If you asked me what the first item of business would be for me as a new CISO or CIO in an organization, my answer would be to perform a cyber security risk assessment to improve overall security management. Actually, I’d probably install an espresso maker, but risk assessments would be a close second. Having a risk assessment done involves identifying the main functions or processes in your business, then qualitatively measuring risks associated with each.
Since time and resources are limited, risk assessments should center around the most important things for your business. For example, if you are an online retailer, your risk assessment should focus on resource availability and credit card data confidentiality. If you are a health care provider, your priority would be protecting patient data and keeping real-time medical systems available.
Risk assessments are valuable because they provide a road map of vulnerable business processes, allowing you to focus your time, tools, attention, and education where the organization needs it most, or the cyber risk is highest. As a third-party risk assessor, here are some tips and tricks I’ve picked up over the years that I’d like to…
