The Biggest Hurdle in Cyber Risk Assessment Isn't Tech, It's People
As cybersecurity professionals, we often dive deep into the intricacies of networks, code, and vulnerabilities. We assume that identifying assets, scanning for weaknesses, and generating reports are the core of cybersecurity risk assessment. But if you've ever spent a day in a corporate environment, you know the biggest challenge isn't the technology; it's the people.
Today, let's explore two critical points: how we got here and, more importantly, how we get out of it.
How We Got Here: The Education Gap
Many of us come from academic backgrounds or have pursued certifications, which excel at teaching technical skills. However, they often fall short in preparing us for the human element of risk assessment. There's an underlying, yet flawed, assumption that our job primarily involves technical execution: identify assets, scan, calibrate risk, and print a report.
The reality is far more complex. Before you even touch a tool, you need to:
Engage stakeholders: Ensure key individuals are prepared for, and agreeable to, the assessment.
Schedule appropriately: Find optimal times that align with operational demands.
Gather crucial information: Obtain details about solutions, underlying architecture, and more.
Conduct kickoff and discovery meetings: Establish scope and build rapport.
This entire preparatory phase relies heavily on interpersonal communication and stakeholder management. Colleges and certifications, designed for niche, functional learning, rarely bridge the gap between theoretical knowledge or technical practice and the realities of corporate politics and collaboration.
While colleges might teach presentation skills, they often lack the consistent, real-world application necessary to build confidence. That feeling of discomfort presenting in front of a class? It often carries into the corporate world because we haven't adequately practiced these soft skills in a professional context. If you can't get people on board, your assessment might not even get off the ground.
How to Get Around It: Influencing for Mission Assurance
The good news is there are effective strategies to overcome these people-centric challenges.
1. Informational Influence: The Power of Your Story
You possess valuable information, and how you present it can influence others to support your initiatives. This often requires stepping out of your comfort zone to tell a compelling story. My strongest recommendation here is adopting a mission-based approach.
Let's illustrate the difference between a traditional risk-based approach and a mission-based approach with an example:
Imagine two systems, both with the same critical, exploitable vulnerability:
A mission-critical system that directly impacts your organization's core products and customer delivery.
An internal accounting system handling payroll.
From a purely risk-based perspective, both might appear equally critical due to the vulnerability's severity. They might even have similar network protections. But when you apply a mission-based lens, the prioritization changes dramatically.
If the accounting system goes down, it's problematic – perhaps leading to regulatory issues or negative press. However, if your mission-critical system fails, customers will immediately feel the impact. Your organization's reputation will suffer, and its ability to deliver on its primary objectives will be compromised. This is where mission-based cyber risk management truly matters. It helps you prioritize actions that directly protect your organization's purpose.
When you frame your assessment findings and needs by connecting them to the organization's mission and strategic objectives, you speak the language of every leader. You give your work significance that resonates far beyond technical jargon.
2. Running a Pilot: Build Trust and Demonstrate Value
Another powerful technique is to run a pilot assessment. Engage a leader and explain that you want to test your methodology on a parallel or less critical system. Crucially, emphasize that findings from this pilot will not immediately require remediation or be reported directly to senior leadership. This reduces political resistance and allows you to:
Test your processes in a live environment.
Gain experience in stakeholder engagement.
Demonstrate your capabilities without immediate pressure.
This approach builds trust and shows stakeholders the tangible benefits of your assessments in a low-stakes environment.
3. Show Other Results: Leveraging Past Successes
Have you conducted a successful assessment on a different solution or application? Use those results! Share what you discovered and explain how similar insights could benefit their mission-critical systems. This again leverages informational influence, showing a track record of value.
4. Quantify Your Needs: Clear Expectations
Finally, clearly quantify what you need from stakeholders, mapping it to their mission. For example: "I'll need X days of your team's time, X resources, probably a couple of meetings, and most of the work will be on my end. After that, we'll deliver a report directly to your leadership, highlighting how this assessment strengthens your mission delivery." This transparency helps manage expectations and secure buy-in.
We might have arrived at this challenge due to gaps in traditional training, but there are clear paths forward. By combining your technical expertise with a bit of creativity and, most importantly, a mission-based approach to your cyber risk management, you can transform the "people problem" into a strategic advantage for your organization.