Nearly every security framework and regulation requires risk management to be integrated into an organization’s operations. The premise is that to understand the priorities, the organization must first understand the threats and what risk or impact those threats pose. It may seem obvious, but many organizations and security practitioners lose sight of this key fundamental in managing their security program.
If we first break it down into the CIA triad, confidentiality, integrity, and availability, it becomes even more clear that security is more than just a set of technical digital controls. A solid cybersecurity risk assessment entails reviewing any threats or events that can have an impact across any of those three components.
Through that lens, physical events, financial events, and reputation events are all items that must be considered, as they could impact the confidentiality, integrity, or availability of the organization.
So, which organizations should consider a third-party cybersecurity risk assessment, and what budget should they expect to request?
For the first part of that question, the short answer is any organization. But a sufficiently mature organization may have the internal resources that are up to the task.
Organizations that lack sufficient skills, knowledge, and processes internally will find it easier to engage a partner to perform the assessment. As for budget or cost, this article will dig further into the details and outline the core factors that impact cyber security risk assessment cost and duration.
(IMPORTANT: We compiled this free report showing pricing data from 10 real Vulnerability Assessments so your firm can benchmark VA costs and avoid overpaying.)
- Scope for Cyber Security Risk Assessment
- Cost Benchmarking
- How Much do Costs Vary from One Vendor to The Next?
- How to Reduce Cyber Security Risk Assessment Costs
- Costs of Contracting an Assessment Vs Performing One Internally?
- Costs of Cyber Security Risk Assessment Vs Benefits
Scope for Cyber Security Risk Assessment
Despite the prefix “cyber”, a cyber risk assessment looks at much more than the digital or IT assets of an organization. A comprehensive, enterprise cyber risk assessment covers anything physical, user-related, political, or digital that could have an impact on the security, financials, operations, or viability of the organization.
This may seem overwhelming and a bit gloomy, but it is not intended to be. As touched on previously, the point is to identify what could go wrong in order to determine what, if any, corrective actions an organization would like to implement to lower the impact, cost, or severity of a security event.
Regardless of the scope, for a typical cybersecurity risk assessment, an organization can expect to go through the following components, covered in more depth in our “What is a Cyber Security Risk Assessment?” article.
- Scope: Determine what is in scope or to be included as part of the risk analysis for the organization. Is this a full enterprise, business unit, application, or network segment?
- Threat Identification: Review the assets, data, or users in scope to identify what could go wrong.
- Risk Quantification: What do those threats mean? What is the impact and likelihood of those threats happening? This step provides the meat of the value as it will help the organization determine the priorities and focus for the security program.
- Risk Documentation: This is where the vendor will put together a formal report to document the findings. It may include details on how the risk ratings were calculated, the methodology used, and any supporting frameworks.
- Risk Reduction: While some vendors can assist with providing this, often this is left to the organization to conduct. This is the process of identifying if the risks will be mitigated, transferred, avoided, or accepted and should be aligned to the organization’s risk tolerance.
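As an added illustration of the quantification and reduction steps above (example code, not from the article or any vendor's methodology), a small Python risk register scores each in-scope threat by likelihood × impact, bands the result, tags the CIA components affected, and derives the treatment options permitted by a stated risk tolerance. The scales, band thresholds, tolerance value and sample risks are constructed assumptions.

```python
from dataclasses import dataclass

# Qualitative 1..5 scales. The scales, band thresholds and sample risks are
# assumptions constructed for this example, not values from the article.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost_certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

@dataclass
class Risk:
    threat: str
    asset: str
    cia: tuple          # which of confidentiality / integrity / availability is affected
    likelihood: str
    impact: str

    def rating(self) -> int:
        """Risk quantification: likelihood x impact on a 1..25 scale."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

def band(rating: int) -> str:
    """Map a 1..25 rating onto the bands used in the report (assumed thresholds)."""
    if rating >= 15:
        return "high"
    if rating >= 8:
        return "medium"
    return "low"

def treatment_options(rating: int, tolerance: int) -> list:
    """Risk reduction: a rating within tolerance may be accepted; anything above
    it must be mitigated, transferred or avoided (the organization picks which)."""
    if rating <= tolerance:
        return ["accept"]
    return ["mitigate", "transfer", "avoid"]

def prioritize(register, tolerance: int) -> list:
    """Return register rows sorted highest rating first, with band and treatments."""
    rows = [{"threat": r.threat, "asset": r.asset, "cia": r.cia, "rating": r.rating(),
             "band": band(r.rating()), "treatment": treatment_options(r.rating(), tolerance)}
            for r in register]
    return sorted(rows, key=lambda row: row["rating"], reverse=True)

# Constructed sample register for one business unit in scope.
SAMPLE_REGISTER = [
    Risk("ransomware on file servers", "finance file share", ("integrity", "availability"), "likely", "severe"),
    Risk("lost unencrypted laptop", "field sales laptops", ("confidentiality",), "possible", "major"),
    Risk("flood at primary office", "HQ data closet", ("availability",), "rare", "major"),
    Risk("phishing of payroll staff", "payroll portal", ("confidentiality", "integrity"), "almost_certain", "moderate"),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_REGISTER, tolerance=6):
        print(f"{row['rating']:>2} {row['band']:<6} {row['threat']:<28} {row['treatment']}")
```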
Due to the varying types of risk assessments, budget is dependent on the scope. A full enterprise risk assessment will require a greater level of effort than assessing a business unit.
Due to this, the pricing has a very wide range. For a mid-sized organization, an expected budget of $15,000 to $40,000 would be a good starting point.
To better understand how a vendor may come to final pricing, let’s review some of the key cost factors involved with scoping and quoting a cyber security assessment.
Cost Factor #1: Scope
The largest factor in the overall cost of a risk assessment is the scope. Scope, in this context, refers to what level of the organization or which assets are to be reviewed and analyzed for risk. This could be the full enterprise, all users and all assets, which is the most common case.
However, it can be a particular office, business unit, application, or any other subset of the organization. By keeping the scope pertinent to what is of concern or interest, an organization can keep the overall cost lower for the security assessment.
Cost Factor #2: Organization Size
The larger the organization, the more time the risk assessment will require, which increases the overall cost. This has the largest impact on a full enterprise security assessment, but the same factor also drives the cost of a project covering only a subset of the organization.
In general, the larger the organization the more attack surface, complexity (another factor), and overall exposure that may be presented. This all adds up to additional risks that will need to be analyzed as part of the security assessment.
Cost Factor #3: Industry
Most security services are not typically impacted by the industry. A security assessment, however, certainly is, and that can increase the overall cost of the assessment.
The multiple security frameworks and requirements that apply to a given industry add complexity and additional time. For instance, in the healthcare sector the assessor may need to consider components of HIPAA. In the financial sector, the assessor may have to consider FFIEC or FDIC requirements and risks, or even PCI DSS. In short, the more regulated the industry, the more cost will be added to the security assessment to address the frameworks and requirements for that industry.
Cost Factor #4: Complexity
Complexity relates to many aspects of the organization. Information technology complexity will add the most cost as this will change the threats that need to be analyzed for risk.
An example of how this can impact the cost is an organization that operates with several subsidiaries that have varying levels of maturity and report to the core business, but all have network access. This will increase the cost as the vendor will need to spend more time with each subsidiary to understand the threat and the risk to that business unit before rolling it up to the parent organization.
Compare this to an organization of the same size with the same number of subsidiaries that operate from a single information security and information technology leadership and technology stack. It can be assumed that the controls and processes reviewed at the parent company will roll down with a certain level of efficacy and will require less time to evaluate at the entity level.
How Much do Costs Vary from One Vendor to The Next?
In general, there is no reason that hourly costs should vary much from one vendor to another. The overall effort from one vendor to the next may differ, based on the frameworks utilized. While this will impact the total cost, the hourly rate should be nearly the same from one vendor to the next.
One component of vendor selection that will vary is travel cost. Some vendors charge a pass-through, others charge a weekly or flat rate regardless of spend. Expect that there will be some need for onsite work as part of the engagement and ask about the travel charge up front. This is an area where negotiation is possible during planning; it is also possible to request local resources from larger firms to help keep the cost low.
When it comes to picking a vendor, focus on the framework or assessment methodology. It is important to understand how the vendor will evaluate the threats in your environment and to ensure that it aligns with your internal requirements. If your organization is built on top of NIST, it makes sense to find a vendor that will work with the NIST Cybersecurity Framework; the same goes for ISO 27001.
How to Reduce Cyber Security Risk Assessment Costs
There is no good way to reduce the overall cost of the assessment other than to keep the scope small or limited to the assets that actually need review.
A full enterprise assessment will not provide much wiggle room to lower the overall cost. The only real option is to work with the vendor to agree to a smaller time box for the assessment.
The biggest risk in this approach is that the assessment will lack adequate depth and therefore reveal fewer risks. That can give a false sense of the maturity or capabilities of the security program and investment, leave the organization under-funding the security program, and could very well lead to a breach or incident.
Costs of Contracting an Assessment Vs Performing One Internally?
There are many tools and frameworks that can be utilized to conduct an internal assessment. Some require payment and others are open source or free. With that in mind, the overall cost of conducting the assessment can range from free, apart from employee time, to as much as or more than engaging a third party.
When deciding to conduct an internal risk assessment there are a couple of things that should be considered before starting the process.
- Does the organization have internal expertise? If not, is the organization willing to invest in training to develop this capability?
- Does the organization desire or require risk assessments more frequently than yearly? If so, it may be cheaper to invest in the internal capability.
- Can the internal assessor act independently and without bias? It is critical to be free of bias to make sure that risk is assessed appropriately.
- What framework will be utilized? Will the organization need to purchase it?
Many of these questions are items that a third-party vendor can answer easily. However, that comes with the cost of using a third-party vendor to conduct the assessment. So, when considering conducting internally vs. externally, it is important to compare the internal costs of tools, time, and training to the overall contract cost.
Costs of Cyber Security Risk Assessment Vs Benefits
To be blunt, every organization should conduct a yearly risk assessment at the least. The assessment can provide valuable insights into areas of the security program that need to mature, evolving threats, degradation of security controls, and (quite possibly most important) potential exposure to the company.
It is nearly impossible to appropriately gauge or develop a security roadmap without knowing what risks are of concern for the organization. Further, it is entirely likely that the organization will devote time and budget to a perceived risk that does not exist, thereby wasting resources.
Another reason an organization should consider a risk assessment is any time a major change is happening. This could be the launch of a new application, a move to the cloud, or the acquisition of a new business entity. All of these can drastically change the exposure of the organization which can impact the focus of the security team. It is important, when possible, to work from an updated set of risks to ensure that budget and effort are being placed in the right places.