Risk assessment isn’t just practical, it’s necessary. However, the task can be daunting if you don’t know where to start. The secret is that you can take shortcuts! Lars Neupart suggests certain ways to cut back while still beginning a responsible approach to risk management.
First, don’t worry about all your assets. It’s nearly impossible to chart all of them. Start with the main business processes and go from there. You should have a good sense of which processes matter most to your business, and it only makes sense that you spend more time on those.
Second, don’t worry about all threats. If you brainstorm every possible threat, you’ll quickly be overwhelmed, and you’ll be left with a list too long to work through. First, split your assets into types. Then identify which threats are relevant to the different types. This should help you group your threats into broader, more manageable categories.
Finally, look at high-level assessments first. Often, you will try to look at how a security incident impacts revenues, costs, image, or contractual compliance. Don’t be afraid to assess these factors collectively. It’s better than not assessing them at all, and you’ll find that starting broad gives you plenty of opportunity to see the big picture, while still leaving room for detail later.