Security Magazine logo
  • Sign In
  • Create Account
  • Sign Out
  • My Account
  • NEWS
  • MANAGEMENT
  • PHYSICAL
  • CYBER
  • BLOG
  • COLUMNS
  • EXCLUSIVES
  • SECTORS
  • EVENTS
  • MEDIA
  • MORE
  • EMAG
  • SIGN UP!
cart
facebook twitter linkedin youtube
  • NEWS
  • Security Newswire
  • Technologies & Solutions
  • MANAGEMENT
  • Leadership Management
  • Enterprise Services
  • Security Education & Training
  • Logical Security
  • Security & Business Resilience
  • Profiles in Excellence
  • PHYSICAL
  • Access Management
  • Fire & Life Safety
  • Identity Management
  • Physical Security
  • Video Surveillance
  • Case Studies (Physical)
  • CYBER
  • Cybersecurity News
  • More
  • COLUMNS
  • Cyber Tactics
  • Leadership & Management
  • Security Talk
  • Career Intelligence
  • Leader to Leader
  • Cybersecurity Education & Training
  • EXCLUSIVES
  • Annual Guarding Report
  • Most Influential People in Security
  • The Security Benchmark Report
  • Top Guard and Security Officer Companies
  • Top Cybersecurity Leaders
  • Women in Security
  • SECTORS
  • Arenas / Stadiums / Leagues / Entertainment
  • Banking/Finance/Insurance
  • Construction, Real Estate, Property Management
  • Education: K-12
  • Education: University
  • Government: Federal, State and Local
  • Hospitality & Casinos
  • Hospitals & Medical Centers
  • Infrastructure:Electric,Gas & Water
  • Ports: Sea, Land, & Air
  • Retail/Restaurants/Convenience
  • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
  • Industry Events
  • Webinars
  • Solutions by Sector
  • Security 500 Conference
  • MEDIA
  • Videos
  • Podcasts
  • Polls
  • Photo Galleries
  • Videos
  • Cybersecurity & Geopolitical Discussion
  • Ask Me Anything (AMA) Series
  • MORE
  • Call for Entries
  • Classifieds & Job Listings
  • Continuing Education
  • Newsletter
  • Sponsor Insights
  • Store
  • White Papers
  • EMAG
  • eMagazine
  • This Month's Content
  • Advertise
Security Magazine logo
search
cart
facebook twitter linkedin youtube
  • Sign In
  • Create Account
  • Sign Out
  • My Account
Security Magazine logo
  • NEWS
    • Security Newswire
    • Technologies & Solutions
  • MANAGEMENT
    • Leadership Management
    • Enterprise Services
    • Security Education & Training
    • Logical Security
    • Security & Business Resilience
    • Profiles in Excellence
  • PHYSICAL
    • Access Management
    • Fire & Life Safety
    • Identity Management
    • Physical Security
    • Video Surveillance
    • Case Studies (Physical)
  • CYBER
    • Cybersecurity News
    • More
  • BLOG
  • COLUMNS
    • Cyber Tactics
    • Leadership & Management
    • Security Talk
    • Career Intelligence
    • Leader to Leader
    • Cybersecurity Education & Training
  • EXCLUSIVES
    • Annual Guarding Report
    • Most Influential People in Security
    • The Security Benchmark Report
    • Top Guard and Security Officer Companies
    • Top Cybersecurity Leaders
    • Women in Security
  • SECTORS
    • Arenas / Stadiums / Leagues / Entertainment
    • Banking/Finance/Insurance
    • Construction, Real Estate, Property Management
    • Education: K-12
    • Education: University
    • Government: Federal, State and Local
    • Hospitality & Casinos
    • Hospitals & Medical Centers
    • Infrastructure:Electric,Gas & Water
    • Ports: Sea, Land, & Air
    • Retail/Restaurants/Convenience
    • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
    • Industry Events
    • Webinars
    • Solutions by Sector
    • Security 500 Conference
  • MEDIA
    • Videos
      • Cybersecurity & Geopolitical Discussion
      • Ask Me Anything (AMA) Series
    • Podcasts
    • Polls
    • Photo Galleries
  • MORE
    • Call for Entries
    • Classifieds & Job Listings
    • Continuing Education
    • Newsletter
    • Sponsor Insights
    • Store
    • White Papers
  • EMAG
    • eMagazine
    • This Month's Content
    • Advertise
  • SIGN UP!
CybersecurityManagementSecurity Enterprise ServicesSecurity Leadership and ManagementLogical SecuritySecurity & Business ResilienceSecurity Education & TrainingCybersecurity News

Risk assessment needs a redo

By Patrick Murray
risk-assessment-freepik
August 27, 2021

The current state of risk assessments is in serious need of an upgrade. Risk assessment isn’t the sexiest topic, but it can’t be ignored, especially when you’re trying to pass an audit or protect your business from serious threats. It’s a fundamental concept but one that isn’t being done well and often, or many times isn’t being done at all. A survey of InfoSec auditors found that the three most commonly missed controls in a SOC 2 audit were risk assessments, penetration tests and internal audits. 

Whether it’s a matter of being viewed solely as a nuisance, or not understanding the process, or something else entirely, risk assessments aren’t being done the right way – and that can lead to multiple problems for businesses. A risk assessment is the only part of an InfoSec program that ties back to the “business risks,” which is what the CEO and Board of Directors care about. So, it’s too important to be ignored or done half-heartedly. It’s time for a risk assessment redo.

 

Understanding the risk assessment landscape

When looking at risk assessments, there are three main types of risk: financial, privacy and information security. To a certain degree, there is overlap between these three (think of it as a Venn diagram of risk), but the focus here is specifically on InfoSec risk – while acknowledging there is a crossover at times, particularly with privacy risk. 

Security risk is primarily focused on the ramifications of a potential breach and what needs to be done to avoid this. In addition, risk assessments are one of the most critical tasks for completing SOC2 and ISO 27001 audits, since it is the source of what you need to include in your audit scope of security controls.

 

What’s plaguing risk assessment

A primary issue with risk assessment is that it’s too often treated as an afterthought. It’s put into a spreadsheet, with a handful of risks outlined, and then shoved into a drawer, where it is then more or less forgotten about. A company can pull it out when an auditor or the boss asks to see it, but there isn’t necessarily a system to ensure that all the controls laid out have been implemented.

And, in part, due to being treated as an afterthought, many organizations then must scramble at the last minute to complete their risk assessment to pass the audit and get their certification. When this occurs, the assessment typically isn’t comprehensive, it misses many things, and it’s done in an overly accelerated, sometimes sloppy way.

What needs to happen first with risk assessment is identifying your risks; this requires a comprehensive look. Once you’ve located the risks, you need to think about how you’re going to mitigate them. 

In addition, most risk assessments don’t include a list of specific security controls, but these are essential to show how that InfoSec policy will be converted into action. Instead, people up-level their mitigation plan to vague statements that are difficult to explain and even more daunting to operationalize. It would be best if you defined specific controls associated with each business risk, so you have an actionable task to mitigate each risk.

Most people don’t have any “connective tissue” validating that the controls outlined in their risk assessments have been indeed mitigated and at all times. For example, if you stop encrypting data at rest, your data protection risks are exposed again. If you care about risks, you need to make sure your controls are what they call in the industry “operational.” Otherwise, your initial risk remains. 

     

Three keys for a better approach

Cyber risk is too significant a reality to treat in such an offhand manner. To get back on track, use these three keys to better risk assessment and control:

  1. A risk library tied to strategic objectives – Spend the right amount of time thinking about all your business risks. Most risk assessments fail during this stage since many people don’t know which risks to consider. Fortunately, there are now automated tools on the market that have comprehensive risk libraries to help you out if you’re unsure which risks to consider.
  2. Mapping controls to risks automatically – Ensure your risks are reduced by defining detailed mitigating controls to each risk. If you do not know which controls to define, there are automated tools that map risks to sets of controls for you. 
  3. Make sure you know if those controls are operational in real-time – You must actually prove that your controls are operational. If it’s just an Excel sheet in a drawer, you can’t do that. Proof means that a control has been implemented and remains operational (which means you have evidence that the control is still in place). Again, automated InfoSec management tools take the pain out of this process by automatically collecting evidence and verifying that your controls are operational in real-time.  

 

It’s all about mitigation

The state of risk assessments in the U.S. is lagging. Most auditors would say that most of their clients don’t even have one today, and it’s an afterthought until it comes to the SOC 2 attestation process. If they have done them, they are often done poorly, frequently not identifying the right risks or enough risks. But InfoSec is all about risk mitigation: identifying what you value first and then defining how to protect it. Use the three critical steps noted above to redo or initiate your risk assessment process, and you’ll be on your way to a happier board and a more secure organization.

KEYWORDS: business continuity cyber security information security risk assessment risk management

Share This Story

Looking for a reprint of this article?
From high-res PDFs to custom plaques, order your copy today!

Patrick Murray is Chief Product Officer at Tugboat Logic. He previously was Vice President, Products at DataVisor. Prior to that, he served as Senior Vice President of Products at Zimperium, and as the Vice President of Product Management of Zenprise.

 

Recommended Content

JOIN TODAY
To unlock your recommendations.

Already have an account? Sign In

  • Security's Top Cybersecurity Leaders 2024

    Security's Top Cybersecurity Leaders 2024

    Security magazine's Top Cybersecurity Leaders 2024 award...
    Top Cybersecurity Leaders
    By: Security Staff
  • cyber brain

    The intersection of cybersecurity and artificial intelligence

    Artificial intelligence (AI) is a valuable cybersecurity...
    Columns
    By: Pam Nigro
  • artificial intelligence AI graphic

    Assessing the pros and cons of AI for cybersecurity

    Artificial intelligence (AI) has significant implications...
    Logical Security
    By: Charles Denyer
Manage My Account
  • Security eNewsletter & Other eNews Alerts
  • eMagazine Subscriptions
  • Manage My Preferences
  • Online Registration
  • Mobile App
  • Subscription Customer Service

The Money Laundering Machine: Inside the global crime epidemic - Episode 24

The Money Laundering Machine: Inside the global crime epidemic - Episode 24

Security’s Top 5 – 2024 Year in Review

Security’s Top 5 – 2024 Year in Review

Middle East Escalation, Humanitarian Law and Disinformation – Episode 25

Middle East Escalation, Humanitarian Law and Disinformation – Episode 25

More Videos

Sponsored Content

Sponsored Content is a special paid section where industry companies provide high quality, objective, non-commercial content around topics of interest to the Security audience. All Sponsored Content is supplied by the advertising company and any opinions expressed in this article are those of the author and not necessarily reflect the views of Security or its parent company, BNP Media. Interested in participating in our Sponsored Content section? Contact your local rep!

close
  • Sureview screen
    Sponsored bySureView Systems

    The Evolution of Automation in the Command Center

  • Crisis Response Team
    Sponsored byEverbridge

    Automate or Fall Behind – Crisis Response at the Speed of Risk

  • Perimeter security
    Sponsored byAMAROK

    Why Property Security is the New Competitive Advantage

Popular Stories

Rendered computer with keyboard

16B Login Credentials Exposed in World’s Largest Data Breach

Verizon on phone screen

61M Records Listed for Sale Online, Allegedly Belong to Verizon

Security’s 2025 Women in Security

Security’s 2025 Women in Security

blurry multicolored text on black screen

PowerSchool Education Technology Company Announces Data Breach

Half closed laptop

Sudo Vulnerability Discovered, May Exposes Linux Systems

Events

August 7, 2025

Threats to the Energy Sector: Implications for Corporate and National Security

The energy sector has found itself in the crosshairs of virtually every bad actor on the global stage.

August 27, 2025

Risk Mitigation as a Competitive Edge

In today’s volatile environment, a robust risk management strategy isn’t just a requirement—it’s a foundation for organizational resilience. From cyber threats to climate disruptions, the ability to anticipate, withstand, and adapt to disruption is becoming a hallmark of industry leaders.

View All Submit An Event

Products

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

See More Products

Related Articles

  • Comprehensive Risk Assessment

    Tips for crafting a comprehensive risk assessment

    See More
  • 5 mins with Howlett

    5 minutes with Tony Howlett - Vendor risk management needs to be a top security priority in 2021 and beyond

    See More
  • Cyber Tactics

    Best Practices for Conducting a Cyber Risk Assessment

    See More

Related Products

See More Products
  • physical security.webp

    Physical Security Assessment Handbook An Insider’s Guide to Securing a Business

  • security culture.webp

    Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

  • Physical-Security-and-Safet.gif

    Physical Security and Safety: A Field Guide for the Practitioner

See More Products

Events

View AllSubmit An Event
  • August 27, 2025

    Risk Mitigation as a Competitive Edge

    In today’s volatile environment, a robust risk management strategy isn’t just a requirement—it’s a foundation for organizational resilience. From cyber threats to climate disruptions, the ability to anticipate, withstand, and adapt to disruption is becoming a hallmark of industry leaders.
  • June 24, 2025

    Inside a Modern GSOC: How Anthropic Benchmarks Risk Detection Tools for Speed and Accuracy

    ON DEMAND: For today's security teams, making informed decisions in the first moments of a crisis is critical.
View AllSubmit An Event
×

Sign-up to receive top management & result-driven techniques in the industry.

Join over 20,000+ industry leaders who receive our premium content.

SIGN UP TODAY!
  • RESOURCES
    • Advertise
    • Contact Us
    • Store
    • Want More
  • SIGN UP TODAY
    • Create Account
    • eMagazine
    • eNewsletter
    • Customer Service
    • Manage Preferences
  • SERVICES
    • Marketing Services
    • Reprints
    • Market Research
    • List Rental
    • Survey/Respondent Access
  • STAY CONNECTED
    • LinkedIn
    • Facebook
    • YouTube
    • X (Twitter)
  • PRIVACY
    • PRIVACY POLICY
    • TERMS & CONDITIONS
    • DO NOT SELL MY PERSONAL INFORMATION
    • PRIVACY REQUEST
    • ACCESSIBILITY

Copyright ©2025. All Rights Reserved BNP Media.

Design, CMS, Hosting & Web Development :: ePublishing

Security Magazine logo
search
cart
facebook twitter linkedin youtube
  • Sign In
  • Create Account
  • Sign Out
  • My Account
Security Magazine logo
  • NEWS
    • Security Newswire
    • Technologies & Solutions
  • MANAGEMENT
    • Leadership Management
    • Enterprise Services
    • Security Education & Training
    • Logical Security
    • Security & Business Resilience
    • Profiles in Excellence
  • PHYSICAL
    • Access Management
    • Fire & Life Safety
    • Identity Management
    • Physical Security
    • Video Surveillance
    • Case Studies (Physical)
  • CYBER
    • Cybersecurity News
    • More
  • BLOG
  • COLUMNS
    • Cyber Tactics
    • Leadership & Management
    • Security Talk
    • Career Intelligence
    • Leader to Leader
    • Cybersecurity Education & Training
  • EXCLUSIVES
    • Annual Guarding Report
    • Most Influential People in Security
    • The Security Benchmark Report
    • Top Guard and Security Officer Companies
    • Top Cybersecurity Leaders
    • Women in Security
  • SECTORS
    • Arenas / Stadiums / Leagues / Entertainment
    • Banking/Finance/Insurance
    • Construction, Real Estate, Property Management
    • Education: K-12
    • Education: University
    • Government: Federal, State and Local
    • Hospitality & Casinos
    • Hospitals & Medical Centers
    • Infrastructure:Electric,Gas & Water
    • Ports: Sea, Land, & Air
    • Retail/Restaurants/Convenience
    • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
    • Industry Events
    • Webinars
    • Solutions by Sector
    • Security 500 Conference
  • MEDIA
    • Videos
      • Cybersecurity & Geopolitical Discussion
      • Ask Me Anything (AMA) Series
    • Podcasts
    • Polls
    • Photo Galleries
  • MORE
    • Call for Entries
    • Classifieds & Job Listings
    • Continuing Education
    • Newsletter
    • Sponsor Insights
    • Store
    • White Papers
  • EMAG
    • eMagazine
    • This Month's Content
    • Advertise
  • SIGN UP!