Edition e1.0.0
Updated October 9, 2023

Much like your business is rapidly changing, the world in which it operates is changing too. Every element you used to calculate your risk will change: the threats you face, what you have that is worth attacking, and how likely and how damaging an attack would be. A risk calculation is correct for a particular moment in time; it is not a final answer that remains valid forever.
Many factors can cause risk to change. Try to find ways to identify these changes and how they might affect risk for your company.
Increased brand awareness and publicity. For those of us building product- or marketing-led businesses, this is the security curse of our approach: the better known we become, the more at risk we are. Targeted attackers have to know you exist before they will try to cause you harm, so success tends to bring increased security pressure. (Opportunistic, automated attacks are the exception: scanners will find an exposed service whether or not anyone has heard of you, so publicity raises the targeted risk on top of a baseline that was never zero.)
Using a very well-known or popular technology. Attackers often favor the easiest route. They spend time finding vulnerabilities in popular technologies because a single flaw can be turned into an automated attack against every installation of it. If you use a very popular technology or framework, such as WordPress, you inherit that attention. Popular projects are usually also quick to publish fixes, so in practice the risk is driven by how fast you apply patches and how many plugins or extensions you run, since those are frequently the weakest part of the stack.
Global events, politics, and pandemics. From political unrest to pandemics, many global events change how our people feel and how they interact with others. Some of these events stir up unrest or create new motives for attack, particularly if your business could be seen as being on the "wrong side" of current events.
Whatever is going on around your organization, keep a close eye on how those events may impact your security risk. You may need to reassess and take further action.
As well as updating your risks when the world changes, you may choose to hold regular sessions to go through the risks you have listed and decide whether any need to change. Typically this would happen every six months.
You have a great memory, and you have built a successful company from your plucky spirit and your ability to juggle many complex tasks at once, so resisting the formalization and documentation of things like risks is a natural urge. After all, you haven't been hacked yet, so why change?
Recording risks (making a written record of them) shouldn't be a laborious process. It's not about killing the joy and culture of your team, and it's certainly not about slowing down or becoming more wary of the world. Recording risks is simply a mechanism for making consistent decisions about how you will approach a challenge, sharing each decision with those who need to be aware of it, and remembering it so that when times or circumstances change, it can be revisited and you can confirm it is still the right course of action.
Definition: We call this documented record of risk decisions a risk register.