There is one question that I ask in every risk assessment interview that time and time again has yielded the best results.
It is a question that goes to the heart of understanding how the business works, not just how the IT department operates.
It is a question that IT and Security Pros get to use on a regular basis as a part of business-as-usual conversations with employees across the business.
But this question should not be asked as a conversation starter. I use trust and rapport building to prep the interviewee for this question.
Because if you don’t, you’ll get the unhelpful answer, “No.”
If I have done my job well and the interviewee feels safe talking to me and doesn’t think I’m out to get them, they will open up in ways that surprise even the IT and Security Managers in the room.
The single best question I use to identify risks during a risk assessment is always my closing question.
“Are there any security risks we haven’t yet discussed that you think I should be aware of as a part of this assessment?”
I get very interesting answers.
“Although the in-store credit application is now online, we still receive quite a few submissions via fax. We’re trying to phase this out, but we have a file cabinet full of older credit applications that we are not sure what to do with.” Meanwhile, the Security Manager looks at me with a glint in her eye that says, “This is the first I’ve heard about this.”
“When I’m visiting a patient at their home, I like to keep my notes on a notepad as I’m working and then transfer them to the computer later in the afternoon or evening when my home visits are done.” That is when I ask, “Where do you store these notes, and do you ever dispose of them?”
The organization needs to have these conversations to become aware of these issues. And as an IT or Security Pro, you get to lead them.
Building trust and rapport is crucial and is why this question doesn’t work well in a questionnaire.
Want to learn more about how to extract the truth about risk at your organization and build a risk-focused security program?
I’m holding a webinar March 26th, 27th, and April 2nd where I will dive into how to build that trust & rapport during an interview as well as the step-by-step process by which I perform risk assessments.
I believe the Next Generation of IT and Security Professionals will know how to assess risk. Whether assessing risk on a small scale for a new IT acquisition, or on an organization-wide scale — evaluating risk and communicating options to leadership in terms of risk will distinguish the Next Generation of IT and Security leaders.
I’ve performed over a hundred risk assessments the past 15 years and have boiled down exactly what I do into a step-by-step process.
Register for my free webinar to learn this step-by-step process.
To Your Success,
Geoff Wilson is CEO and Security Pro Coach at Go Security Pro. Geoff helps companies with complex cybersecurity obligations create momentum around a simple, prioritized plan that supports the business goals. Geoff has a Master of Information Security from Carnegie Mellon University and a Computer Science degree from the University of Oklahoma. He taught a graduate-level Information Security course at the University of Oklahoma for four years. Geoff is a published author, has worked with the National Security Agency, has consulted with the Executive Office of the President, and has been in Information Security for 17 years.