"I think this is a colossal failure in asset-liability risk management," - Mark T. Williams, a former bank examiner for the Federal Reserve, referring to actions that led to Silicon Valley Bank's seizure by federal regulators.*
In simple terms, a risk assessment is an organized way to calculate the "bad things" that could happen to your business and helps you decide which vulnerabilities you should mitigate.
By outlining the probability and impact of each potential threat, the risk assessment empowers smarter decisions by business managers and IT security staff.
More formally, a risk assessment is "the process of identifying, estimating, and prioritizing risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system."
– NIST SP 800-30*
In other words, A risk assessment is a formal process organizations use to identify threats and vulnerabilities that could negatively impact the security of critical systems or data's confidentiality, integrity or availability (CIA). The assessment includes people, processes, and technologies involved in storing, processing, or transmitting sensitive or valuable data.
Performing recurring security risk assessments provides a mechanism to evaluate changes in your attack surface against the evolving threat landscape, emerging trends, and new technologies.
Examples of changes that could impact risk:
- the introduction of a new product line or service offering
- introduction of a new software application
- changes to network topology
- mergers & acquisitions
- third-party products and services
- physical security
- remote workers
Why is Performing a Security Risk Assessment Important?
Cybersecurity and privacy risks remain among the top threats facing business organizations today. Increasingly, executives and the Board of Directors are held accountable for security & privacy risk management.
Moreover, mature cybersecurity and risk management program is a competitive advantage and supports growth by enabling sales. Quickly satisfy customer security requirements so you can focus on selling the value of your solution.
A proper risk assessment is a foundational building block for any company's information security program. Done right, the result of a risk assessment is an actionable plan that allows organizations to make informed decisions regarding what steps are required to address the identified security & privacy risks.
Here are three reasons to invest in a risk assessment:
- Risk assessments help to protect you against breaches. Perhaps one of the biggest reasons companies choose to assess their risk is to protect them against costly and disruptive data breach. Risk treatments help protect your business from cyberattacks and to improve the protection of private or sensitive data.
- Risk assessments give you data to prioritize improvements to your security. A risk assessment provides a logical framework to prioritize urgent issues that need attention. It also helps you balance the security budget with your business objectives and risk appetite.
- Risk assessments help to guide your security investment. A detailed risk assessment will determine which vulnerabilities take priority and why in business terms.
Attack Surface Analysis
Part of the risk assessment is determining your attack surface. The attack surface is the set of all possible points or vectors where an attacker can try to enter, cause an adverse effect, or extract data from your organization. Your existing and historical records help define your perceived attack surface or the one you knew about before beginning the new risk assessment.
An Attack Surface Analysis (ASA) is an essential component of a risk assessment because your organization's attack surface changes continually. Business growth, mergers & acquisitions and technology integrations introduce new attack vectors. Attackers constantly update their tactics, techniques and methods to exploit weaknesses quickly.
The attack surface you analyzed last year is out-of-date.
"That's out of scope!" - Said, No Attacker Ever
Attack Surface Analysis is about mapping out what parts of a system need to be assessed. The point of Attack Surface Analysis is to understand the risk areas in an organization's systems and inform the risk assessment. Security architects and pen testers usually perform the ASA.
A quality Attack Surface Analysis replicates real-world attackers' tactics, techniques and methods in searching for unknown and unexpected weaknesses in your defenses. Having your attack surface discovered by an ASA than an actual attacker is far better.
“Always assume that you will be breached and that your vendors and partners will be breached. Only by building a defense in depth strategy and a robust incident response plan can you prevent a possible breach from being an existential threat.”
- Andy Cottrell, CEO Truvantis, Inc..
Need Help Getting Started?
Truvantis can help you with your immediate security, privacy and compliance business needs.
We don't believe in one-size-fits-all security. Instead, we will create a customized program tailored to your business requirements. Our mission is to help you build practical & effective cybersecurity, privacy & compliance programs that balance budget and risk.
Truvantis® offers comprehensive expertise in implementing, testing, auditing, and operating information security, privacy & compliance programs. We've helped organizations of all sizes improve their cybersecurity posture through practical, effective, and actionable programs—balancing security, technology, business impact and organizational risk appetite.
Truvantis is a cybersecurity consulting organization providing best-in-class cybersecurity services to secure your organization's infrastructure, data, operations, and products. We specialize in helping our clients improve their cybersecurity posture by implementing, testing, auditing, and operating information security programs.
If you'd like to talk to an expert, we're here to help.
Andy Cottrell is the founder and CEO of Truvantis and was the co-founder and President of eRISC, a nonprofit supporting a US and UK community of banks, e-commerce sites and other financial services companies to combat online fraud.