Organizations perform risk assessments for a variety of reasons: to ensure compliance, or to better understand the risks in their organization. These range from very granular assessments that aim to adhere to guidelines such as the AICPA SOC 2 Trust Services Criteria, NIST CSF, PCI-DSS, or HIPAA, to more technically focused assessments such as internal and external penetration tests, to general risk assessments.
Many of these are done as an audit, performed by an auditor without the practical experience of implementing IT systems, or performed by a sharp technologist with no experience adhering to critical control frameworks. The result is either I’s dotted & T’s crossed in ways that don’t improve your security posture, or technology-only solutions that don’t move the needle on critical controls or position you for an audit or certification.
In addition, it is very common for these assessments to neglect critical processes in Finance, HR, Operations, and Facilities, such as:
1. Understanding the flow of cash through and out of the organization, and where I am at risk with my customers or supply chain.
2. Understanding how well critical employment regulations are being met.
3. Understanding how sensitive data, including PII or PHI, flows both inside the organization and to your 3rd-party suppliers.
4. How easily all of the above can be exfiltrated due to a lack of basic facility security and individual behaviors.
All of this leaves organizations with a nearsighted view of their security posture, or just a laundry list of issues to fix with little practical advice or effective solutions that will truly help the business grow and succeed. That’s why we have created an assessment that is both lean and comprehensive. We’re not out to find every single gap; we’re after examining your organization as a whole and helping executives and management get the big picture and a roadmap to follow.
Here are a few general ideas about what you should know before choosing a risk assessment provider, as well as some specific questions you can ask to help you feel more confident when making your decision. If you’re interested in learning more about practical risk assessments, Dominion Security Partners is a trusted partner for risk assessments. [link here]. You can also download the list of questions from there in an easy-to-use format.
What experience does the assessor have in implementing IT systems?
Most risk assessments are performed by an auditor who has little experience in the practicalities of putting IT programs in place. They look to check off boxes to ensure regulatory compliance. While not useless, this often fails to take a holistic view of your organization & the wide variety of needs, problems, and concerns that every organization has. Without the experience of someone who has developed, implemented, and managed IT programs, it can be difficult to provide practical advice to the organization. But hey, even if the assessment doesn’t tell you how to fix the issue, at least it checks a box for doing an assessment.
Here’s a list of a few questions to ask the assessor about their experience with IT programs:
1. Have you ever managed an IT project or deployed an IT system?
2. How do you assess the different IT needs across the organization’s departments?
3. How many years have you worked in IT? In what roles?
4. Do you have any stories of IT programs that you helped improve?
5. What experience do you have in implementing IT initiatives?
How well do you understand my industry?
While every industry (as far as I know) has embraced the world of IT by now, it is not a one-size-fits-all solution. Even IT programs within the same industry can be wildly different in structure, with specific needs, tools, & regulations. Understanding the unique needs of your industry is imperative for the assessment to provide real, practical advice for your organization. Even if assessors understand the compliance and regulatory requirements of your industry, that doesn’t mean they understand how an IT program in your industry works.
Here’s a list of a few questions to ask the assessor about their experience in your industry:
1. What experience, if any, do you have in serving clients in my industry?
2. Are there any trends in IT specific to my industry that you feel we aren’t taking advantage of?
3. Do you have any success stories regarding my industry?
4. What is something that people in my industry often get wrong about their IT programs?
5. How do you balance the compliance & regulatory needs of my industry with the practicalities of running an organization?
How do you align short-term IT needs with long-term organizational goals?
Many organizations struggle to keep up with the ever-expanding day-to-day needs of IT. This makes it difficult for IT leaders to strategically align their initiatives with long-term organizational goals. Without a clear plan for communicating to other leaders in the organization why & how certain initiatives should be prioritized, IT can slip into an unsustainable strategy of just keeping its head above water. A great risk assessment helps align the IT department’s strategy with that of other leaders in the organization, allowing for better synergy in reaching long-term organizational goals.
Here’s a list of a few questions to ask the assessor about managing short-term IT needs alongside long-term organizational goals:
1. How can your assessment help me communicate the IT department’s strategy throughout the organization?
2. What practical steps does your assessment offer for dealing with short-term needs so we can focus on long-term goals?
3. What is a specific issue your assessments typically solve for organizations like mine?
4. How does your assessment help our organization prioritize our current vulnerabilities?
5. What does your assessment provide for other leaders in my organization that helps us stay aligned?
Who needs to be involved in my organization?
Time and money are two things that IT leaders never seem to have enough of. Assessments can be large time sinks that generate feelings of dread when you already have enough on your plate. Understanding who from your organization will be involved in the day-to-day assessment can help you better prepare for it internally. With IT leaders often finding themselves double or even triple booked, it can be daunting to feel like you must make time for an assessment, especially if that involves other leaders whose schedules can be just as busy as yours.
Here’s a list of a few questions to ask the assessor about who needs to be involved in the assessment:
1. How many hours of my time will be taken up by this?
2. Does the assessment require meetings with other leaders within the organization?
3. What can my team do to assist with the assessment?
4. Who specifically in the organization do you need time with?
5. What can I do to save time in completing this assessment?
How does this help me communicate across the organization?
IT is complex. More than just the tools & solutions across your environment, it also includes personnel management, IT operations, policies & procedures, & everything else that goes into managing an IT program. The need for all of this can be difficult to communicate throughout the organization & align with wider organizational goals because business & technical leaders lack a shared language. A great assessment bridges that gap, turning technical complexity into real, actionable insights that other leaders understand.
Here’s a list of a few questions to ask the assessor about how their assessment can help with communication across the organization:
1. What deliverables will be provided at the end of the assessment to communicate with stakeholders?
2. Is your assessment made in a way that makes it easy to share with a specific department its own IT needs? I.e., is it easy to share with Finance what’s applicable & appropriate to them, rather than having them read the full report?
3. How does this help me communicate with my leadership to get my initiatives done?
4. How is language kept consistent throughout the assessment to reduce confusion when explaining complex processes to different business leaders?
5. Are there any aspects of my organization that your assessment will not cover? For example, can you review the needs of all our departments, or are there business areas on which you do not provide advice?
What differentiates your risk assessments from others in the market?
Let’s face it. It seems like if anything gets marketed to the IT department, there are fifteen competitors listed on Gartner the next day. Risk assessments are no different. Many organizations provide risk assessments, so finding the right one for your business can be daunting.
It is good to understand what differentiates the risk assessment of one provider from another, so you can judge which best aligns with your organization’s goals.
Here’s a list of a few questions to ask the assessor about how they differentiate themselves from other risk assessments:
1. What is unique about the deliverables you provide to our organization?
2. Why would a customer in my industry specifically benefit from your risk assessment compared to others?
3. Is there anything in your assessment process that is different from many other assessors?
4. Where do you provide the most value in your assessments?
5. Do you have any stories about how your risk assessment compares to competitors? (This one is clever because you are going to be dealing with this assessor for at least a couple of weeks; if they take the opportunity to rail on their competition, you should think twice about getting into a contractual engagement with them.)
At Dominion Security Partners we help a variety of clients, including Federal, State, and Local government, enterprise & mid-market, with the business side of their IT needs. If you found this list helpful, my narrative interesting, or smirked at one of my jokes, please like & share this with others who might find it useful; I would really appreciate it.
Dominion Security Partners is a trusted partner in providing our clients with a variety of security solutions, services, and assessments. If you are interested in learning more about our offerings or understanding more about how we perform risk assessments, please schedule a consultation: here.
Also, if you would like to download the list of questions in a more accessible format it is available: here.
Our Risk Assessment covers the following domains of your organization:
Cyber & Security Management:
Identity & Access Controls
Endpoint & Network Protection
Monitoring & Detection Capabilities
Development and Operations of Security Measures
Backup and recovery strategies
Redundancy and fault tolerance mechanisms
Business continuity plans
Incident recovery processes
Business Area Security:
Regulatory requirements & Industry standards
Standard frameworks such as HIPAA, PCI-DSS, NIST CSF / 800-171
IT strategy & governance
IT architecture & infrastructure
IT service management
IT project management
Dev/Ops & software architecture
About me: As someone who’s always found great fun in assessments (I’m a huge personality assessment nerd & love taking quizzes of any kind for fun, let me know what your favorite quiz is in the comments below and I promise I’ll take it), it has been satisfying for me to have the opportunity to help our clients make their businesses more secure & efficient through our variety of assessments.