jason-hengels-security-hallwayWhether it’s a Chief Information Security Officer (CISO) who has just started with a new company or a security team that’s just launching a cyber security program for their company, the first question before diving headlong into a cybersecurity strategy is often “where do we start?”

Some CISOs and security teams end up heading down a “paralysis by analysis” quagmire where they struggle with prioritizing which areas to focus on first.

For Jason Hengels, Founder and CISO for Hire at Exposure Security, a solid starting point is by assessing an organization’s critical assets and their vulnerabilities and then developing a risk-based roadmap for addressing them.

“What I’ve found is that the only way to articulate a strong business justification for a security-related initiative is by stepping back and figuring out what assets you have, how critical they are, and what vulnerabilities there are,” said Hengels. “When I do Virtual CISO work, I’ll put together a list of vulnerabilities and do a risk rating on them on a scale of 1-to-100.”

If a recent survey of financial advisers is any indication, companies are heading in the right direction with risk assessments but there’s still room for improvement. According to a 2016 report entitled “Is Your Data Safe? The 2016 Financial Adviser Cybersecurity Assessment” conducted by the FPA Research and Practice Institute, 57% of the 1,015 survey respondents have documented governance and risk assessment policies and procedures in place.

Part of the value of conducting a cybersecurity risk assessment is that it helps CISOs to prioritize which activities to address along with the level of effort and resources that need to be assigned to each, said Hengels. This enables CISOs to share with senior management the level of risk attached to each initiative and what’s required to remediate in terms they’ll be able to understand, he explained.

This includes pulling in internal software developers who would normally be working on applications aimed at increasing revenues or delivering other monetary or productivity benefits to the enterprise.

“Conducting a risk assessment can help you to figure out what the best bang for the buck is in prioritizing security improvements,” said Hengels. “You can often get people on the same page since they’re talking the same language.”

For companies that don’t have any experience in conducting cybersecurity risk assessments, Hengels recommends working with a third-party firm that isn’t overpriced. He said that most risk assessments can be conducted for between $5,000 to $10,000.

“Do your due diligence - make sure it’s someone that’s been used in that capacity before and has done a reputable job,” said Hengels. From there, CISOs and security teams should plan to conduct risk assessments at least once a year, regardless of whether they have a compliance mandate or not. The risk assessment should drive the security strategy for the next 12-to-18 months.

To learn more about top cyber security trends and best practices, check out our upcoming CISO summits.