This Critical Asset and Risk Prioritization tool is named “Pairwise Comparison” because it ranks items by comparing them one pair at a time. It can be used for one or both of two purposes:
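The ranking mechanics behind the tool, as an added example that is not part of the original article: each stakeholder states which asset of every pair should be protected first, the majority view decides each pair, and assets are ordered by how many pairs they win. The asset names, stakeholder names and votes are constructed sample data, and the win-count (Copeland-style) scoring and the cycle check are assumptions about how to tally, not something the article prescribes. The cycle check matters in practice: when the group collectively prefers A over B, B over C and C over A, no ranking satisfies everyone and that triple needs to be discussed again rather than silently broken by the tally.

```python
from itertools import combinations
from collections import Counter

# Constructed sample input: the critical assets to be ranked.
ASSETS = ["customer database", "payment gateway", "HR records", "build servers"]


def from_order(order):
    """Expand one stakeholder's full ordering into a pair -> preferred-asset map.

    Pairs are stored as frozensets so (a, b) and (b, a) are the same comparison.
    Votes can also be built pair by pair; a full ordering is just a shortcut.
    """
    return {frozenset((winner, loser)): winner
            for winner, loser in combinations(order, 2)}


# Constructed sample input: each stakeholder's pairwise preferences.
STAKEHOLDER_VOTES = {
    "Finance": from_order(["payment gateway", "customer database",
                           "HR records", "build servers"]),
    "Legal": from_order(["customer database", "payment gateway",
                         "HR records", "build servers"]),
    "Engineering": from_order(["payment gateway", "customer database",
                               "build servers", "HR records"]),
}


def majority_winners(assets, votes):
    """For each pair, the asset preferred by most stakeholders (None on a tie)."""
    result = {}
    for a, b in combinations(assets, 2):
        pair = frozenset((a, b))
        tally = Counter(v[pair] for v in votes.values() if pair in v)
        if tally[a] > tally[b]:
            result[pair] = a
        elif tally[b] > tally[a]:
            result[pair] = b
        else:
            result[pair] = None
    return result


def rank(assets, votes):
    """Order assets by number of pairwise majority wins (ties broken by name).

    Returns (ranked_list, wins_per_asset).
    """
    winners = majority_winners(assets, votes)
    wins = Counter({a: 0 for a in assets})
    for w in winners.values():
        if w is not None:
            wins[w] += 1
    return sorted(assets, key=lambda a: (-wins[a], a)), dict(wins)


def find_cycles(assets, votes):
    """Report intransitive triples: x beats y, y beats z, z beats x.

    Each such triple is a disagreement the stakeholder group must resolve
    explicitly, because no single ranking is consistent with all three results.
    """
    winners = majority_winners(assets, votes)

    def beats(x, y):
        return winners.get(frozenset((x, y))) == x

    cycles = []
    for a, b, c in combinations(assets, 3):
        # The two possible orientations of a 3-cycle on this triple.
        for x, y, z in ((a, b, c), (a, c, b)):
            if beats(x, y) and beats(y, z) and beats(z, x):
                cycles.append((x, y, z))
    return cycles


# Constructed second sample showing a collective preference cycle.
CYCLE_ASSETS = ["customer database", "HR records", "payment gateway"]
CYCLE_VOTES = {
    "S1": from_order(["customer database", "HR records", "payment gateway"]),
    "S2": from_order(["HR records", "payment gateway", "customer database"]),
    "S3": from_order(["payment gateway", "customer database", "HR records"]),
}

if __name__ == "__main__":
    order, wins = rank(ASSETS, STAKEHOLDER_VOTES)
    for asset in order:
        print(f"{wins[asset]} wins  {asset}")
    print("cycles:", find_cycles(ASSETS, STAKEHOLDER_VOTES))
    print("cycles in second sample:", find_cycles(CYCLE_ASSETS, CYCLE_VOTES))
```

With the sample votes the payment gateway wins all three of its pairs and tops the list, while the second sample produces one unresolved cycle and equal win counts for all three assets, which is the signal to take that triple back to the stakeholders rather than schedule on the tally alone.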
Consensus Use: To obtain a consensus among business unit managers and/or senior executives (i.e. critical asset stakeholders) for ranking critical assets and risk mitigation measures, so that assessment actions and protective measures can be scheduled according to the needs of the business. This can be important when budgeting requires that some security measures be implemented in the current or upcoming budget period while others must wait until the following budget period. In the case of annual budgets, a year-long delay may be a significant risk period. For a set of risks that all involve significant potential impacts, a delay of even a few months may result in too much exposure, such as for gaps in regulatory compliance.
As a security leader, it is a better position to be in to gain consensus among the stakeholders, whose combined opinions set the priorities, than to set the priorities yourself and be held to blame for any undesirable consequences of the prioritization decisions you make.
It is a winning approach to start the ball rolling on the most highly prioritized security measures (per consensus), and then to work with the stakeholders closest to the lower-priority set of risks to implement temporary measures that are worth implementing to lessen the potential business impacts until the full set of measures can be put into place. This approach gains maximum support, for you and for the security measures being implemented, from the set of critical asset stakeholders.
Financial support for interim security measures sought by business unit managers is more easily approved by senior management than a budget request presented as based upon your own personal desires or preferences.
Insight Use: When prioritization is not critical, or is not needed to obtain approval, it can still be very beneficial for Security to gain additional insight into the thinking of critical asset stakeholders and into the functions that depend upon the critical assets. The pairwise comparison process can be used as a means to obtain specifics about risk factors, especially business impact.
As part of the pairwise comparison discussion, ask: “What are the worst business impacts that could result from [insert critical asset] being compromised?” Often there are multiple types of impacts, such as financial, public reputation, employee morale, production, product quality, partner relations, customer relations, investor relations, regulatory compliance, injury or death, and so on. Another revealing question is, “Who would have to approve doing nothing about the risk of these impacts for the next year?”
It’s one thing to say “No” to expenditures, another to say “Yes” to the resulting risk. Even when full budgetary support for desired security improvements is available, it is valuable to know which senior stakeholders won’t have to be consulted about risk acceptance, and can instead be informed about risk mitigation requested or approved by the business unit managers.
This is one way of making the value of the Security function clearly known to senior-level management. Another important use of this tool is to enable scheduling of security measure implementation to minimize the disruption to routine or special business activities, and to business unit personnel who may be impacted by the implementation. Areas that will be impacted most by the security measure implementations may need more time to prepare for them.