SibylSoft Logo

Guest Post: Risk Assessment Questionnaires - How Administration Shapes Security Culture

Brendan Miller, Director, ISO Governance, Risk, and Compliance Team (ISO GRC Team), University of Arizona • February 18, 2024

At first glance, risk assessment questionnaires appear straightforward.

These assessments involve presenting questions that, when answered, indicate the current state of security practices or identify areas where a security practice cannot be identified at the time the questionnaire is answered. 

 

However, there's a crucial yet often overlooked aspect to how these assessments are conducted that significantly influences how teams perceive their role within the organization's security culture. The key question in administration is: who is responsible for conducting the risk assessment?

 

When a security professional conducts a risk assessment, it sends a message to the team being assessed that only someone in the security field can effectively and accurately handle this task. Conversely, when a team is given the authority to conduct their own risk assessment, it signals that they are accountable for selecting and implementing suitable security measures in their work, indicating trust in their judgment and capabilities.

 

This nuanced yet crucial change in perspective significantly influences how teams perceive their place within their organization's security culture. It's a pivotal decision for security professionals to weigh when deciding how to position their risk assessment approach.

 

This doesn't mean that security professionals aren't essential in risk assessment. In fact, many decisions made during the development of a risk assessment have significant implications for security culture. Every aspect of the risk assessment process sends messages to teams about the organization's priorities in security practices, the depth of understanding expected, the allocation of security responsibilities, and more. Therefore, security professionals should carefully consider providing teams with sufficient training, selecting relevant questions, tailoring questions to their organization, referring to supplementary materials when needed, and offering expert guidance through consultation.

 

In summary, the way risk assessment questionnaires are administered significantly influences an organization's security culture. Whether led by security professionals or teams, this decision affects perceptions of responsibility and trust. It highlights the crucial role of security professionals in guiding assessments and aligning them with organizational goals to promote a culture of security awareness and responsibility.

Powerful Cyber-Risk Automation Behind an Easier User Experience

By Sonya Lowry June 17, 2024
SibylSoft is proud to announce the release of Sibylity Professional!

Reimagining Cybersecurity

By Sonya Lowry June 13, 2024
Insights from ProPublica's Investigation into the SolarWinds Breach

Debunking the Myth: The Reality of Automated Cyber-Risk Management

By Sonya Lowry March 13, 2024
It certainly seems like there are a ton of new cyber-risk management vendors, but are things really what they seem?
a group of people are sitting around a table with laptops .

Spotlight on New Features: Remediation Management

By William Seccombe February 11, 2024
SibylSoft proudly unveils Sibylity's new remediation management tools.
a group of people are sitting at a table with laptops in front of a shield .

Federated Cybersecurity: What makes a cyber-risk management practice effective?

By Sonya Lowry February 10, 2023
Managing cyber-risk is not just a compliance obligation; it's a strategic imperative that can streamline your cybersecurity investments. Rather than regarding it as a mere necessity, embracing a robust risk management program can be transformative. But the question remains: what defines an effective cyber-risk management strategy, and what attributes should you seek in your risk management tools?
a group of people are sitting around a table with computers .

Bridging the Gap: Federated Cyber-Risk Management and the Power of Collective Responsibility

By Sonya Lowry January 11, 2022
In the traditional model of organizational cybersecurity, responsibility is often a centralized affair. This creates a singular pressure point and when breaches occur, the resulting shockwaves are felt throughout the entire business structure. It is a system fraught with ambiguities over who is responsible for what, leaving a perilous gap that can lead to significant security lapses.
Thia is standing next to a Sibly, a green robot .

Meet Thia!

By Sonya Lowry August 4, 2021
Meet Thia! Thia is Sibylity's expert system that is there to guide you and your users through your participation in your organization's cybersecurity practices. Thia alleviates the tedious aspects while providing valuable insight that is understandable by those new to cybersecurity and experience analysts, alike. Consider Thia not just a tool, but a mentor guiding your organization to cultivate risk-aware practices and a cybersecurity-aware culture.
Sentinel Peak

Guest Post: From Our Friends at the University of Arizona

By Sonya Lowry February 18, 2021
Our Friends in Tucson Worked Together to Make this Video for Us
Share by: