How to Conduct a Cybersecurity Risk Assessment

This article provides a step-by-step guide for conducting a cybersecurity risk assessment to identify and prioritise potential threats to your business.

What I have learned over time is that security starts with your understanding of the business. Following frameworks such as ISO 27001 (published by the International Organization for Standardization) or those of NIST (the National Institute of Standards and Technology) is necessary, but it is not enough on its own. Knowing how the business operates and generates a profit is the key to assessing risk well.

The cybersecurity risk assessment is often the first task you undertake when you start a new job as CISO. The goal of the assessment is to identify your critical assets, the threats to those assets, and the vulnerabilities that weaken your defence of them. A thorough assessment of your current security posture is the starting point for everything that follows.

The first thing we need to do is to identify our critical assets. Dr. Eric Cole of Secure Anchor Consulting suggests you start with a simple table listing your top five critical assets, top five threats and, finally, top five vulnerabilities. Your assets may include the network, hardware, software and data your business depends on.

Critical assets you will want to identify include your business data, your software and applications, and your networks. Understanding which assets are the most valuable lets you prioritise the assets you need to protect first.

We then assess the top five threats, the likelihood of each one occurring, and the known vulnerabilities each threat could exploit. For each, we also assess the impact on the organization should it occur. Assessing the impact is a key activity that is often skipped.

Understanding how the business operates and makes a profit is key to prioritising the risks you have identified. You should consider the financial, legal and reputational consequences of a cyber event in addition to its operational impact. Only then can you determine which of the threats you will address first.
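As an added example (my own illustration, not code from the article or from Dr. Cole), the steps above as a small risk register in Python: each entry pairs an asset with a threat and the vulnerability it would exploit, a likelihood rating, and an impact rating per consequence type, and the register is ranked so the top five risks fall out. The 1-to-5 scales, the rule of scoring each risk by its worst impact dimension, and the sample entries are all assumptions made for the example.

```python
"""Minimal risk register: score and rank asset/threat/vulnerability entries.

Added example, not from the article. The 1..5 scales, the scoring rule
and the sample entries below are assumptions made for illustration.
"""
from dataclasses import dataclass

# Assumed ordinal scale used for likelihood and for every impact dimension.
LEVELS = range(1, 6)
# Consequence types the article lists: financial, legal, reputational, operational.
IMPACT_DIMENSIONS = ("financial", "legal", "reputational", "operational")


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int   # 1 (rare) .. 5 (almost certain)
    impact: dict      # dimension -> 1 (negligible) .. 5 (severe)

    def __post_init__(self):
        # Reject entries outside the scale or missing a dimension, so a
        # half-filled row cannot silently rank low.
        if self.likelihood not in LEVELS:
            raise ValueError(f"likelihood out of range: {self.likelihood}")
        missing = set(IMPACT_DIMENSIONS) - set(self.impact)
        if missing:
            raise ValueError(f"impact missing dimensions: {sorted(missing)}")
        for dim, level in self.impact.items():
            if dim not in IMPACT_DIMENSIONS or level not in LEVELS:
                raise ValueError(f"bad impact rating {dim}={level}")


def worst_impact(risk: Risk) -> int:
    """Use the worst dimension: an event that is financially minor but
    legally severe is still a severe event (assumed rule)."""
    return max(risk.impact.values())


def risk_score(risk: Risk) -> int:
    """Likelihood x worst impact, giving a score from 1 to 25."""
    return risk.likelihood * worst_impact(risk)


def rank_risks(risks, top_n=5):
    """Highest score first; ties broken by likelihood, then asset name."""
    ordered = sorted(risks, key=lambda r: (-risk_score(r), -r.likelihood, r.asset))
    return ordered[:top_n]


def render_register(risks) -> str:
    """Plain-text table of the ranked register for a management summary."""
    lines = [f"{'Score':>5}  {'Asset':<18}{'Threat':<20}Vulnerability"]
    for r in rank_risks(risks):
        lines.append(f"{risk_score(r):>5}  {r.asset:<18}{r.threat:<20}{r.vulnerability}")
    return "\n".join(lines)


def sample_register():
    """Constructed sample entries for a fictional company (not real data)."""
    return [
        Risk("Customer database", "Ransomware", "Unpatched file server", 4,
             {"financial": 4, "legal": 5, "reputational": 5, "operational": 4}),
        Risk("Payment gateway", "Credential stuffing", "No MFA on admin portal", 4,
             {"financial": 4, "legal": 3, "reputational": 4, "operational": 3}),
        Risk("Staff email", "Phishing", "No DMARC enforcement", 5,
             {"financial": 2, "legal": 2, "reputational": 3, "operational": 2}),
        Risk("Public website", "DDoS", "Single hosting provider, no CDN", 3,
             {"financial": 2, "legal": 1, "reputational": 3, "operational": 4}),
        Risk("Internal wiki", "Insider data leak", "Overly broad access rights", 2,
             {"financial": 2, "legal": 3, "reputational": 3, "operational": 1}),
    ]


if __name__ == "__main__":
    print(render_register(sample_register()))
```

The point of the worst-dimension rule is that a single qualitative scale hides the fact that the legal or reputational fallout of an incident is often what makes it critical, which is exactly the impact assessment the text says is so often skipped; swap in your own scoring rule, but keep the validation so that nobody can rank a risk low by leaving a column blank.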

The next step is to implement the security controls that will mitigate the threats you ranked highest. Frameworks are a great starting point, but every organisation is different. You have to involve the business and the domain expertise available to you to truly understand how to manage your cyber risk.

The final point of discussion is monitoring. Here we have to be careful not to create a monster that collects firewall logs and network data nobody acts on; collection that is not tied to the assets and threats you identified will not make those assets safer. As the threat landscape is in constant motion, your monitoring needs to change with the needs of your organization. Now might be the time to bring security expertise in-house or to bring in a quality consultancy to assist.

In the end, communication between IT and the business is key to achieving the best result for your organization. In addition to a team well versed in cybersecurity, you need to involve senior management and help them understand the threat landscape, the time and budget you need to mitigate the threats, and of course the consequences of not managing risk in a robust manner.