
The Ideal Profile of the Risk Assessor

Who is in charge of assessing information risk in your business? Here at Ascentor we are strong advocates of Information Risk Management (IRM) as a tool to manage, effectively and efficiently, the information risks faced by businesses of all shapes and sizes. But it needs to be done properly if it is to have the desired effect.

IRM is a discipline whose purpose is to understand an organisation’s information risks and then put in place optimised, appropriate, pragmatic and cost-effective mitigating controls. There are many aspects to an IRM system, but plumb square in the centre is the risk assessment.

If the risk assessment does not reflect the business, there is a strong likelihood that its output will be inaccurate, which could lead to unrealistic security controls (either too much or not enough security). Getting the risk assessment ‘right’ is a critical aspect of IRM, so what skills and experience does the person carrying out this critical task need?

Seven crucial skills your risk assessor needs

Diplomacy and tact: whether the risk assessment is part of a gap analysis, a snapshot for a new system, or part of an annual review, for the assessment to reflect reality the truth must be obtained about what really happens, as opposed to what the business thinks should happen. The assessor must be able to get to the facts without alienating, upsetting or worrying people. To make this happen, senior management must be fully behind the exercise and accept that uncovering the truth (however unpalatable it might be) is key, so that people offer their knowledge without fear of recrimination.

Excellent communicator: the ability to talk and listen to any level within the organisation, from shop floor to board room. For example, the language used when speaking to the IT department is completely different to that used when talking to HR, and your risk assessor must be able to make everyone feel at ease and confident so that they talk freely.

Qualified and experienced: having a recognised professional security qualification does not in itself mean your risk assessor will provide you with an effective assessment. Combine qualifications with experience and knowledge of different risk assessment methods, and your assessor will be able to execute an effective risk assessment that reflects reality and give practical advice on what is most appropriate for your business.

Business focused: IRM is all about making sure the security applied to valuable information is appropriate and cost-effective. The assessor needs to keep this as a central tenet when carrying out the assessment and therefore requires a good understanding of the business. Security runs through all areas of the business, and during the assessment it may become evident that changing a business process can reduce both risk and cost while still achieving the business aim.

A thorough understanding of technology: information security is more than IT security, but IT has a massive part to play, so the assessor must understand the strengths and weaknesses of modern ICT so that vulnerabilities can be identified when interviewing IT staff or assessing architectures and designs.

Vendor and technology neutral: your assessor needs to stay focused and neutral. During the risk assessment it is important to concentrate on what the risks are, and not to get distracted by potential solutions until the risks are fully understood.

Holistic viewpoint: the scope of the risk assessment will influence this, but security cuts across all parts of a business, and the assessor may identify something that would not normally be seen. This could be a good thing or a bad one, but the important point is that it is identified, so that the business can make an informed choice about how to deal with it.

Do you have someone with this profile in your company carrying out your risk assessments? If you do, that’s great: they will be doing a fantastic job helping your company avoid a costly information security incident. If you don’t, and you would like an independent person to assess your information risks, use this checklist as a guide to help you find them, and make sure they are truly independent and vendor neutral.

If you would like to find out more about what an information risk assessment is and how Information Risk Management (IRM) can help your business, please give Dave James a call.

Telephone: 01452 881712 or 07787 506889

