Navigating the Unseen: How to Handle and Prevent Missing Risks in Cyber Assessments

It's a common, yet unsettling, scenario in cybersecurity risk assessment: discovering a crucial component was overlooked after an assessment is complete. The question often arises: "How do you handle missing risks in a risk assessment? What can you do in the situation, and how can you prevent this from happening again?"

Let's unpack this compound query, focusing on mission-based cyber risk management and practical prevention strategies.

Missing Risks or Missing Vulnerabilities? A Crucial Distinction

When someone says they "missed a risk," they often mean they missed a vulnerability or an entire component that could introduce or alter the overall risk posture. As illustrated by one individual's experience:

"I realized a few months after supporting a piece of work that I didn't go over the AI component of the system. I'm retroactively reviewing and amending the document to reflect properly, but I'm getting some frustration from stakeholders. So what can you do in this situation?"

My advice? Do not go back and retroactively "fix" a published report. Amending a past report can create confusion and erode trust. Instead, address it proactively and strategically.

Handling the "Oops" Moment: A Proactive Approach

If you discover a significant oversight like a missed AI component, here's how to manage it:

  1. Don't Amend, Complement: Instead of trying to alter the original report, note the omission and propose a complementary assessment or follow-up analysis specifically for the missed element.

  2. Informal Conversation First: The most crucial step is to have a direct, honest, and informal conversation with the relevant stakeholders and leadership. Explain that a critical element was identified that could potentially impact the previously assessed risk posture. Frame it as an opportunity to enhance the accuracy and completeness of their cyber risk profile.

  3. Propose a Path Forward: Discuss whether they would like you to perform a focused reassessment of the missed component. This open dialogue fosters a give-and-take relationship rather than a reactive, potentially defensive, "fix."

Your energy is best spent on preventing future omissions and establishing a robust cyber risk assessment program.

Preventing Future Blind Spots: A Structured Approach

You need a disciplined, structured approach to avoid missing critical elements in future cyber risk assessments.

1. Establish a Framework and Methodology

This is your blueprint for consistency and comprehensiveness.

  • Framework (The "What"): This is your baseline, defining what you will assess consistently across all applications and systems. I advocate for a mission-based, mission-oriented framework. This means:

    • Considering the criticality of the solution and its direct impact on corporate mission objectives.

    • Evaluating the solution's contribution to the organization's ability to maintain services, deliver products to clients, and uphold shareholder value.

    • For example, I assess five classes of assets against the six NIST Cybersecurity Framework functions. This provides a consistent structure that ensures no broad area is overlooked.

  • Methodology (The "How") details how you will conduct the assessment. This includes:

    • Whether you'll conduct a full assessment or a sampling strategy.

    • Your process for selecting targets.

    • The specific types of questions you'll ask during interviews and discovery.

Establishing this framework and methodology from the outset ensures you cover all bases and prevents the "Oh, I missed this in the last assessment" scenario.

2. Define the Assessment Scope – Especially "Out of Scope"

Don't just go in blindly. You need a clearly defined scope for your assessment. Even more importantly, explicitly define what is out of scope.

Communicating what you won't be assessing, and why (e.g., due to people, process, technology, time, or budget constraints), preemptively answers questions from leadership like, "Why didn't you consider this?" It also sets expectations that these "out of scope" areas might be the focus of future assessments.
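The framework in section 1 (asset classes against the six NIST CSF functions) and the explicit out-of-scope register in section 2 combine naturally into a pre-publication coverage check. The block below is an added example, not code from the original post: it builds the asset-class by CSF-function matrix and classifies every cell as covered, justifiably excluded, or a gap, and it flags the bookkeeping errors that let an omission such as the missed AI component slip through (a finding filed under a class the framework never defined, an exclusion recorded without a reason, a cell both assessed and excluded). The six CSF 2.0 functions are real; the five asset classes and all assessment records are constructed placeholders, since the post does not name the author's classes.

```python
"""Coverage check for a mission-based cyber risk assessment.

Added example; it is not code from the original post. The six CSF functions
are the real NIST Cybersecurity Framework 2.0 functions. The five asset
classes are constructed placeholders (the post does not name the author's
classes), and all assessment records below are constructed sample data.
"""
from itertools import product

CSF_FUNCTIONS = ("Govern", "Identify", "Protect", "Detect", "Respond", "Recover")
# Constructed placeholder classes; substitute your own framework's five.
ASSET_CLASSES = ("Data", "Applications", "Infrastructure", "People", "Third parties")


def required_cells(asset_classes=ASSET_CLASSES, functions=CSF_FUNCTIONS):
    """Every (asset class, CSF function) cell the framework requires you to cover."""
    return frozenset(product(asset_classes, functions))


def check_coverage(assessed, out_of_scope,
                   asset_classes=ASSET_CLASSES, functions=CSF_FUNCTIONS):
    """Classify every framework cell as covered, excluded with a reason, or a gap.

    assessed     -- iterable of (asset_class, function) pairs backed by evidence
    out_of_scope -- dict of (asset_class, function) -> reason it was excluded

    Beyond the three expected states, the report flags the bookkeeping errors
    that let omissions slip through a review:
      unrecognized -- assessed pairs naming a class or function the framework
                      lacks (extend the framework, not the published report)
      unjustified  -- out-of-scope cells recorded without a reason
      conflicts    -- cells both assessed and marked out of scope
    """
    required = required_cells(asset_classes, functions)
    assessed = set(assessed)
    excluded = set(out_of_scope)
    return {
        "covered": sorted(required & assessed),
        "excluded": sorted(required & (excluded - assessed)),
        "gaps": sorted(required - assessed - excluded),
        "unrecognized": sorted(assessed - required),
        "unjustified": sorted(cell for cell, why in out_of_scope.items()
                              if not (why or "").strip()),
        "conflicts": sorted(assessed & excluded),
    }


def is_complete(report):
    """True only when every cell is covered or justifiably excluded and no
    bookkeeping errors remain: the gate to pass before a report is published."""
    return not (report["gaps"] or report["unrecognized"]
                or report["unjustified"] or report["conflicts"])


# --- Constructed sample data ---------------------------------------------
# Three classes assessed in full, People only partly, and one finding filed
# under an "AI model" class that the framework never defined.
SAMPLE_ASSESSED = (
    [(cls, fn) for cls in ("Data", "Applications", "Infrastructure")
     for fn in CSF_FUNCTIONS]
    + [("People", "Govern"), ("People", "Protect"), ("AI model", "Protect")]
)
SAMPLE_OUT_OF_SCOPE = {
    **{("Third parties", fn): "vendor contracts under legal review; deferred"
       for fn in CSF_FUNCTIONS},
    ("People", "Detect"): "",                          # excluded, but no reason given
    ("Data", "Recover"): "restore tests owned by IT",  # yet it was also assessed
}


def main():
    report = check_coverage(SAMPLE_ASSESSED, SAMPLE_OUT_OF_SCOPE)
    for state in ("gaps", "unrecognized", "unjustified", "conflicts"):
        for cls, fn in report[state]:
            print(f"{state:12s} {cls} / {fn}")
    print("complete" if is_complete(report) else "NOT complete: do not publish")


if __name__ == "__main__":
    main()
```

Run it as a script to see the sample report; in practice, feed it the evidence log and the scope register from your methodology and make `is_complete` a hard gate in the pre-publication checklist. The `unrecognized` state is the one that would have caught the AI component: a finding that does not fit the framework is a signal to extend the framework and schedule a complementary assessment, not to rewrite a report that has already gone out.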

3. Rigorous Analysis: Identifying Vulnerabilities and Their Impact

This is where you move from finding "risks" to identifying vulnerabilities and weaknesses. Your analysis should:

  • Connect Findings to Mission: Explain how specific vulnerabilities or findings could impact the overall resilience of the solution and, by extension, the organization's mission.

  • Comparative Analysis: Benchmark your findings against established organizational standards and industry guidelines. Deviations represent weaknesses that need to be addressed.

4. Conclude with Actionable Insights and Recommendations

Your conclusion should tie everything together:

  • Alignment: Emphasize the need to align with industry best practices and your organization's internal standards.

  • Control Implementation: Highlight how implementing security controls can diminish identified risks.

  • Recommendations: Provide clear, actionable steps for remediation and improvement.

  • Closing the Loop: Outline how findings will be tracked and verified to ensure risk mitigation.

The Programmatic Approach for Continuous Improvement

Having a framework, methodology, defined scope, thorough analysis, and actionable conclusions – all documented – is paramount. This structured, programmatic approach prevents forgotten steps and ensures consistency.

While reacting to a past omission, prioritize transparent communication and propose a follow-up. For the future, invest in building a robust cyber risk assessment program with well-defined processes. This systematic approach, especially one rooted in a mission-based principle, will significantly reduce the likelihood of missing critical elements and enhance the overall effectiveness of your cybersecurity posture.

Do you have any specific elements of a cybersecurity risk assessment framework you'd like to delve into further?
