Security Magazine logo
search
cart
facebook twitter linkedin youtube
  • Sign In
  • Create Account
  • Sign Out
  • My Account
Security Magazine logo
  • NEWS
    • Security Newswire
    • Technologies & Solutions
  • MANAGEMENT
    • Leadership Management
    • Enterprise Services
    • Security Education & Training
    • Logical Security
    • Security & Business Resilience
    • Profiles in Excellence
  • PHYSICAL
    • Access Management
    • Fire & Life Safety
    • Identity Management
    • Physical Security
    • Video Surveillance
    • Case Studies (Physical)
  • CYBER
    • Cybersecurity News
    • More
  • BLOG
  • COLUMNS
    • Cyber Tactics
    • Leadership & Management
    • Security Talk
    • Career Intelligence
    • Leader to Leader
    • Cybersecurity Education & Training
  • EXCLUSIVES
    • Annual Guarding Report
    • Most Influential People in Security
    • The Security Benchmark Report
    • The Security Leadership Issue
    • Top Guard and Security Officer Companies
    • Top Cybersecurity Leaders
    • Women in Security
  • SECTORS
    • Arenas / Stadiums / Leagues / Entertainment
    • Banking/Finance/Insurance
    • Construction, Real Estate, Property Management
    • Education: K-12
    • Education: University
    • Government: Federal, State and Local
    • Hospitality & Casinos
    • Hospitals & Medical Centers
    • Infrastructure:Electric,Gas & Water
    • Ports: Sea, Land, & Air
    • Retail/Restaurants/Convenience
    • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
    • Industry Events
    • Webinars
    • Solutions by Sector
    • Security 500 Conference
  • MEDIA
    • Videos
      • Cybersecurity & Geopolitical Discussion
      • Ask Me Anything (AMA) Series
    • Podcasts
    • Polls
    • Photo Galleries
  • MORE
    • Call for Entries
    • Classifieds & Job Listings
    • Continuing Education
    • Newsletter
    • Sponsor Insights
    • Store
    • White Papers
  • EMAG
    • eMagazine
    • This Month's Content
    • Advertise
  • SIGN UP!
CybersecurityManagementPhysicalSecurity NewswireSecurity Enterprise ServicesSecurity Leadership and ManagementLogical SecuritySecurity & Business ResilienceSecurity Education & TrainingCybersecurity News

Dreading security risk assessments? 6 ways to make them better

By Ryan Cloutier
risk-assessments-freepik1170x658v57026.jpg

Image by jcomp via Freepik

July 28, 2022

For a long while, companies in highly regulated industries were the main ones to undergo security risk assessments. But, that has dramatically changed in recent years. Today, risk assessments are critical for every business, from K-12 schools and government entities to hair salons and the donut shop down the street. Everyone needs them, but unfortunately — no one likes them. In fact, many organizations have come to dread the entire process. If a business is in need of a risk assessment — and trust me, they all are — and the security team is already stressed about what’s to come, read on for six ways it can be improved. 

 

  1. Understand the organization’s greatest risks and start there. 

The entire point of a risk assessment is to identify security gaps in order to create a plan to remedy them. Different businesses have different needs, which means they’ll have different security priorities. Yet, many risk assessments are structured in a one-size-fits all format. The first step in making risk assessments more palatable (and valuable) is to figure out what is most important to each individual business. 

For example, let’s consider an apple orchard. Getting adequate water to the trees is one of the top priorities, meaning that the systems that provide the water are a top priority. As such, they’re also one of the orchard’s greatest risks. A well-prepared risk assessment should factor this in, and make sure that the systems that deliver water to the orchard are the ones that are safeguarded first. Locking down the computer an administrative team member uses to make social media posts, on the flip side, might be a less of a priority in this case and therefore further down the list of things to focus on. 

 

  1. Be clear about risk tolerance. 

Just like one organization’s greatest risks won’t be the same as those of the next organization, their appetite for risk also varies. Again, most risk assessments don’t take this into account. Instead, each entity is treated as if it’s able to withstand the same severity of risk as the next organization. 

Of course, that isn’t the case. I work in cybersecurity, which means my tolerance for risk is higher than most other business practitioners. Whereas having my name, title and business address plastered all over presentations and websites is fine with me, teachers are not going to provide the same level of personally identifiable information (PII) about their students. Security professionals must be clear about the organization’s risk tolerance, and about which pieces of the business are mission-critical in order to ensure their risk assessment is accurate and useful. 

 

  1. Keep it simple (and human). 

Another major problem with most risk assessments is that they’re confusing, way too long and far too technical. Even though IT folks are often the ones conducting the assessments, it’s almost always business folks who are reading them and making plans to act on them. This creates a language disconnect that can be incredibly harmful to the security mission, as executives are less likely to approve measures they don’t understand — especially if they’re expensive. 

We have to make sure a risk assessment is appropriately thorough for each business, but doesn’t go far deeper than needed. A thorough and appropriate risk assessment should take two to four hours to complete in total, not weeks or months. Also, find out how the report is presented. Does it convey risk through the lens of business impact? The findings that are given should be prepared in such a way that a layperson within each industry could grasp them easily and quickly. 

 

  1. Streamline the process — and delegate. 

The mechanics of completing a risk assessment are usually a big part of what makes them dreadful. Practitioners have to build spreadsheets, initiate secure file transfer requests for data, sort evidence, ensure version control, keep everything organized and translate it all into something useful at the end. Not only is this cumbersome, but it’s also downright overwhelming. 

Risk assessments have to be comprehensive to be effective, but that doesn’t mean they can’t be simplified to save everyone time, spare them headaches, and give them a true understanding of what the organization’s risk really looks like. This is why it’s important to conduct a risk assessment that streamlines the process from start to finish. Ideally, the assessment team should help figure out how to delegate who answers which part(s) of the assessment and what the quickest way is to make that happen. 

 

  1. Go beyond compliance.  

If you’re in an industry bound by compliance (e.g. education, government, medical, insurance, finance, defense, etc.), remember one thing: compliance does not equal security. Read that again. While being compliant does not immediately mean your organization is secure, a secure organization will always result in better compliance. This isn’t to diminish the importance of compliance, but rather to emphasize the importance of taking additional risk reduction measures beyond your compliance checkbox. 

The security team should absolutely conduct Payment Card Industry (PCI), Health Insurance Portability and Accountability Act (HIPAA), Family Educational Rights and Privacy Act (FERPA), CJIS and other assessments, but then need to take the opportunity to improve and optimize your security posture outside of them. By stepping back and taking a more holistic approach to the way risk is assessed and managed, organizations will be positioned to achieve their goals while also maturing and improving their programs. 

 

  1. Get clear on next steps. 

Finally, one of the biggest gaps in most risk assessments is that they’re not actionable. They provide a list of everything that’s wrong about an organization’s current practices, but no roadmap for how to make changes. This is not only frustrating, but also completely ineffective and a waste of a good risk assessment. 

Make sure that whomever is providing the risk assessment not only gives the outcome of the assessment, but takes the time to help identify a path forward to improve the organization’s security posture. Remember in steps 1 and 2 of this article we talked about risk prioritization and risk tolerance. The provider that’s conducting the risk assessment should take those things into consideration when putting together a highly customized plan for what should be done next. Ideally, they should prioritize actions that can be taken to improve security so the security team can implement measures based on what will deliver the greatest impact and is most manageable. 

 

With the way most risk assessments are set up and conducted, it’s completely understandable why so many businesses, schools, state and local governments and nonprofits dread them. It doesn’t have to be this way. Take the steps outlined here to move toward a smoother risk assessment process and much tighter security. Get ready to breathe easier. 

KEYWORDS: compliance cyber security physical security risk assessment risk management

Share This Story

Looking for a reprint of this article?
From high-res PDFs to custom plaques, order your copy today!

Ryan Cloutier, CISSP, is the president at SecurityStudio. A passionate cybersecurity thought leader Ryan can be reached at rcloutier@securitystudio.com.

Recommended Content

JOIN TODAY
To unlock your recommendations.

Already have an account? Sign In

  • Security's Top Cybersecurity Leaders 2024

    Security's Top Cybersecurity Leaders 2024

    Security magazine's Top Cybersecurity Leaders 2024 award...
    Security Leadership and Management
    By: Security Staff
  • cyber brain

    The intersection of cybersecurity and artificial intelligence

    Artificial intelligence (AI) is a valuable cybersecurity...
    Security Leadership and Management
    By: Pam Nigro
  • artificial intelligence AI graphic

    Assessing the pros and cons of AI for cybersecurity

    Artificial intelligence (AI) has significant implications...
    Cybersecurity Education & Training
    By: Charles Denyer
Subscribe For Free!
  • Security eNewsletter & Other eNews Alerts
  • eMagazine Subscriptions
  • Manage My Preferences
  • Online Registration
  • Mobile App
  • Subscription Customer Service

More Videos

Sponsored Content

Sponsored Content is a special paid section where industry companies provide high quality, objective, non-commercial content around topics of interest to the Security audience. All Sponsored Content is supplied by the advertising company and any opinions expressed in this article are those of the author and not necessarily reflect the views of Security or its parent company, BNP Media. Interested in participating in our Sponsored Content section? Contact your local rep!

close
  • Crisis Response Team
    Sponsored byEverbridge

    Automate or Fall Behind – Crisis Response at the Speed of Risk

  • Perimeter security
    Sponsored byAMAROK

    Why Property Security is the New Competitive Advantage

  • Duty of Care
    Sponsored byAMAROK

    Integrating Technology and Physical Security to Advance Duty of Care

Popular Stories

Pills spilled

More than 20,000 sensitive medical records exposed

Laptop in darkness

Verizon 2025 Data Breach Investigations Report shows rise in cyberattacks

White post office truck

Department of Labor Sues USPS Over Texas Whistleblower Termination

Computer with binary code hovering nearby

Cyberattacks Targeting US Increased by 136%

Internal computer parts

Critical Software Vulnerabilities Rose 37% in 2024

2025 Security Benchmark banner

Events

September 29, 2025

Global Security Exchange (GSX)

 

November 17, 2025

SECURITY 500 Conference

This event is designed to provide security executives, government officials and leaders of industry with vital information on how to elevate their programs while allowing attendees to share their strategies and solutions with other security industry executives.

View All Submit An Event

Products

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

See More Products

Related Articles

  • risk management freepik

    The value of better data in third-party risk assessments

    See More
  • hotel room

    3 ways to implement weapons detection technology for better hotel security

    See More
  • Cybersecurity passwords

    U.S. Consumers' Security Habits Make Them Vulnerable to Fraud

    See More
×

Sign-up to receive top management & result-driven techniques in the industry.

Join over 20,000+ industry leaders who receive our premium content.

SIGN UP TODAY!
  • RESOURCES
    • Advertise
    • Contact Us
    • Store
    • Want More
  • SIGN UP TODAY
    • Create Account
    • eMagazine
    • eNewsletter
    • Customer Service
    • Manage Preferences
  • SERVICES
    • Marketing Services
    • Reprints
    • Market Research
    • List Rental
    • Survey/Respondent Access
  • STAY CONNECTED
    • LinkedIn
    • Facebook
    • YouTube
    • X (Twitter)
  • PRIVACY
    • PRIVACY POLICY
    • TERMS & CONDITIONS
    • DO NOT SELL MY PERSONAL INFORMATION
    • PRIVACY REQUEST
    • ACCESSIBILITY

Copyright ©2025. All Rights Reserved BNP Media.

Design, CMS, Hosting & Web Development :: ePublishing