A cyber security risk assessment, not to be confused with a vulnerability assessment, is the process of evaluating and codifying the risk to your organization by examining assets, controls, threats, and attack techniques.
Many components of the risk assessment will be subjective, in that decisions will be based on opinion or experience, but that does not mean that every risk assessment will be a subjective process. In many cases, these assessments can leverage real-world data to determine applicable risk, impact, and severity to assist with assigning an appropriate risk rating.
This article will explore the value of cybersecurity risk assessments, including what they offer, how long they take, how much they cost, and why your firm might consider one.
- Why Perform a Cybersecurity Risk Assessment?
- How a Security Risk Assessment is Different
- The Security Risk Assessment Process
- How Long Does a Security Risk Assessment Take?
- Security Risk Assessment Tools
- How Does a Security Risk Assessment Help?
- How Much Does a Security Risk Assessment Cost?
- What Are These "Free" Risk Assessments?
- Do Security Risk Assessments Vary from One Vendor to the Next?
- How to Choose a Risk Assessment Vendor?
Why Perform a Cybersecurity Risk Assessment?
If the process is subjective or is identifying potential impact, why would an organization want to perform this? Well, the biggest reason to perform this assessment is to identify what is most important to your organization, where your organization wants to focus, and to define a risk tolerance by which to manage the potential impact.
This helps to keep security teams, executives, and senior leadership focused on the right areas of the business to help lower the potential impacts of a cyber incident.
By focusing on lowering the risk through mitigating controls, remediation, or risk transfer, an organization can proactively address the risk and lower the overall impact of a future event.
How a Security Risk Assessment is Different
As touched on in the introduction, a cybersecurity risk assessment is not a vulnerability assessment or a penetration test. Those services focus on identifying and closing vulnerabilities and configuration issues in the environment that could be exploited. Any results or evidence gathered from those assessments should feed into the cyber security risk assessment as empirical data regarding existing controls, like patch management.
At a high level, a cybersecurity risk assessment will focus on reviewing all assets, controls, processes, and policies that exist for an organization through a risk-based approach. The assessment will consider threats and risks that could impact the organization in an adverse way, with a resulting action item that may entail remediation, transfer, acceptance, or mitigation.
By evaluating controls, processes, assets, and policies through a lens of risk or threats, an organization can identify weak or missing controls that could leave them open to a breach, reputation loss, or revenue loss.
In a nutshell, a cyber security risk assessment will take a holistic view of the environment, people, and processes that an organization has or has not implemented as part of the day-to-day operation.
The Security Risk Assessment Process
There are many frameworks that can be utilized to assist with performing a cybersecurity risk assessment. Any vendor engaged will likely utilize one of these existing frameworks to perform the assessment, and it is highly recommended that your organization request that the framework utilized be identified so future assessments can be based on the same framework. This will provide your organization the ability to gauge maturity and improvements as subsequent assessments are performed.
When it comes to the process of performing a risk assessment, most assessments are broken down into five key phases. Some frameworks may have more steps or components, but in the end, most can be broken down into the following:
Risk assessments can come in many different shapes and sizes. The scope is critical in attaining the end goal that is desired for the organization. For instance, if the organization is concerned about exposure to a contractual requirement for a customer-provided service, a full enterprise risk assessment is not appropriate. In this case, it may be most appropriate to perform an application risk assessment that entails only the assets, processes, people, and controls that are relevant to that service.
Selecting the right level, sets of assets, controls, processes, and people is critical to keeping scope manageable and getting to the data that is most important for an organization.
This phase can often be broken down into additional steps, depending on the framework utilized for the assessment. The core of what will happen during this phase is that a review of the assets or data in scope will be conducted to identify what could go wrong and how. This could involve utilizing known attack or exploitation techniques, or it could involve reviewing potential human error events that could impact the business.
Keep in mind that this will include threats that could result in a breach or impact to revenue, reputation, or operations of the business. All these results are important to consider and should be addressed in alignment with the organization’s risk tolerance.
Risk quantification is the act of applying the rating to the identified threats and resultant events identified in the previous step. During this review, it is common to utilize a 5×5 matrix to quantify the total risk based on the likelihood and impact of a threat or event taking place. However, the risk identification formula can be more complicated than that.
Some vendors choose to add additional factors like detectability or exploitation complexity to assist with prioritization. Detectability is the likelihood that a control would allow the organization to detect the threat being exploited or identified during or before the event, while complexity is often an attempt to identify how skilled the attacker may need to be to exploit the event.
Either one of these added to the risk formula adds complexity but can assist with determining the focus for remediation for two risks with the same impact and likelihood. For instance, an organization should focus on the harder-to-detect risk or the easier-to-exploit risk first, depending on which value is used in the formula.
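The following Python sketch is an added example, not taken from this article or from any vendor's methodology. It scores a small risk register on a 5×5 matrix and shows how the choice of tie-breaker changes which of two equally rated risks comes first. The 1 to 5 scale definitions, the Low/Medium/High band thresholds, and the sample risks are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

SCALE = range(1, 6)  # every factor is rated 1..5 (assumed scale)
FACTORS = ("likelihood", "impact", "detectability", "complexity")

@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int     # 1 = rare, 5 = almost certain
    impact: int         # 1 = negligible, 5 = severe
    detectability: int  # 1 = controls unlikely to detect it, 5 = almost certain to
    complexity: int     # 1 = little attacker skill needed, 5 = highly skilled attacker

    def __post_init__(self):
        # Reject ratings outside the matrix instead of silently skewing the score.
        for factor in FACTORS:
            if getattr(self, factor) not in SCALE:
                raise ValueError(f"{self.name}: {factor} must be 1-5")

def base_score(risk):
    """Classic 5x5 matrix value: likelihood x impact, range 1..25."""
    return risk.likelihood * risk.impact

def band(score):
    """Map a score to a rating band (thresholds are assumed, not a standard)."""
    return "High" if score >= 15 else "Medium" if score >= 8 else "Low"

def prioritize(risks, tie_breaker="detectability"):
    """Order by score, highest first; break ties with the chosen extra factor.

    For both factors the lower value goes first: harder to detect,
    or easier to exploit.
    """
    if tie_breaker not in ("detectability", "complexity"):
        raise ValueError("tie_breaker must be 'detectability' or 'complexity'")
    return sorted(risks, key=lambda r: (-base_score(r), getattr(r, tie_breaker), r.name))

# Constructed sample register: the first two risks share likelihood and impact.
REGISTER = [
    Risk("Phishing credential theft", 4, 4, detectability=4, complexity=1),
    Risk("Insider data exfiltration", 4, 4, detectability=1, complexity=3),
    Risk("Unpatched internal server", 2, 3, detectability=5, complexity=2),
    Risk("Lost unencrypted laptop", 1, 5, detectability=3, complexity=1),
]

if __name__ == "__main__":
    for factor in ("detectability", "complexity"):
        print(f"Tie-breaker: {factor}")
        for r in prioritize(REGISTER, factor):
            print(f"  {base_score(r):>2} {band(base_score(r)):<6} {r.name}")
```

Whichever tie-breaker is chosen, it should be recorded with the assessment so later assessments rank findings the same way.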
This step is essentially the reporting phase of the risk assessment. Depending on the output for the vendor or the tool utilized, it can be a formal report with an executive section, summary, and resultant risks, or it can be a file that contains all the risks identified along with supporting information. Consider this the formal reporting and finalization of risks and current controls applied to those risks.
Depending on the engagement, this may or may not be a part of the assessment. Some vendors will offer to provide services to help in identifying risk reduction steps (mitigation, remediation, transfer, acceptance) as part of the final phase of the assessment. Regardless of whether a vendor provides this or not, an organization should go through the formal process of identifying what steps will be taken to reduce the risks’ likelihood, impact, or both. After all, the whole point of the risk assessment is to identify what could go wrong, what it would be, and how it would impact the organization so that proactive steps can be taken.
How Long Does a Security Risk Assessment Take?
When it comes to a risk assessment, the timeline is very fluid for most organizations. Just like with any other security service, scope plays a huge role in determining the overall length of time investment in the process.
A full enterprise risk assessment could take 2 to 4 weeks for a small organization, with a large enterprise taking well over a month, even a quarter, to complete. Because of this, it is extremely important for the organization to identify the appropriate scope upfront so that time is invested in reviewing the risks that are of most importance.
Do not ask for a full enterprise risk assessment if you are only concerned about how a new application will impact your organization. Rather, focus on an application risk assessment, which could be done in one week versus the enterprise assessment that might take 4 weeks to complete.
Security Risk Assessment Tools
When it comes to tools utilized for a risk assessment, there are many that are available. Some are free; others you need to pay for. Depending on the scope, different tools will come into play. However, we can break the tools for an assessment down into the following:
- Framework – What will be utilized to assess? These can be frameworks like NIST CSF, ISO 27001, or the FAIR Framework.
- Automated testing tools – These could be network vulnerability assessments, application security testing tools, or other automated tools to identify vulnerabilities.
- Questionnaires – Your organization may be asked to answer specific questions on processes and procedures. This could involve sending similar questions to vendors to understand their maturity as well.
- Governance, Risk, and Compliance tool – This may or may not be utilized depending on the size of the vendor and if your organization has licensed one. This tool would be utilized to capture all the data requested or needed to conduct the assessment and the results.
How Does a Security Risk Assessment Help?
The short answer to this is that the risk assessment will identify risks to the organization and the impacts on financials, regulatory, contractual, or other operational capabilities. By documenting and understanding the risks, the organization can be proactive in lowering the overall risk through the reduction of impact or likelihood.
Another very large benefit is the ability to appropriately allocate resources, both financial and people, to work or projects that are most critical to the organization. These benefits apply to an organization of any size or maturity. In fact, a smaller, less mature organization should consider doing a formal enterprise cyber security risk assessment before embarking on any major projects.
An organization should keep in mind that a risk assessment, both one-time and recurring, is a key cornerstone for many security standards and certifications in the industry. ISO 27001, SOC2 Type 2, PCI, and even GDPR all require that an organization have a risk assessment process. In fact, the requirement is not to perform the risk assessment once but at a regular interval, usually no more than 1 year apart.
How Much Does a Security Risk Assessment Cost?
A cyber security risk assessment can range in cost from $12,000 to north of six figures. Due to the scope varying in size, which directly impacts the overall cost, it is hard to pin down the exact cost for a risk assessment.
An organization should expect to spend no less than three weeks on an in-depth enterprise risk assessment with a third party, which is likely to be in the $25,000 to $40,000 range.
What Are These “Free” Risk Assessments?
While there are firms that are offering free assessments, in many cases these assessments are going to be very high level and may not be of much value.
In most cases, it appears that these assessments consist of answering some questions, describing some of the processes the organization has in place, and reviewing a small subset of threats.
Keep in mind that vendors or consultancy firms make money based on the total effort or time required to conduct an assessment. So, if the vendor is offering a free assessment, it will most certainly consist of a low amount of human input with a lot of automated reliance. What that will equate to is that the questions you answer will have a predetermined output that may or may not apply to your organization.
While it may be tempting to engage these vendors for their services, consider engaging for a paid service to ensure that you are receiving value for your time.
Do Security Risk Assessments Vary from One Vendor to the Next?
There are two areas that will vary from one vendor to another when it comes to a risk assessment. The first is the framework utilized to conduct the assessment.
The framework, whether open source or proprietary internal, will dictate the steps, questions, components, and even risk rating during the risk assessment. If there is a framework that your organization would like to see utilized, include that as part of the requirements when discussing the engagement. Some vendors will be agnostic to the assessment framework, and others will specialize. There is nothing wrong with either approach. However, it is most important to get the framework your organization wants, as the assessments should be performed yearly, and this will provide a maturity metric.
The second big difference is in tools. Some vendors will have a well-provisioned team that comes to the engagement with a full toolbox that includes questionnaires, automated discovery tools, and even a GRC tool. Others will simply utilize an Excel document to capture evidence as the assessment continues. An organization may be tempted to think that a vendor utilizing a lot of shiny tools will provide a better assessment, but this is not always the case. The reality is that those tools may assist with quickly gathering information, but a risk assessment tends to be a highly human-based activity. The vendor still needs expertise in evaluating threats, controls, and risks to provide value beyond the tools.
How to Choose a Risk Assessment Vendor?
To summarize some of the key points in selecting a vendor for the risk assessment:
It is important to clarify what your organization is expecting from the assessment. As covered in previous sections, start this process by defining the core framework or methodology that should be utilized to conduct the assessment. This provides the ability to have consistency from one assessment to the next.
Next, determine the scope of the assessment. Once the scope has been defined, find a vendor that can perform that scope. The skills required to do an enterprise risk assessment are not always the same as those doing an application risk assessment. Understanding the scope and desired outcome will allow you to ask questions about experience, key data required, and examples of previous assessments.
Match Risk Rating Methods
After this, make sure that the vendor's risk rating system is the same as in previous assessments. This goes beyond whether they use a 5×5 or add in additional factors. This goes into how they evaluate the impact and the likelihood. Make sure that this follows the previous assessment methodology and calculations to provide consistency in the overall risk rating for a finding.
Consider Travel Expenses
The final point to consider when selecting a vendor is whether your organization would require the vendor to come onsite to do any portion of the assessment. If this is the case, consider the cost of travel in the evaluation, as traveling can add significant cost to the overall contract. If it is possible that the vendor may need to come on-site, utilize a local vendor so that travel is not required or expensed as part of the engagement.