Number exercise
Jun 30th, 2012 by Jesper Kråkhede
I just reviewed a risk analysis conducted at one of my clients. One thing that struck me was that this must have been conducted by some accountant with security skills. The risk analysis is adequate and fulfils the goals set, but the analysis in itself is a number exercise way beyond what is useful. Numbers upon numbers upon numbers, multiplied and multiplied, colour coded and twisted again to come up with a RAG (Red, Amber, Green)… and nothing about how to solve the problems! There are comments on mitigations, but those are so very high level that they are not useful at all.
I'm to some extent 😉 a sucker for security architecture, but in my experience when delivering similar reports, the analyses where I point out security architecture components are the ones that actually deliver value to the client, on both the management and the techie level.