This blog was written by a third party author.
What is a security risk assessment?
A security risk assessment is a formal method for evaluating an organization's cybersecurity risk posture. Comprehensive security risk assessments take stock in business objectives, existing security controls, and the risk environment in which the business operates. When done well, the assessment identifies security gaps in existing controls as compared with industry best practices. Assessments then prioritize opportunities to close the gaps based on the significance of the cyber risk to which they expose the business.
Security risk assessments provide a foundational starting point and an ongoing yardstick for developing a risk-based cybersecurity program. Systematically documenting technical and process deficiencies and scoring them by the potential to materially impact ongoing business missions lays the groundwork for:
- Holding meaningful discussions with executives on the business implications of security risk
- Providing the waypoints for disciplined investment in new security measures
- Measuring reduction of risk as improvements are made
- Proving compliance and ensuring investments meet regulatory standards
No matter where an organization is on its journey toward security maturity, a risk assessment can prove invaluable in deciding where and when it needs most improvement. For more mature organizations the risk assessment process will focus less on discovering major controls gaps and more on finding subtler opportunities for continuously improving the program. An assessment of a mature program is likely to find misalignments with business goals, inefficiencies in processes or architecture, and places where protections could be taken to another level of effectiveness.
The risk assessment process
The time it takes to conduct a full security risk assessment varies by the organization's size and complexity. Risk assessments for smaller or less complex organizations may be completed in less than a week, while those for larger, more complex, or highly regulated organizations can take significantly longer.
The process is typically kicked off by a discovery phase that will include exercises such as:
- Interviewing key business stakeholders to gain understanding of the core business goals that security is meant to support
- Conducting technical inventories and documenting data flows and standards to map existing IT architecture
- Collecting documentation and performing technical testing to review the security tools and controls currently in place within the architecture
Initial information gathered during this discovery phase is then married up relevant regulatory requirements and a cyber risk management framework of choice to discover where controls gaps exists. A framework informs a security risk assessor by cataloging security best practices, providing industry benchmarks, and offering established methodologies for analyzing and scoring risk incurred by control gaps.
Among the most popular frameworks guiding security risk assessment today is the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), which provides an end-to-end map of the activities and outcomes involved in the five core functions of cybersecurity risk management: identify, protect, detect, respond, and recover. Using CSF provides a way for assessors to score maturity based on existing controls and in the context of progress made by industry peers, offering maturity profiles for different types of organizations, with implementation tiers broken down and shifted based on the industry.
After performing a risk analysis, the assessment is then organized into a report that offers full documentation of the business priorities supported, assets at risk, controls in place, existing vulnerabilities and controls gaps found across the organization. The report will provide recommendations on the gaps that should be addressed first, based on the business requirements described by executives during discovery.
Risk-based Cyber Posture Assessment
Get a quick assessment of your security posture and make a plan to get where you want to be.Learn more
Types of security risk assessments
A security risk assessment shouldn't be confused with technical security assessments such as vulnerability assessments, penetration tests, or red team exercises. These types of technical evaluations can help inform security risk assessments, but they do not examine the risk posture with the broad scope and business-oriented perspective seen through the lens of a security risk assessment. Ultimately a framework-based cyber risk assessment is meant to inform executives and directors with analysis and summary of risk factors so they can make better big-picture decisions.
Typically, security risk assessments can be broken down into two major categories:
Qualitative risk assessments: which usually analyzes risk based on the subjective expertise of the assessor
Quantitative risk assessments: which numerically scores and measures risk based on some formalized quantification
Organizations seeking to balance the cost of security investments against the potential financial fallout of cyber risk often opt for the rigorous process of quantitative risk assessments, potentially seeking out financial modeling from frameworks like Factor Analysis of Information Risk (FAIRTM). However, the heavy lifting from this kind of analysis will prolong the risk assessment process and a less mature organization may prefer the faster broad brush analysis afforded by a quantitative risk assessment.
Often organizations will pick a middle ground, choosing to opt for a security risk assessment to be conducted through a semi-quantitative method that uses rough estimates such as high-medium-low or risk ratings from 1-5 to describe risk levels for specific program components, business units, or security control areas.
No matter how an organization chooses to conduct its risk assessment, the process should offer organizations an opportunity to honestly evaluate the strengths and weaknesses of its security program in order to clearly understand the risks faced by the business. While this can be done by an in-house team, many organizations prefer a trusted third-party to run the exercise in order to provide the added level of neutrality and expertise necessary to guide the difficult conversations between security, business stakeholders, and IT executives that may come from what the assessment unearths.