Here’s an uncomfortable truth: too few mid-market companies are doing regular cyber risk assessments, and some aren’t doing them at all. According to CompTIA’s “State of Cybersecurity 2025” report, “fewer than 6 in 10 organizations use a formal risk management framework, and roughly a third are only assessing risks informally, if at all.” Meanwhile, nearly 68% of mid-market executives fully expect someone to try to breach their systems this year (2025 RSM US Middle Market Business Index Cybersecurity Special Report).
That gap, between the threat executives anticipate and the rigor they are actually applying to identify and mitigate risk, is exactly where breaches happen. Closing this gap starts with one non-negotiable discipline: the cyber risk assessment.
I sat down with Marty Menard, former CIO for Pacific Coast Companies (PCCI). I asked him to help me dig into the specifics of why regular assessments are essential to maturing a cyber program. Today, Marty serves as Advisory Board Member for PCCI and for Wellesley Information Services and he has 35+ years in technology leadership with global companies like Intel, HP, and Rabobank. He is…