Use Security Assessments in the Right Order to Prioritize Cyber Security Program Investment Decisions to Materially Increase the Return on that Investment


Organizations, whether driven by external regulations or internal policies, have traditionally relied on an uncoordinated mix of information security assessments that has left practitioners describing risk in the language of missing controls. This ‘missing controls’ view naturally leads organizations to try and implement every security control, everywhere, all of the time, which is an unobtainable goal in an increasingly digital world.

Every organization must find a way to focus its scarce resources on what matters

Cyber risks are constantly changing. Just think about the rate of technology change in your business as it makes its digital transformation, and its growing use of social, mobile, analytics and cloud technology. Not to mention the coming internet of things ‘tsunami’ that will continue to drive consumption of those technologies at exponential rates. Now consider the accelerating volume and sophistication of cyber-attacks, and their ascendance onto the board agenda. Every organization, therefore, has to find a way to focus its cyber security program investments on the controls that matter and provide it with the greatest level of protection from its most likely threats. The trick, it turns out, is to conduct assessments in the right order so that they mutually reinforce one another.

No single type of security assessment is sufficient to protect an organization’s information and technology assets adequately

Most information security program assessments fall into two broad categories: risk-based security assessments and controls-based security assessments. Each has its own set of strengths and weaknesses, and neither group alone is sufficient to protect an organization’s information and technology assets adequately.


Controls-based assessments are framework based, and the frameworks are either specialized to meet the needs of specific industry regulations or more general in nature. When dedicated to a particular regulation, these assessments are also known as compliance-based assessments.

The majority of organizations are subject to regulatory and industry-mandated compliance. These requirements may only apply to specific sectors such as medical or financial or have broader national and even international obligations. For example, a Sarbanes-Oxley (SOX) control objective might be implemented in a manner only applicable to those processes and technologies supporting financial systems.

On the other hand, more general frameworks can potentially evaluate an abundant range of controls and are meant to address risk across a broad range of information and technology assets. This type of assessment leverages an IT security framework (e.g. NIST CSF/SP 800-53, ISO 27001/2, or COBIT) as a “blueprint” to manage risk, reduce vulnerabilities, and baseline the cyber security program.

Risk-based assessments take a different approach that puts the asset, rather than the control, front-and-center. The first step is to identify, locate and classify information and technology assets. The next step is to conduct a threat modeling exercise against those assets and develop a clear understanding of the means, motives, and opportunity attackers may have to compromise them.

Assessments should be conducted in the right order to reinforce one another mutually

The insight gained from this is to conduct assessments in the right order so that they mutually reinforce one another. Begin with a risk-based assessment to understand the highest value assets and associated threats, because starting here protects the organization from oversubscribing security controls. Furthermore, risk-based assessments (when done periodically) should be near real-time, gated by the change control process, and able to provide immediate feedback on the sufficiency of controls within an organization.

Working this way addresses more risk with existing budgets

Defining a set of key controls in this way enables an organization to more quickly adapt a set of security controls and right-size it to its specific threat-based needs. It ensures an organization is making investment decisions based on actual risks, and ultimately leads to more risk being addressed with existing budgets and a greater return on investment for a cyber security program.
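The following Python model is an added illustration of the ordering the article argues for, not code from the original post or from any named framework. It carries the risk-based step first (assets with a business value, threats with a likelihood, inherent risk as their product), then selects controls for a fixed budget by the risk each one retires per unit of cost, and contrasts that with funding controls in the order a framework checklist happens to list them. Every asset, threat, control, value, likelihood and cost below is constructed for the example; the 1-10 value scale, the likelihood figures and the mitigation fractions are assumptions, and a real assessment would source them from the organization's own classification and threat modeling.

```python
"""Risk-first control prioritization (added example; all data constructed).

Inherent risk per threat = asset value x threat likelihood.  A control
removes a fraction of the likelihood of the threats it maps to.  Two
funding strategies are compared under the same budget:
  - prioritize(): greedy by residual risk retired per unit of cost
  - fund_in_listed_order(): checklist order, first-come first-funded
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: int            # business impact if compromised, 1-10 (assumed scale)


@dataclass(frozen=True)
class Threat:
    name: str
    asset: str            # name of the Asset this threat targets
    likelihood: float     # assumed annual probability, 0.0-1.0


@dataclass(frozen=True)
class Control:
    name: str
    cost: int             # budget units (constructed)
    mitigates: dict       # threat name -> fraction of that threat's likelihood removed


# Constructed inventory: the output of the "identify, locate, classify" step.
ASSETS = [Asset("customer-db", 10), Asset("marketing-site", 3), Asset("hr-files", 7)]

# Constructed threat model: means/motive/opportunity reduced to one likelihood each.
THREATS = [
    Threat("sqli-customer-db", "customer-db", 0.4),
    Threat("defacement", "marketing-site", 0.5),
    Threat("phish-hr", "hr-files", 0.3),
]

# Constructed candidate controls, in the order a generic checklist might list them.
CONTROLS = [
    Control("waf", 3, {"sqli-customer-db": 0.5, "defacement": 0.5}),
    Control("parameterized-queries", 2, {"sqli-customer-db": 0.8}),
    Control("mfa", 2, {"phish-hr": 0.7}),
    Control("cdn-hardening", 1, {"defacement": 0.6}),
    Control("dlp", 4, {"phish-hr": 0.3}),
]


def inherent_risk(assets, threats):
    """Risk per threat before any control is applied."""
    value = {a.name: a.value for a in assets}
    return {t.name: value[t.asset] * t.likelihood for t in threats}


def _apply(control, remaining):
    """Reduce residual risk in place for every threat the control maps to."""
    for threat, fraction in control.mitigates.items():
        if threat in remaining:
            remaining[threat] *= (1.0 - fraction)


def prioritize(assets, threats, controls, budget):
    """Greedy selection by residual risk retired per unit of cost.

    Returns (chosen control names, spend, inherent total, residual total).
    """
    risk = inherent_risk(assets, threats)
    remaining = dict(risk)
    candidates = list(controls)
    chosen, spent = [], 0
    while candidates:
        best, best_ratio = None, 0.0
        for c in candidates:
            if spent + c.cost > budget:
                continue
            reduction = sum(remaining[t] * f for t, f in c.mitigates.items() if t in remaining)
            ratio = reduction / c.cost
            if ratio > best_ratio:
                best, best_ratio = c, ratio
        if best is None:          # nothing affordable retires further risk
            break
        _apply(best, remaining)
        chosen.append(best.name)
        spent += best.cost
        candidates.remove(best)
    return chosen, spent, sum(risk.values()), sum(remaining.values())


def fund_in_listed_order(assets, threats, controls, budget):
    """Checklist strategy: fund controls in listed order until the budget is spent."""
    risk = inherent_risk(assets, threats)
    remaining = dict(risk)
    chosen, spent = [], 0
    for c in controls:
        if spent + c.cost > budget:
            continue
        _apply(c, remaining)
        chosen.append(c.name)
        spent += c.cost
    return chosen, spent, sum(risk.values()), sum(remaining.values())


if __name__ == "__main__":
    for label, fn in (("risk-first", prioritize), ("checklist", fund_in_listed_order)):
        chosen, spent, inherent, residual = fn(ASSETS, THREATS, CONTROLS, budget=5)
        print(f"{label:10s} spent={spent} chose={chosen} risk {inherent:.2f} -> {residual:.2f}")
```

With the constructed data and a budget of 5 units, the risk-first selection funds parameterized queries, CDN hardening and MFA and leaves roughly 2.03 units of the 7.6 units of inherent risk, while the checklist order spends the same budget on the WAF and parameterized queries and leaves about 3.25 units. The point is not the specific numbers but that the ordering decides which controls get funded, which is what the article means by addressing more risk with an existing budget.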


