finite amount of time, attention and capital. Hopefully that’s not a controversial or surprising statement. If it is, maybe business isn’t for you.
Risk assessment is, among other things, a fantastic habit to build into your startup or mid-sized business's security strategy. It lets you understand those limited resources and point them at the Crown Jewels of your startup, protecting them from the threats that are most likely to occur and/or would have the highest impact on your business.
Risk assessment is the work of determining which adverse impacts could occur, what they would hit, how likely they are, how they would happen, and what you can do to keep them from happening. It can combine war gaming (formal or informal), asset management and profiling, threat intelligence gathering and analysis, historical analysis and much more. This article will not cover every aspect of risk assessment, in part because you're not going to read that and in part because I am not going to (and probably am not prepared to) write that.
When applied correctly, meaning when risk assessment properly feeds into security control implementation that is then executed properly, your organization will be better informed, better equipped and more secure.
How can I apply risk assessment methodologies to my startup?
There are many paths that lead into or are a part of a risk assessment methodology.
I’ve written about asset management and Crown Jewels Analysis previously. In my opinion, these are two fantastic places to start with risk assessment, and asset management as well as some level of CJA are probably going to be necessary parts of a risk assessment strategy at some stage. At the end of the day, if you don’t know what to protect, how can you protect it? How can you assess risk, when you don’t know what is at risk?
Once you have been through an asset management process and have identified what assets the organization owns, where they are located and who "owns" or has responsibility for them, it's time to do some profiling. Gather everything from a general employee's understanding of password security down to the software version on each individual laptop. Any piece of information that could lead you to a vulnerability, whether human or technical, is worth collecting.
With asset management and profiling in place (and hopefully running continuously rather than as a one-off), you can start assessing risk in two dimensions: what is the likelihood that this vulnerability will be exploited, and what impact would that have on my organization?
Many risk assessment strategies start with or are heavily supported by threat intelligence efforts. Without going into detail about an incredibly technical (and also phenomenally pedantic) space, threat intelligence is a process of gathering data, research and other information pertaining to what threat actors do to achieve what goals, using which tools, tactics, techniques and procedures. This threat intelligence process can be incredibly in depth and is often needlessly so: why would a private company need to know what unit of the Chinese People’s Liberation Army stole their data? I prefer to focus on the more tactical and practical points, usually from the perspective of a customer’s industry vertical.
“What threat actors are targeting companies in my vertical? What tools are they using? What impacts are they imposing on victims? What methods are they using to breach victim networks?”
This line of questioning is far more useful when applying threat intelligence to risk assessment. Once you know, in general terms, which types of actors use which tools, tactics, techniques and procedures to impose which impacts, you have a good grasp of impact, a fairly good grasp of likelihood, and a solid repository of information you can draw on when implementing security controls.
We have now identified two "starting points" or foundational pillars of a risk assessment approach: threat intelligence and asset management. There are many others, but these two are good examples. Another way to think about them: threat intelligence approaches risk assessment from the threat actor's perspective, and asset management approaches it from the organization's perspective.
These two perspectives should not be viewed in isolation. Gathering threat intelligence with zero asset management and profiling effort is fairly pointless: you know how attackers operate but not what, in your environment, they could operate against. Doing asset management is good, but having no idea which threat actors use which tools and tactics makes asset management a much more toothless strategy, because you cannot tell which of your weaknesses anyone is actually likely to exploit. These two strategies also have to be paired with a wealth of others, such as business intelligence (how will a merger or acquisition affect our risk posture?), strategic planning (how will a new CTO coming in affect our risk posture?), geopolitical intelligence (do we open ourselves up to new risk by opening an office in China?) and plenty more. Some of these aren't applicable to every company: if you're a solopreneur, you probably don't have to worry about a new CTO or a new office in China. If you're a multi-national, most of them apply.
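To make the two perspectives concrete, here is an added example (not code from the original article) that joins the asset management and profiling output described above with vertical-specific threat intelligence of the kind the questions above produce, and ranks the resulting risks by likelihood times impact. The assets, actors, weakness tags and the 1-5 scales are all constructed for illustration; a real register would use your own inventory and your own intelligence sources. It also flags assets that no known threat maps to, which is exactly the gap you cannot see when either perspective is missing.

```python
"""Cross an asset inventory (the organisation's view) with threat intelligence
(the attacker's view) to produce a ranked risk register.

Added example with constructed data; the weakness-tag taxonomy, the 1-5
frequency/severity scales and every asset and actor below are assumptions."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """One inventory row plus the profiling findings attached to it."""
    name: str
    owner: str
    crown_jewel: bool        # flagged during Crown Jewels Analysis
    internet_facing: bool
    weaknesses: frozenset    # profiling findings as tags (assumed taxonomy)


@dataclass(frozen=True)
class Threat:
    """One threat intelligence finding, reduced to what the register needs."""
    actor: str
    technique: str
    needs: frozenset         # weakness tags the technique relies on
    needs_exposure: bool     # True if the target must be reachable from the internet
    frequency: int           # 1-5: how often this is seen against the vertical
    severity: int            # 1-5: typical impact when it succeeds


@dataclass(frozen=True)
class RiskEntry:
    asset: str
    owner: str
    actor: str
    technique: str
    likelihood: int
    impact: int
    score: int


def applies(asset: Asset, threat: Threat) -> bool:
    """A threat is relevant only if the asset has every weakness the technique
    depends on and, where the technique needs a reachable target, is exposed."""
    if threat.needs_exposure and not asset.internet_facing:
        return False
    return threat.needs <= asset.weaknesses


def impact_of(asset: Asset, threat: Threat) -> int:
    """Business impact: a crown jewel sits at the top of the scale whatever the
    technique; for everything else use the technique's typical severity."""
    return 5 if asset.crown_jewel else threat.severity


def build_register(assets, threats):
    """Rank every (asset, threat) pair that actually applies, highest risk first."""
    entries = []
    for a in assets:
        for t in threats:
            if applies(a, t):
                likelihood, impact = t.frequency, impact_of(a, t)
                entries.append(RiskEntry(a.name, a.owner, t.actor, t.technique,
                                         likelihood, impact, likelihood * impact))
    return sorted(entries, key=lambda e: (-e.score, e.asset, e.technique))


def coverage_gaps(assets, register):
    """Assets no known threat maps to: either genuinely low risk, or a hole in
    the threat intelligence. Either way they deserve a second look."""
    covered = {e.asset for e in register}
    return sorted(a.name for a in assets if a.name not in covered)


# Constructed inventory after profiling (not real systems).
ASSETS = [
    Asset("vpn-gateway", "platform", False, True, frozenset({"outdated-software", "no-mfa"})),
    Asset("customer-db", "data", True, False, frozenset({"outdated-software"})),
    Asset("finance-laptop", "finance", True, False, frozenset({"weak-password-awareness"})),
    Asset("marketing-site", "growth", False, True, frozenset()),
]

# Constructed threat picture for a hypothetical vertical (not real reporting).
THREATS = [
    Threat("ransomware affiliates", "exploit unpatched edge device",
           frozenset({"outdated-software"}), True, 5, 5),
    Threat("ransomware affiliates", "credential stuffing against remote access",
           frozenset({"no-mfa"}), True, 4, 4),
    Threat("BEC fraud groups", "phishing for credentials",
           frozenset({"weak-password-awareness"}), False, 5, 3),
    Threat("opportunistic scanners", "exploit unpatched internal service",
           frozenset({"outdated-software"}), False, 2, 4),
]

if __name__ == "__main__":
    register = build_register(ASSETS, THREATS)
    for e in register:
        print(f"{e.score:>2}  {e.asset:<15} {e.owner:<9} {e.actor}: {e.technique}"
              f" (likelihood {e.likelihood} x impact {e.impact})")
    print("no threat mapped:", coverage_gaps(ASSETS, register))
```

Two things in the output are worth noticing. The finance laptop outranks the exposed VPN on the credential-stuffing entry even though it is not internet-facing, because it is a crown jewel and phishing is the most frequent technique in the constructed threat picture; that is the impact dimension doing its job. And the marketing site shows up as a coverage gap: nothing in the threat picture maps to it, which is a prompt to check whether the intelligence is incomplete rather than a reason to ignore the asset.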
Risk Assessment: A Continuous Strategy
My intention with this article is not to give you a book-length, step-by-step explainer on risk assessment. I approach it on a case-by-case basis with my clients because every organization will have a different applicable strategy or set of strategies. What's important is not necessarily the steps, it's approaching the problem intelligently, logically and with caution and intention. This is a vital part of protecting your business, which is why I offer risk assessment strategic consulting as part of my security strategy offerings. If this is something your organization needs assistance with, I am one email away.