Sage Conversations: The Value of Assessment

May 21, 2012
Documentation of risk and security processes is critical to long-term success

What if you could free up 5 to 20 percent of your current budget year over year? A fully qualified risk assessment, along with a security process optimization assessment can help do just that. What value are you leaving on the table by not having them?

A fully qualified risk assessment provides you: the risk profile of your organization (strategy, business and all-hazards risk alignment); a continuity profile for your ability to respond to risk; and a financial profile for measuring the cost/value proposition of risk decisions.

Here are the benefits of a security process optimization assessment:
• A documented review of your risk/security information architecture and applications around the “-ilities” (scalability, reliability, maintainability, usability, etc.);

• A review of your identity architecture measuring the instances of stored identities, people and processes to manage them, and the technology or tool investment to support it all;

• A review of data aggregation, classification, measurement and analytics that provides you the platform for understanding how you are leveraging the information you are collecting or not collecting. This would include regulatory or internal standards and it would include an assessment of your ability to persistently monitor, manage and measure he risk/continuity and compliance scorecard you develop.

• A review of the interaction of the technology (or tools) with the people who use them to fulfill the cost/value proposition — allowing for a baseline standard that can be used to measure the performance of the people, process and the technology; and

• An assessment of the cost/value of your infrastructure for specifying solutions, evaluating vendors, on-boarding vendors and managing a bid process. This would include a value assessment of each input and how that input translated into future performance — an enormous hidden cost that most organizations never quantify or question.

If you are like most leaders, you have not inherited a risk assessment or a security process optimization assessment. However, this information represents a continuous data stream that is critical to your long-term value position in your organization.

In next issue’s column I will discuss some approaches you might consider going forward.

Ronald Worman is the founder and managing director of The Sage Group.