Security Risk assessments are essential activities performed on your company’s security infrastructure that reveal threats to key corporate assets and vulnerabilities in your current security controls. The ultimate goal of a risk assessment is to define appropriate safeguards tailored to your company’s risk assessment objectives, risk profile and priorities. Many companies also conduct risk assessments as a key part of security regulation compliance.
What Do You Want from a Risk Assessment?
Having clarity as to what you want is key in getting what you need. However, a good risk assessment service provider will help you determine what you need. One thing to keep in mind is that the term risk assessment refers to at least 20 different tests and projects that can be performed to analyze anywhere from all your security to testing for specific weaknesses (see the Alternatives chart for some examples).
What are Your Security Risk Assessment Objectives?
- Become compliant with a specific security regulation?
- Satisfy a customer’s requirement that you become compliant with their regulations?
- Independent view of your security to see where you have risks
- Understand where you should budget for future security spending
- Assess a specific risk concern (like external hacker, phishing or wireless risks)
What Will I Get When I buy a Risk Assessment?
What you get depends on what your objectives and what you have requested. What you should get is a solid statement of work (SOW) before you agree to a project. If you are going to compare that proposal to others, make sure you ask for exactly the same thing from all providers. The SOW should include 1) purpose, 2) what work will be done, 3) impact on your organization, 4) possible result outcomes, 5) report format etc. See our next article on How to Buy a Risk Assessment for more insight.
How much will it Cost?
The cost depends on what the project entails. There is no monolithic price for a risk assessment (see chart above). Once scoped and defined, the price will vary by 1) the risk assessment objectives, 2) size of your organization, 3) security tests and projects to be performed. Compliance level objectives and larger organizations increase the projects complexity and price. We have seen risk assessment costs range from under $1,000 (for simple tests) to over $50,000, so be clear on what you want and what you are being quoted. Right-sizing the risk assessment service provider to your company will ensure that they are in tune with your size and type of business.
How Long will it Take?
Length of time to do a risk assess depends on both how many tests are performed and how responsive your organization is in providing information to the risk assessment service provider. Most projects for mid-size companies take between 1-4 weeks.
We are in the business of helping customers get what they want and need, so contact us to discuss your needs and any questions you might have.