I had a nagging worry that something was wrong with my car, so I finally decided to take it to the dealer. I couldn’t exactly describe my concern, except that there was an intermittent “funny noise” coming from somewhere in the front end. An unscrupulous dealer would have taken me down a long path of parts replacement, beginning with tires, then wheels, then tie rods, and on and on, perhaps never fixing the real problem. Fortunately, my dealer was honest and performed diagnostics, ultimately discovering that the rack and pinion was failing. The part was under warranty, so the repair cost me nothing and my funny noise is gone.
Was my worry constructive? Yes. It also went hand-in-hand with my own risk assessment. What were the chances that the noise foretold a failure that would cause an accident? Would I or others be hurt in the accident? As it turned out, a failure could have been catastrophic. In this scenario, I could prudently act on my worry because I had a basic understanding and control of the situation. But it’s not always easy to act on worries—particularly if you don’t understand the issues or potential risks.
It’s reasonable these days for everyone, particularly lawyers, to have a nagging worry about information security. That’s where independent risk assessment comes in. Most lawyers know just enough about accounting and finance to manage their firms profitably, calling in experts when needed. The same should be true for information security. An independent security risk assessment not only identifies risk, it also educates the firm about the threats and vulnerabilities it is most likely to face.